Keep tunnel up

What is the preferred method to keep a l2l tunnel up between a 3030 concentrator and a asa 5505? Is just sending pings through the tunnel enough or are there keepalives I can configure?

look into enabling isakmp Keepalives, go over this link.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro
Rgds
Jorge

Similar Messages

  • IPSec Tunnel: Idle timeout

    Friends,
    I gonna configure ipsec tunnel between to sites. I want that tunnel remain up almost all the time. For this if i configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue doing this. Means i want to not, if it has any disadvange. Will it kill my router resources? As you know when ipsec tunnel come up, it drops few packets and also add delay in communication that i want to mitigate. Need your comments please.
    Best Regards
    Rameez

    There are few ways to keep tunnel open
    -Periodic isakmp keepalives
    crypto isakmp keepalive
    -How you suggest increasing ipsec idle-timer and also ike/ipsec lifetime
    isakmp policy 20 lifetime
    crypto ipsec security-association lifetime
    -Running NTP between the 2 routers thru the ipsec tunnel
    I think there are no big issue.. we used this when IP sec between Cisco and non-Cisco device had problem to come up from non-Cisco side so we decided keep tunnel up
    M.

  • Weblogic server not starting

    All of a sudden my weblogic server is giving error while I am trying to run startWeblogic.cmd
    The admin server log trace is :
    D:\Middleware\SOASuite11g\user_projects\domains\SOAOSBDevDomain\servers\AdminServer\data\ldap\XACMLRoleMappermyrealmInit.initialized, will load full LDIFT.>
    ####<Jan 31, 2013 5:04:00 AM GMT> <Info> <Security> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608640170> <BEA-090074> <Initializing RoleMapper provider using LDIF template file D:\Middleware\SOASuite11g\user_projects\domains\SOAOSBDevDomain\security\XACMLRoleMapperInit.ldift.>
    ####<Jan 31, 2013 5:04:00 AM GMT> <Info> <Security> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608640216> <BEA-090075> <The RoleMapper provider has had its LDIF information loaded from: D:\Middleware\SOASuite11g\user_projects\domains\SOAOSBDevDomain\security\XACMLRoleMapperInit.ldift>
    ####<Jan 31, 2013 5:04:00 AM GMT> <Info> <Security> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608640794> <BEA-090093> <No pre-WLS 8.1 Keystore providers are configured for server AdminServer for security realm myrealm.>
    ####<Jan 31, 2013 5:04:00 AM GMT> <Notice> <Security> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608640794> <BEA-090082> <Security initializing using security realm myrealm.>
    ####<Jan 31, 2013 5:04:01 AM GMT> <Error> <JNDI> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608641326> <BEA-050003> <Cannot create Initial Context. Reason: javax.naming.ServiceUnavailableException [Root exception is java.net.UnknownHostException: Unknown protocol: 'TCP']
         at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:34)
         at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:792)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:366)
         at weblogic.jndi.Environment.getContext(Environment.java:315)
         at weblogic.jndi.Environment.getContext(Environment.java:285)
         at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at weblogic.jndi.internal.ForeignJNDIManager.<init>(ForeignJNDIManager.java:45)
         at weblogic.jndi.internal.ForeignJNDIManager.initialize(ForeignJNDIManager.java:53)
         at weblogic.jndi.internal.ForeignJNDIManagerService.start(ForeignJNDIManagerService.java:36)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: java.net.UnknownHostException: Unknown protocol: 'TCP'
         at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:216)
         at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:197)
         at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)
         at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)
         at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:170)
         at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:165)
         at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:345)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:340)
         ... 13 more
    >
    ####<Jan 31, 2013 5:04:01 AM GMT> <Info> <Server> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608641763> <BEA-002622> <The protocol "[snmp, https, t3, cluster-broadcast-secure, ldaps, cluster-broadcast, ldap, http, iiop, admin, t3s, iiops]" is now configured.>
    ####<Jan 31, 2013 5:04:01 AM GMT> <Info> <XML> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608641794> <BEA-130036> <Initializing XMLRegistry.>
    ####<Jan 31, 2013 5:04:01 AM GMT> <Info> <messaging.interception> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608641810> <BEA-400000> <Initializing message interception service>
    ####<Jan 31, 2013 5:04:03 AM GMT> <Info> <Store> <siebel-crm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1359608643013> <BEA-280008> <Opening the persistent file store "_WLS_AdminServer" for recovery: directory=D:\Middleware\SOASuite11g\user_projects\domains\SOAOSBDevDomain\servers\AdminServer\data\store\default requestedWritePolicy="Direct-Write" fileLockingEnabled=true driver="wlfileio3".>
    Please help. Its urgent
    Edited by: 831642 on Feb 20, 2013 5:13 AM
    Edited by: 831642 on Feb 20, 2013 5:20 AM

