L2L VPN Access-list crypto-interesting

Hi Everyone, I have a question.
I have ASA1 and ASA2 connected over a private IP cloud and two hosts behind each of the ASAs.
The tunnel is up and I can ping from host1, which is behind ASA1, to host2, which is behind ASA2, over the VPN tunnel.
When I do show crypto ipsec sa on ASA2 I see
#pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
and they are increasing with every ping I send from host1 to host2. But when I do sh access-list cryptointeresting, which defines my crypto interesting traffic on ASA2, I don't see increasing hits with every ping I send from host1, which is behind ASA1.
The question is whether I am supposed to see cryptointeresting access-list hits increasing on ASA2 when I ping host2 (behind ASA2) from host1, which is behind ASA1 on the other end.
Thanks

Hi my friend.
When you ping from ASA1 to ASA2 you will not see hit counts on the ACL from ASA2. That happens because for the hit count to increase the traffic must match the direction defined on the ACL.
Basically, when you ping from ASA1 to ASA2 the traffic doesn't match the direction of the crypto ACL on ASA2 (which is defined from ASA2 LAN to ASA1 LAN), therefore it doesn't count as a hit.
You do see packets decrypted and decapsulated because the traffic matched the conditions previously negotiated for the VPN tunnel; then the traffic gets encrypted and sent through the tunnel.
I hope this clarifies your questions.
BTW, sorry I didn't get back to you on your second NAT post; I see that Varun gave you a great answer.
Have fun!
Raga
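The directional rule Raga describes, as an added example that is not part of the original thread: a small Python model (not ASA code) that parses an ASA crypto ACE, classifies a packet as matching in the written direction (counts as a hit) or only in the mirrored direction (decrypted traffic arriving from the peer, no hit on this ASA's ACL), and diffs the hitcnt values between two `show access-list` snapshots so you can tell which counters actually moved. The subnets 192.168.1.0/24 (behind ASA1) and 192.168.2.0/24 (behind ASA2), the host addresses, the ACL name cryptointeresting and the snapshot text are all constructed for the example; the model ignores the ASA connection table and only implements the direction rule.

```python
"""Crypto ACL direction vs. hit counts: an added Python model, not ASA code."""
import ipaddress
import re

# ASA extended ACE as written in the thread:
#   access-list NAME extended permit ip SRC SMASK DST DMASK
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)
# 'show access-list' line carrying a hit counter; the trailing hash is ignored.
HITCNT_RE = re.compile(
    r"^\s*(?P<ace>access-list\s+\S+\s+line\s+\d+\s+.*?)\s+\(hitcnt=(?P<n>\d+)\)"
)


def parse_crypto_acl(lines):
    """Parse 'permit ip SRC MASK DST MASK' ACEs into (src_network, dst_network) pairs.
    Dotted netmasks are accepted by ipaddress; 'host'/'any' forms are not handled here."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            aces.append((src, dst))
    return aces


def classify(aces, src_ip, dst_ip):
    """'outbound' if the packet matches an ACE as written (local LAN -> remote LAN, a hit),
    'inbound' if it matches only the mirrored ACE (remote -> local, decrypted but no hit),
    None if it is not interesting traffic for this ASA at all."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in src_net and d in dst_net for src_net, dst_net in aces):
        return "outbound"
    if any(s in dst_net and d in src_net for src_net, dst_net in aces):
        return "inbound"
    return None


def count_hits(acl_lines, packets):
    """Number of hits this ASA's crypto ACL records for a list of (src, dst) packets."""
    aces = parse_crypto_acl(acl_lines)
    return sum(1 for s, d in packets if classify(aces, s, d) == "outbound")


def hitcnt_delta(before, after):
    """Compare two 'show access-list' snapshots; return {ace_text: increase} for counters that grew."""
    def snapshot(text):
        return {m["ace"]: int(m["n"]) for m in map(HITCNT_RE.match, text.splitlines()) if m}
    b, a = snapshot(before), snapshot(after)
    return {ace: n - b.get(ace, 0) for ace, n in a.items() if n - b.get(ace, 0) > 0}


# Constructed sample: ASA2's crypto ACL, written from its own LAN towards ASA1's LAN.
ASA2_CRYPTO_ACL = [
    "access-list cryptointeresting extended permit ip "
    "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"
]
PINGS_FROM_HOST1 = [("192.168.1.10", "192.168.2.10")] * 5  # arrive at ASA2 from the tunnel
PINGS_FROM_HOST2 = [("192.168.2.10", "192.168.1.10")] * 3  # leave ASA2 into the tunnel
INTERNET_TRAFFIC = [("192.168.2.10", "198.51.100.7")]       # not interesting traffic

# Constructed snapshots in the 'show access-list' format (hitcnt moved on one ACE only).
SNAP_BEFORE = """\
access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
"""
SNAP_AFTER = """\
access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=50) 0x93b6dc21
access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
"""

if __name__ == "__main__":
    print("hits from host1 pings:", count_hits(ASA2_CRYPTO_ACL, PINGS_FROM_HOST1))
    print("hits from host2 pings:", count_hits(ASA2_CRYPTO_ACL, PINGS_FROM_HOST2))
    for ace, inc in hitcnt_delta(SNAP_BEFORE, SNAP_AFTER).items():
        print(f"+{inc}  {ace}")
```

Pinging from host2 behind ASA2 (or clearing the counters and watching which ACE grows, as Rick suggests further down the page) is therefore the way to confirm that ASA2's own ACL selects the traffic.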

Similar Messages

  • SA500 VPN Access - list support

    I have a site that has a need for 3 different remote vpn user profiles
    I have 1 user that needs access to the entire private subnet
    1 user needs access to just 1 address
    1 user needs access to 5 of the ip addresses.
    Is this possible? What other SMB security product will give me what I want?
    Thanks

    Hi,
    On SA500 you can use SSL VPN Policies under VPN -> SSL VPN Server -> SSL VPN Policies.
    1. For the user who needs to access the entire private network, you can use a full SSL VPN tunnel.
    2. For the user who needs to access only 1 IP address, you can use port forwarding. Under VPN -> SSL VPN Server -> SSL VPN Policies, select the user and hit the 'Display' button. Add an SSL VPN Policy that allows the user to use only one IP address and denies the rest of your private network.
    3. For the user who needs to access 5 IP addresses, you can again use port forwarding with the above step repeated for the 5 addresses, or you can use 'Resources'. Create a Resource and add objects to it (the IP addresses you want to access). Then call this resource using SSL VPN Policies. You will need to deny the rest of the private network in case you only need access to the 5 IP addresses.
    Thanks.

  • Different "access-list outside_cryptomap" for every VPN?

    Hi,
    Just for my understanding.
    I have one VPN connected to my Cisco ASA 5520; when I tried to add another VPN I had to create a 2nd cryptomap. Can I not create a group so there is one crypto map?
    Currently I have:
    access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
    But I wondered if I could use something like:
    access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
    When I do this though I guess it will cause a problem with the peer address?

    Is there a certain order I need to add the config into the CLI as well?
    I have this to add:
    access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    crypto map outside_map 1 match address outside_MYcryptomap_1
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 1.2.3.4
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 86400
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 general-attributes
    default-group-policy CBSO-L2L
    tunnel-group 1.2.3.4 ipsec-attributes
    pre-shared-key abcdefgh

  • Access-list needed for vpn

    Hi,
    If we have a LAN-to-LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need individual access-lists in the security policy? (I had a similar case where I had to put an entry in the security policy for port 16000 between the two subnets used on the LAN-to-LAN firewalls.)
    I was under the impression the security policy applies only for non-VPN traffic and for VPN traffic we need to specify on the IPsec tunnel (under the Service tab).
    Thanks

    There are two ways you can filter traffic which is moving over the VPN.
    1) Filter at the source; of course ACLs are required.
      For example the crypto ACL allows Site A 10.0.0.0/24 to Site B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.
    The ACL would be:
    access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
    access-list XXX extended permit ip any any
    access-group XXX in interface inside
    So this will deny port 80 and permit the rest of the traffic.
    2) You can configure VPN filter which is called under group policy .
    Thanks
    Ajay

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

  • Access list to permit outbound VPN?

    We have the following ACL assigned to WAN port of our Cisco 831:
    access-list 111 permit tcp any any established
    access-list 111 permit tcp host [*remote private ip snipped*] any eq telnet
    access-list 111 permit esp any any
    access-list 111 permit ahp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit gre any any
    access-list 111 permit udp any eq isakmp any
    access-list 111 permit udp any eq non500-isakmp any
    access-list 111 permit udp any eq domain any
    access-list 111 permit udp any eq 21068 any
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit tcp any any eq 3390
    access-list 111 permit tcp any any eq 143
    access-list 111 permit tcp any any eq 443
    access-list 111 permit tcp any any eq pop3
    access-list 111 deny ip any any
    Should that allow a host on the LAN to access a remote VPN connection (using Cisco VPN client)? Is anything else needed?
    Router is running 12.3(8), already supporting inbound Cisco client connections and one remote LAN-to-LAN VPN.

    I have a few questions:
    Are you sure that this is outbound, and not inbound on the WAN interface?
    The thing that needs to be identified is which flavor of IPSEC you are using in the client. Standard IPSEC and IPSEC over UDP do not work well unless they have a 1-for-1 NAT translation. IPSEC over TCP usually works if you are doing PAT'ing of some sort. If the VPN device on the other end can support IPSEC over TCP (Concentrator or PIX/ASA running 7.x) then set the client to use IPSEC over TCP.

  • ASA 5505 Isolated Networks with Site-to-Site VPN Access

    I'm in the process of setting up an ASA 5505 for a remote site and needed some assistance determining if what I want to do is possible as well as if I need to upgrade the license from Base to Security Plus.
    Remote Site ASA 5505 Interfaces:
    Outside (Interface 0) - Public Internet, Static IP (Connected to Sierra Wireless AirLink Gateway)
    AMI (Interface 1) (VLAN 742) - 10.40.31.129/25 
    SCADA (Interface 2) (VLAN 772) - 10.70.0.5/30 
    I need to ensure that the two internal VLANs cannot access/talk to one another and the "SCADA" network cannot access Internet, just remote subnets across a VPN tunnel.
    ASA will need to have three IPsec tunnels:
    Tunnel 1 to SCADA Firewall
    Remote Site - 10.70.0.4/30 Subnet
    Central Site - 10.101.41.0/24 Subnet
    Tunnel 2 to Corporate Firewall
    Remote Site - 10.40.31.129/25 Subnet
    Central Site - 192.168.110.0/24 and 192.168.210.0/24 Subnet
    Tunnel 3 to Partner Firewall
    Remote Site - 10.40.31.129/25 Subnet
    Partner Site Subnets
    The ASA is running 9.1(5) and ASDM 7.1(6).  
    I've attached a diagram of what the connections look like between sites.

    I reviewed your diagram attached and trying to give you as much as I can.
    other gurus, pls correct me if I am missing anything.
    if I remember correctly, with base license, you can set up vpn peers.
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address public ip, subnet mask
    int e0/1
    nameif AMI
    security-level 100
    ip add 10.40.31.129 255.255.255.128
    int e0/2
    nameif SCADA
    security-level 10
    ip add 10.70.0.5 255.255.255.252
    route outside 0.0.0.0 0.0.0.0 public IP
    tunnel-group 173.8.244.181 type ipsec-l2l
    tunnel-group 173.8.244.181 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEyScAdA
    tunnel-group 173.8.244.189 type ipsec-l2l
    tunnel-group 173.8.244.189 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEyC0Rp
    tunnel-group 148.80.252.60 type ipsec-l2l
    tunnel-group 148.80.252.60 ipsec-attributes
     ikev1 pre-shared-key Pr3$h@r3DkEypArTN3R
    crypto ikev1 enable outside -- enabling for outside interface
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 15
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec ikev1 transform-set kerseyami esp-aes-256 esp-sha-hmac
    crypto map VPN 10 match address SCADA
    crypto map VPN 10 set peer  173.8.244.181
    crypto map VPN 10 set ikev1 transform-set kerseyami
    crypto map VPN 10 set security-association lifetime seconds 86400
    crypto map VPN 20 match address CORP
    crypto map VPN 20 set peer  173.8.244.189
    crypto map VPN 20 set ikev1 transform-set kerseyami
    crypto map VPN 20 set security-association lifetime seconds 86400
    crypto map VPN 30 match address PARTNER-FW
    crypto map VPN 30 set peer 148.80.252.60   
    crypto map VPN 30 set ikev1 transform-set kerseyami
    crypto map VPN 30 set security-association lifetime seconds 86400
    access-list SCADA extended permit ip 10.70.0.4 255.255.255.252 10.101.41.0 255.255.255.0
    access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.110.0 255.255.255.0
    access-list CORP extended permit ip 10.40.31.128 255.255.255.128 192.168.210.0 255.255.255.0
    access-list PARTNER-FW extended permit ip 10.40.31.128 255.255.255.128 subnets behind your Partner-FW
    Note: on the other side of the firewalls, like SCADA side, CORP Side and Partner FW side, you need to configure same pre-shared key, same crypto ike 1 and 2 policies & same interesting traffic in order to have this working.
    let us know how this works.
    JD...

  • L2L VPN Issue - one subnet not reachable

    Hi Folks,
    I have a strange issue with a new VPN connection and would appreciate any help.
    I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).   
    I have recently added 2 new L2L VPNs. Both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the customer end and encrypt traffic from different customer subnets. There's a basic network diagram attached.
    VPN 1 is for traffic from the customer subnet 10.2.1.0/24. Devices in this subnet should be able to access 2 subnets on my network: DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN works correctly.
    VPN 2 is for traffic from the customer subnet 192.168.1.0/24. Devices in this subnet should be able to access the same 2 subnets on my network: DMZ 211 (192.168.211.0/24) and DMZ 144 (192.168.144.0/24). This VPN is not working correctly: the customer can access DMZ 144, but not DMZ 211.
    There are isakmp and ipsec SAs for both VPNs. I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211. This counter does increment when they send test traffic to DMZ 144. I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA. I cannot see similar traffic in captures on the DMZ 211 interface (although I can see traffic sent to DMZ 211 if it is sourced from 10.2.1.0/24, i.e. when it uses VPN 1).
    NAT exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
    There is a route to both customer subnets via the same next hop.
    There is nothing in the logs to indicate that traffic from 192.168.1.0/24 is being dropped.
    I suspect that this may be an issue on the customer end, but I'd like to be able to prove that. Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted. I don't know if this can be done however, and I haven't really found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ 211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
    Here is the relevant vpn configuration:
    crypto map MY_CRYPTO_MAP 90 match address VPN_2
    crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
    crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP 100 match address VPN_1
    crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
    crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
    crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
    crypto map MY_CRYPTO_MAP interface isp
    ASA# sh access-list VPN_2
    access-list VPN_2; 6 elements; name hash: 0xa902d2f4
    access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
      access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
      access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
      access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
    ASA# sh access-list VPN_1
    access-list VPN_1; 3 elements; name hash: 0x30168cce
    access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
    access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
    access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
    nat (dmz144) 0 access-list nonatdmz144
    nat (dmz211) 0 access-list nonatdmz211
    ASA# sh access-list nonatdmz144
    access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
    access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
    access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
    access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
    access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
    access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
    ASA# sh access-list nonatdmz211 | in 192.168\.1\.
    access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
    ASA# sh access-list nonatdmz211 | in 10.2.1.
    access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
    route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
    route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
    Thanks in advance to anyone who gets this far!

    Darragh

    Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
    It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from them, then that would be one way to show that there is a problem on the remote side.
    Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
    HTH
    Rick

  • Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

    Hi Rizwan,
    Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
    Hi Pinesh,
    Please make the following changes on host officeasa:
    Remove the line below (highlighted).
    crypto dynamic-map L2LMap 1 match address Crypto_L2L
    It is only because group1 is weak, so please change it to group2
    crypto dynamic-map L2LMap 1 set pfs group1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
    Please make the following changes on host homeasa:
    It is only because group1 is weak, so please change it to group2
    crypto map L2Lmap 1 set pfs group1
    route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
    Hope that helps, if not please open a new thread.
    Thanks
    Rizwan Rafeek
    New config files..
    Site-A:   (Office):
    Hostname: asaoffice
    Inside: 10.10.5.0/254
    Outside e0/0: Static IP 96.xxx.xxx.118/30
    Site-B:   (Home):
    Hostname: asahome
    Inside: 10.10.6.0/254
    Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
    SIte-A:
    officeasa(config)# sh config
    : Saved
    : Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname officeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address 96.xxx.xxx.118 255.255.255.252
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.5.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
    access-list ormtST standard permit 10.10.5.0 255.255.255.0
    access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map OL2LMap 1 set pfs
    crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
    crypto dynamic-map OL2LMap 1 set reverse-route
    crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
    crypto map out_L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.5.101-10.10.5.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy ormtGP internal
    group-policy ormtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ormtST
    address-pools value ormtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type remote-access
    tunnel-group ormtProfile type remote-access
    tunnel-group ormtProfile general-attributes
    default-group-policy ormtGP
    tunnel-group ormtProfile webvpn-attributes
    group-alias OFFICE enable
    tunnel-group defaultL2LGroup type ipsec-l2l
    tunnel-group defaultL2LGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
    officeasa(config)#
    Site-B:
    Home ASA Configuration:
    homeasa# sh config
    : Saved
    : Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname homeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.6.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    access-list hrmtST standard permit 10.10.6.0 255.255.255.0
    access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2Lmap 1 match address Crypto_L2L
    crypto map L2Lmap 1 set peer 96.xxx.xxx.118
    crypto map L2Lmap 1 set transform-set Site2Site
    crypto map L2LMap 1 set pfs
    crypto map L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.6.101-10.10.6.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy hrmtGP internal
    group-policy hrmtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hrmtST
    address-pools value hrmtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type admin
    tunnel-group hrmtProfile type remote-access
    tunnel-group hrmtProfile general-attributes
    default-group-policy hrmtGP
    tunnel-group hrmtProfile webvpn-attributes
    group-alias hrmtCGA enable
    tunnel-group 96.xxx.xxx.118 type ipsec-l2l
    tunnel-group 96.xxx.xxx.118 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
    homeasa#

    Thanks Rizwan,
    Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
    homeasa(config)# ping inside 10.10.5.254 ............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office), which is at 10.10.5.10, and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#

  • Remote access VPN access across LAN-to-LAN VPN

    I have two sites (site 1 & site 2) connected by a LAN-to-LAN VPN.  At site 1, users connect with a remote access VPN and need to be able to access resources at site 2.

    I started out with same-security-traffic intra-interface configured.
    Here is the output from both ASAs:
    NM-ASA# show crypto isakmp sa
       Active SA: 6
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 6
    1   IKE Peer: 3.3.3.3
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 74.138.171.237
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    3   IKE Peer: 96.28.201.133
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    4   IKE Peer: 1.1.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    5   IKE Peer: 74.138.126.195
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    6   IKE Peer: 96.28.201.133
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    NM-ASA# 
    NM-ASA# sho crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.1.20.5/255.255.255.255/0/0)
          current_peer: 96.28.201.133, username: joneal
          dynamic allocated peer ip: 10.1.20.5
          #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
          #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 5E0D76C9
        inbound esp sas:
          spi: 0x969790AD (2526515373)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28618
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000003 0xFFFFFFFF
        outbound esp sas:
          spi: 0x5E0D76C9 (1577940681)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28618
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.1.20.6/255.255.255.255/0/0)
          current_peer: 96.28.201.133, username: joneal
          dynamic allocated peer ip: 10.1.20.6
          #pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
          #pkts decaps: 945, #pkts decrypt: 945, #pkts verify: 945
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 968FF103
        inbound esp sas:
          spi: 0xA49C8920 (2761722144)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28703
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x968FF103 (2526015747)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28702
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
          access-list peak10-vpn permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
          current_peer: 3.3.3.3
          #pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
          #pkts decaps: 270, #pkts decrypt: 270, #pkts verify: 270
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 352, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 773AB6C7
        inbound esp sas:
          spi: 0xD34E0435 (3545105461)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 303104, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (3914940/28605)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x773AB6C7 (2000336583)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 303104, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (3914941/28605)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
          access-list peak10-vpn permit ip 192.168.128.0 255.255.224.0 172.16.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
          current_peer: 3.3.3.3
          #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
          #pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 66CD02A3
        inbound esp sas:
          spi: 0x531B430A (1394295562)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 303104, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (3914990/28666)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x01FFFFFF
        outbound esp sas:
          spi: 0x66CD02A3 (1724711587)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 303104, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (3914990/28666)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.1.20.7/255.255.255.255/0/0)
          current_peer: 74.138.126.195, username: jnord
          dynamic allocated peer ip: 10.1.20.7
          #pkts encaps: 990, #pkts encrypt: 990, #pkts digest: 990
          #pkts decaps: 1429, #pkts decrypt: 1429, #pkts verify: 1429
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 990, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 3
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.126.195
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 62241B76
        inbound esp sas:
          spi: 0xB1F2F97B (2985490811)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28674
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x62241B76 (1646533494)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28674
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.1.20.4/255.255.255.255/0/0)
          current_peer: 74.138.171.237, username: cbulmahn
          dynamic allocated peer ip: 10.1.20.4
          #pkts encaps: 832, #pkts encrypt: 832, #pkts digest: 832
          #pkts decaps: 620, #pkts decrypt: 620, #pkts verify: 620
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 832, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.171.237
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 64CD5FBE
        inbound esp sas:
          spi: 0xCDFCE528 (3455903016)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28613
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x64CD5FBE (1691180990)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28613
             IV size: 16 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
          access-list sg-vpn permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.192.0
          local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 5228, #pkts encrypt: 5228, #pkts digest: 5228
          #pkts decaps: 5246, #pkts decrypt: 5246, #pkts verify: 5246
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 5229, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 3200F1CB
        inbound esp sas:
          spi: 0x10DEE5CE (283043278)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373446/28613)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x3200F1CB (838922699)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373496/28613)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
          access-list sg-vpn permit ip 192.168.111.0 255.255.255.0 192.168.0.0 255.255.192.0
          local ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
          #pkts decaps: 296, #pkts decrypt: 296, #pkts verify: 296
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 321, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: EC77AF32
        inbound esp sas:
          spi: 0x16C7E578 (382199160)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373950/28636)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xEC77AF32 (3967266610)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373936/28636)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
          access-list sg-vpn permit ip 192.168.112.0 255.255.240.0 192.168.0.0 255.255.192.0
          local ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 2910, #pkts encrypt: 2910, #pkts digest: 2910
          #pkts decaps: 3794, #pkts decrypt: 3794, #pkts verify: 3794
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2996, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: EEDD3278
        inbound esp sas:
          spi: 0x9FAA12E6 (2678723302)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4370659/28610)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xEEDD3278 (4007473784)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373556/28610)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
          access-list sg-vpn permit ip 192.168.128.0 255.255.224.0 192.168.0.0 255.255.192.0
          local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 3034, #pkts encrypt: 3034, #pkts digest: 3034
          #pkts decaps: 3748, #pkts decrypt: 3748, #pkts verify: 3748
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 3034, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: D1F3CBED
        inbound esp sas:
          spi: 0x7C688B5D (2087226205)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4370712/28609)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xD1F3CBED (3522415597)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 319488, crypto-map: vpnmap
             sa timing: remaining key lifetime (kB/sec): (4373429/28609)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
    NM-ASA#
    QSRCORPFW# sho crypto isakmp sa
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: 3.3.3.3
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    QSRCORPFW# sho crypto ipsec sa
    interface: WAN
        Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
          access-list PEAK10VPN permit ip 192.168.0.0 255.255.192.0 172.16.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
          current_peer: 3.3.3.3
          #pkts encaps: 2162, #pkts encrypt: 2162, #pkts digest: 2162
          #pkts decaps: 1761, #pkts decrypt: 1761, #pkts verify: 1761
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2162, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: BDC6A8EE
        inbound esp sas:
          spi: 0x966B78C0 (2523625664)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6328320, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914547/28485)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xBDC6A8EE (3183913198)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6328320, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914652/28485)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: outside_dyn_map, seq num: 20, local addr: 1.1.1.1
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.1.10.6/255.255.255.255/0/0)
          current_peer: 74.128.145.69, username: administrator
          dynamic allocated peer ip: 10.1.10.6
          #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
          #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.128.145.69
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 0ED4D561
        inbound esp sas:
          spi: 0x70133356 (1880306518)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 28521
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x0001FFFF
        outbound esp sas:
          spi: 0x0ED4D561 (248829281)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={RA, Tunnel, }
             slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
             sa timing: remaining key lifetime (sec): 28508
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
          access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.111.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 350, #pkts encrypt: 350, #pkts digest: 350
          #pkts decaps: 379, #pkts decrypt: 379, #pkts verify: 379
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 350, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 16C7E578
        inbound esp sas:
          spi: 0xEC77AF32 (3967266610)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914923/28493)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x16C7E578 (382199160)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914939/28493)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
          access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.112.0 255.255.240.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 5270, #pkts encrypt: 5270, #pkts digest: 5270
          #pkts decaps: 4314, #pkts decrypt: 4314, #pkts verify: 4314
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 5270, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 9FAA12E6
        inbound esp sas:
          spi: 0xEEDD3278 (4007473784)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914358/28463)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x9FAA12E6 (2678723302)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3911355/28463)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
          access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.100.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 11323, #pkts encrypt: 11323, #pkts digest: 11323
          #pkts decaps: 11262, #pkts decrypt: 11262, #pkts verify: 11262
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 11323, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 10DEE5CE
        inbound esp sas:
          spi: 0x3200F1CB (838922699)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914033/28461)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x10DEE5CE (283043278)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3913939/28459)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
        Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
          access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.128.0 255.255.224.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 4206, #pkts encrypt: 4206, #pkts digest: 4206
          #pkts decaps: 3490, #pkts decrypt: 3490, #pkts verify: 3490
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4206, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 7C688B5D
        inbound esp sas:
          spi: 0xD1F3CBED (3522415597)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914326/28457)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x7C688B5D (2087226205)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 6324224, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3911559/28457)
             IV size: 8 bytes
             replay detection support: Y
    Anti replay bitmap:
            0x00000000 0x00000001
    QSRCORPFW#

  • VPN Access to an IP that can be accessed via EIGRP

    I have a question. I have a VPN that sits on the external interface using the IP of 10.5.79.X/20. I have a production network connected to a corporate network using MPLS and EIGRP to share the routes. The production network can access the corporate network, but the VPN users can't. I need to be able to access anything on that network, which is mainly a 172.18.0.0 network summarized by EIGRP. I had this working before, but can't get it working again after my firewall dumped on me.
    ASA Version 8.4(2)
    hostname hp-asa-5510-DR
    enable password 1qF1n5PuI7A.2DV. encrypted
    passwd 1qF1n5PuI7A.2DV. encrypted
    names
    dns-guard
    interface Ethernet0/0
    speed 100
    duplex full
    nameif external
    security-level 0
    ip address *142.189.26 255.255.255.252
    interface Ethernet0/1
    nameif internal
    security-level 100
    ip address 10.5.64.6 255.255.240.0
    interface Ethernet0/1.1
    vlan 2
    nameif Guest
    security-level 90
    ip address 192.168.3.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    boot system disk0:/asa842-k8.bin
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup external
    dns domain-lookup internal
    dns server-group DefaultDNS
    name-server 208.67.222.222
    dns server-group Guest
    name-server 10.5.64.197
    name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj-10.5.65.239
    host 10.5.65.239
    object network obj-10.5.65.253
    host 10.5.65.253
    object network obj-10.5.65.42
    host 10.5.65.42
    object network obj-10.5.65.219
    host 10.5.65.219
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Cegedim
    subnet 10.5.250.0 255.255.255.248
    description dendrite site to site VPN
    object network dfb
    subnet 10.5.0.0 255.255.0.0
    object network lausanne
    subnet 192.168.250.0 255.255.255.0
    description Lausanne
    object network dfbgroup
    subnet 10.5.0.0 255.255.0.0
    object network DPT
    subnet 10.5.16.0 255.255.240.0
    object network hpbexch
    host 10.5.64.198
    object network hpbmsvpn
    host 10.5.64.196
    object network kacehost
    host 10.5.65.189
    object network hpbsentry
    host 10.5.64.194
    object network hpbMDM
    host 10.5.64.195
    object network hperoom
    host 10.5.65.211
    description healthpoint eroom server
    object network spintranet
    host 10.5.65.185
    description sharepoint intranet
    object network spsales
    host 10.5.65.194
    description sharepoint sales
    object network spteams
    host 10.5.65.183
    description sharepoint teams
    object network Guest
    subnet 192.168.3.0 255.255.255.0
    object network Crystal
    host 10.5.65.203
    object network ERPLN
    host 10.5.65.234
    object network ERPLNDB
    host 10.5.65.237
    object service dpt
    service tcp source range 1 65000 destination range 1 65000
    description dpt ports
    object network Documentum
    host 10.5.17.216
    object network DPTDocumentum
    host 10.5.17.216
    description Documentum
    object network EzDocs
    host 10.5.17.235
    description EzDocs
    object network Aerosol
    subnet 10.5.32.0 255.255.240.0
    object network Brooks
    subnet 10.5.128.0 255.255.240.0
    object network DPTScience
    subnet 10.5.48.0 255.255.240.0
    object network LakeWood
    subnet 10.5.80.0 255.255.240.0
    object network Plant
    subnet 10.5.0.0 255.255.240.0
    object network warehouse
    subnet 10.5.240.0 255.255.240.0
    object network NotesApps
    host 10.5.65.235
    object network DPTNotes
    host 10.5.17.246
    object network DNSServer
    host 10.5.64.197
    object network GuestNetwork
    subnet 192.168.3.0 255.255.255.0
    object network KACE
    host 10.5.65.189
    object network mdm2
    host 10.5.64.195
    object network guesterooms
    host 10.5.65.211
    object network DNSServer2
    host 10.5.64.199
    object network asa_LAN
    host 10.5.64.6
    object network guestspsales
    host 10.5.65.194
    object network JohnsonControlServer
    host 10.5.65.33
    description JC Server
    object network guestexchange
    host 10.5.64.198
    description Guest Exchange
    object network guestmobile2
    host 10.5.64.194
    object network DPTDocB
    host 10.5.17.215
    object-group service EDI tcp
    port-object eq 50080
    port-object eq 6080
    port-object eq www
    object-group service Exchange tcp
    port-object eq 587
    port-object eq www
    port-object eq https
    port-object eq smtp
    object-group service Lotus-Sametime tcp
    port-object eq 1503
    port-object eq 1516
    port-object eq 1533
    port-object eq 8081
    port-object range 8082 8084
    port-object range 9092 9094
    port-object eq www
    port-object eq https
    port-object eq lotusnotes
    port-object eq rtsp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service VPN