    Hi,
    It seems that one of your EJB is trying to access remote JVM using TCP protocol make sure to keep tunneling on your AdminServer and restart one more time.
    But still I doubt because it should look into different protocol.
    But you can try to enable it.
    you will find them under Server >> AdminServer >> Protocol.......
    Regards,
    Kal

  • IPSec Propogation Delay

    Dear All,
    I have cisco 3825 routers with AIM-VPN/EPII-PLUS on which i will run ospf and make tunnels between sites or between ospf routers.
    I need to know that using AIM-VPN/EPII-PLUS how much processing delay for one IPSec tunnel. Lets suppose, i make a ipsec tunnel between two routers using 3DES,SHA,Preshared key, how much time router will take to encrypt,hashing etc the packet.
    Hope u would get my point, what i want to know..
    Regards.

    There are few ways to keep tunnel open
    -Periodic isakmp keepalives
    crypto isakmp keepalive
    -How you suggest increasing ipsec idle-timer and also ike/ipsec lifetime
    isakmp policy 20 lifetime
    crypto ipsec security-association lifetime
    -Running NTP between the 2 routers thru the ipsec tunnel
    I think there are no big issue.. we used this when IP sec between Cisco and non-Cisco device had problem to come up from non-Cisco side so we decided keep tunnel up
    M.

  • Site-To-Site VPN disconnection

    Dear All,
    I have a site-site vpn  tunnel from  head office to branch office.When ever tunnel is idle,tunnel goes down.Is any possibility to keep tunnel live always .
    Please help on this.
    Regards,
    Shinu Mathew

    You don't tell us what device and what version you are using, so I just assume ist a fairly recent ASA.
    There you have a group-policy assigned to your tunnel-group. These group-policies have a default idle-time of 30 minutes. You can disable the idle-time there. Here an example to disable it in the default group-policy:
    group-policy DfltGrpPolicy attributes
    vpn-idle-timeout none

  • IPSec Tunnel - Keep alives

    Hi All,
    Have just configured an IPSec VPN peered with a Fortigate 610B. The issue i am having is that the line-protocol keeps going down due to inactivity on the tunnel.
    I have keep alives configured as you will see below, however they dont appear to be working...
    Any suggestions would be appreciated.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key <password> address y.y.y.y
    crypto isakmp keepalive 10
    crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
    crypto ipsec profile Crypto-01
    set transform-set 3DES-SHA-HMAC
    interface Tunnel1
    ip address 10.255.255.5 255.255.255.252
    keepalive 5 3
    tunnel source x.x.x.x
    tunnel destination y.y.y.y
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile Crypto-01
    service-policy output p-map01
    CLEC-C2811-VPNC#sh interfaces tunnel 1
    Tunnel1 is up, line protocol is down
      Hardware is Tunnel
      Internet address is 10.255.255.5/30
      MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (5 sec), retries 3
      Tunnel source x.x.x.x, destination y.y.y.y
      Tunnel protocol/transport IPSEC/IP
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "Crypto-01")
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         172 packets input, 17949 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         118 packets output, 10052 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 output buffer failures, 0 output buffers swapped out

    Remove the keep alive config from the tunnel, I have found that keepalives only work on default GRE tunnel mode/encapsulation.
    Sent from Cisco Technical Support iPad App

  • How to: audit guest user traffic and keep it out of the tunnel

    Hi all,
    Project:
    Install AP in county library for local client use to the cloud via cable/dsl (vlan3) and maintain usage counters.
    Manage the AP thru the cloud, over the existing (3rd party) library network (vlan2), no client traffic.
    Sounds just like an OEAP using the private ssid.  Just no accounting that way.
    I read somewhere that ver 8.0 would let us flex internet traffic local and route everything else thru the tunnel,
    but that probably would not provide a usage audit either.

    Hi all,
    Well the question had a bit of obfuscation built in.
    I trunked my AP from the local switch...  native vlan 125.  Vlan 16 is the dsl pop.
    AP links to the WLC via 125.  Flex ssid is linked to the local vl16.  The flex ssid is wpa2/psk and the WLC tracks all associations there-too with MAC/IP data, adequate to create user/count data.
    Too simple.  I was thinking ACL's and all the rest.
    Thank you

  • L2L Tunnel keeps dropping

    I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code.  The main site has a T1 and the remote site is using a DSL connection.  About every other day I have to reset the connection at the remote site.  The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the  nat statement.  The connection usually comes back up and a few minutes.  I am trying to see what is causing this to drop.  Does anybody have any ideas?
    Thanks,
    TJ                  

    9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
    2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
    2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4
    I just enabled the crypto ipsec 255 and will post that when it drops again.
    Thanks,
    TJ

  • Yooo help me policeeee my blackberry bold 9230 keeps saying tunnel falled huhh ??

    iam trying log in my twitter saying tunnel failed geeting nerves how fix it my intnet woorking fine twitter was woorking find blackberry 9230 now muffing up grrrr i not smart soz yes speeling gves pepole brane bleeds next help me yooooooooooooooooooo kool

    Hello ineedsbiggerliger007 and welcome to the BlackBerry® Support Community Forums.
    Sorry to hear you are having difficulties logging in to the Twitter® for BlackBerry® smartphones application.
    Are you connected to a Wi-Fi® network or are you using the mobile network to connect?
    What version of Twitter are you using? 
    Are you able to log into Twitter on a computer? 
    -HMthePirate
    Come follow your BlackBerry Technical Team on twitter! @BlackBerryHelp
    Be sure to click Kudos! for those who have helped you.Click Solution? for posts that have solved your issue(s)!

  • IP Phone SSL VPN and Split tunneling

    Hi Team,
    I went throught the following document which is very useful:
    https://supportforums.cisco.com/docs/DOC-9124
    The only things i'm not sure about split-tunneling point:
    Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
    I could see many implementation when they used split-tunneling, like one of my customer:
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    banner value This system is only for Authorized users.
    dns-server value 10.64.10.13 10.64.10.14
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value prod.mobily.lan
    address-pools value SSLClientPool
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
    username manager-max attributes
    vpn-group-policy GroupPolicy1
    tunnel-group PhoneVPN type remote-access
    tunnel-group PhoneVPN general-attributes
    address-pool SSLClientPool
    authentication-server-group AD
    default-group-policy GroupPolicy1
    tunnel-group PhoneVPN webvpn-attributes
    group-url https://84.23.107.10 enable
    ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
    access-list split-tunnel remark split-tunnel network list
    access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
    It is working for them w/o any issue.
    My question would be
    - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
    Thanks!
    Eva

    Hi,
    If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • SonicWall Global VPN Client and Split tunneling

    Hello All,
    I searched Google and the forums here and can't find someone with the same problem.
    Lets start at the beginning-Just started this job a couple months ago and people brought to my attention immediately an issue while they were on the VPN they could not get to the internet.  I know about the different security risks but we have multiple field reps that need internet access while using our CRM program.  So I setup Split Tunneling on the Sonicwall. Tested and works fine on my home PC using a WRT54GS Ver 2.1 and the SonicWall Global VPN Client.
    So I was sure everything was fine until I just sent out 2 laptops to 2 different sales reps and they are both having the same issue.  They can get into the internal network but can't access the internet.  They are both on WRT54G (different Vers.).  I tested the VPN client on both laptops with tethering on my cell phone and the split tunneling works. I have tried updating firmware thinking that was the issue.  I also tried to put their home network on a different subnet.  All with no joy.  I was wondering if anyone ever ran into something like this or have any clues what to try next. 
    -Thank You in advance for your time.
    Message Edited by Chris_F on 01-11-2010 07:41 AM
    Chris F.
    CCENT, CCNA, CCNA Sec

    Of course, you do as you are told. But I hope you keep written record of what you have been told and have it signed of whoever told you to set it up. It's essential that you stay on the safe side in these matters.
    I have read of too many cases where the system/security admin did not do so and in the end was held responsible for security incidents simply because he was told to do something to jeopardize security of the network. Remember, that usually the person who tells you do to so has no idea about the full security implication of a decision.
    Thus, I highly recommend to require your road staff to connect with no split tunneling. Refuse to do otherwise unless you have it in writing and you won't be held reliable in any way if something happens because of it.
    Just think what happens if the whole customer database gets stolen because of one of the remote sales reps... There is a reason why you apply this web site blocking on your firewalls and there is absolutely no reason that would justify why your remote sale reps don't go through the very same firewall while accessing company-sensitive data in your CRM.
    So put that straight with whoever told you to do otherwise and if you they still want to continue anyway get it in writing. Once you ask for the statement in writing many decision-makers come to their senses and let you do your job at the best you can and for what you were hired... And if not, well, at least you got rid of the responsibility in that aspect.

  • Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

    Hi Rizwan,
    Thanks for your response.  I updated the configuration per your response below... It still doesn't work.  please see my new config files below.  Please help.  Thanks in advance for your help....
    Hi Pinesh,
    Please make follow changes on host: officeasa
    remove this line below highlighted.
    crypto dynamic-map L2LMap 1 match address Crypto_L2L
    It is only because group1 is weak, so please change it to group2
    crypto dynamic-map L2LMap 1 set pfs group1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
    Please make follow changes on host: homeasa
    It is only because group1 is weak, so please change it to group2
    crypto map L2Lmap 1 set pfs group1
    route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
    Hope that helps, if not please open a new thread.
    Thanks
    Rizwan Rafeek
    New config files..
    Site-A:   (Office):
    Hostname: asaoffice
    Inside: 10.10.5.0/254
    Outside e0/0: Static IP 96.xxx.xxx.118/30
    Site-B:   (Home):
    Hostname: asahome
    Inside: 10.10.6.0/254
    Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
    SIte-A:
    officeasa(config)# sh config
    : Saved
    : Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname officeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address 96.xxx.xxx.118 255.255.255.252
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.5.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
    access-list ormtST standard permit 10.10.5.0 255.255.255.0
    access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map OL2LMap 1 set pfs
    crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
    crypto dynamic-map OL2LMap 1 set reverse-route
    crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
    crypto map out_L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.5.101-10.10.5.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy ormtGP internal
    group-policy ormtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ormtST
    address-pools value ormtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type remote-access
    tunnel-group ormtProfile type remote-access
    tunnel-group ormtProfile general-attributes
    default-group-policy ormtGP
    tunnel-group ormtProfile webvpn-attributes
    group-alias OFFICE enable
    tunnel-group defaultL2LGroup type ipsec-l2l
    tunnel-group defaultL2LGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
    officeasa(config)#
    Site-B:
    Home ASA Configuration:
    homeasa# sh config
    : Saved
    : Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname homeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.6.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    access-list hrmtST standard permit 10.10.6.0 255.255.255.0
    access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2Lmap 1 match address Crypto_L2L
    crypto map L2Lmap 1 set peer 96.xxx.xxx.118
    crypto map L2Lmap 1 set transform-set Site2Site
    crypto map L2LMap 1 set pfs
    crypto map L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.6.101-10.10.6.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy hrmtGP internal
    group-policy hrmtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hrmtST
    address-pools value hrmtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type admin
    tunnel-group hrmtProfile type remote-access
    tunnel-group hrmtProfile general-attributes
    default-group-policy hrmtGP
    tunnel-group hrmtProfile webvpn-attributes
    group-alias hrmtCGA enable
    tunnel-group 96.xxx.xxx.118 type ipsec-l2l
    tunnel-group 96.xxx.xxx.118 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
    homeasa#

    Thanks Rizwan,
    Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...
    homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#

  • Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

    Hi,
    i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
    I have installed 50 Site-to-Site VPN tunnels, and they work fine.
    but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
    it happens when there is no TRAFIC on, i suspect.
    in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
    this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
    in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
    i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
    Any idea?
    Thanks,
    Daniel

    What is the lifetime value configured for in your crypto policies?
    For example:
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
    My Question to Experts:
    1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
    2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
    Thanks for your help,
    Razi                

    Did you figure this out?

  • How to set up Split Tunneling on ASA 5505

    Good Morning,
    I have an ASA 5505 with security plus licensing.  I need to set up split tunneling on the ASA and not sure how.  I am very new to Cisco but am learning quickly.   What I want to accomplish, if possible is to send all traffic to our corporate web site (static ip address) straight out to the internet and all other traffic to go though the tunnel as normal.  Basically we have a remote office that is using a local ISP to provide internet service.  IF our connection at the main office goes down, we want the branch office to still be able to get to our corporate website without having to unplug cables and connect their computer directly to the local ISP modem.   Any help with be greatly appriciated.   Thanks in advance.  Below is a copy of our current config.
    ASA Version 7.2(4)
    hostname TESTvpn
    enable password rBtWtkaB8W1R3ub8 encrypted
    passwd rBtWtkaB8W1R3ub8 encrypted
    names
    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242
    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
    access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any
    access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip TESTvpn 255.255.255.0 any
    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
    access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Corp_Voice 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list data-vpn
    nat (inside) 1 TESTvpn 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (Corp_Voice) 0 access-list voice-vpn
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http TESTvpn 255.255.255.0 inside
    http Corp_LAN 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    telnet timeout 5
    ssh Corp_LAN 255.0.0.0 inside
    ssh TESTvpn 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.64.4 192.168.64.3
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:953e50e9cbc02e1b264830dab4a3f2bd
    : end

    So I tried to use the exclude way that you suggested.   Here is my new config.   It is still not working.  The address I put in for the excluded list was 4.2.2.2  and when I do a trace route to it from the computer, it still goes though the vpn to the main office and out the switch at the main office and not from the local isp.   Any other suggestions?
    hostname TESTvpn
    domain-name default.domain.invalid
    enable password rBtWtkaB8W1R3ub8 encrypted
    passwd rBtWtkaB8W1R3ub8 encrypted
    names
    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.31.155.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242
    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip TESTvpn 255.255.255.0 any
    access-list inside_access_in extended permit icmp TESTvpn 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 a
    ny
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0
    any
    access-list VPN extended deny ip TESTvpn 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip TESTvpn 255.255.255.0 any
    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any
    access-list data-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list voice-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list all-vpn extended permit ip TESTvpn 255.255.255.0 any
    access-list all-vpn extended permit ip 172.30.155.0 255.255.255.0 any
    access-list TEST standard permit host 4.2.2.2
    pager lines 24
    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu Corp_Voice 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list data-vpn
    nat (inside) 1 TESTvpn 255.255.255.0
    nat (Corp_Voice) 0 access-list voice-vpn
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http TESTvpn 255.255.255.0 inside
    http Corp_LAN 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh Corp_LAN 255.0.0.0 inside
    ssh TESTvpn 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd option 150 ip 192.168.64.4 192.168.64.3
    dhcpd address 172.31.155.10-172.31.155.30 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy excludespecified
    split-tunnel-network-list value TEST
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not
    been met or due to some specific group policy, you do not have permission to us
    e any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    username admin password kM12Q.ZBqkvh2p03 encrypted privilege 15
    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b3caaecf2a0dec7334633888081c367
    : end

Maybe you are looking for

  • Show LabVIEW VI Front Panel When Sequence Step Called

    Hello, By clicking on the "Show VI Front Panel When Called" checkbox in the Step Settings pane displays the LabVIEW VI Front Panel for approximately 100 milliseconds. Is there a configuration way to display the VI front panel for a longer period of t

  • Problems with auto update

    I just bought a new 60GB ipod video. When I connected to itunes on my pc, it started the automatic upload, but experienced an error after about 4,000 of the 6,000 songs in the library. It said "unknown error (Type 69)." After reading other posts, whe

  • Same Batch Number with different characteristics value

    Dear Gurus, I have the following scenerio: The finished goods should be maintain in batch with external number  and at the time of confirming the finished goods in co11n the client want to capture the finished goods value like length, width and diame

  • Initializing data in an Array of Clusters

    First, thanks in advance for reading this request. Second, the situation: I am using an array of clusters for process control. The cluster contains a boolean, a typedef ring control, and two numeric controls (doubles). Depending upon the user-request

  • Oracle 10g Release 2 (10.2.0.3)

    Hi, I have a problem while trying to install 10g release 2 (10.2.0.3) on Windows vista . while creating the database , its throws the below error message " Enterprise manager configuration failed due to the following error - Invalid value null for pa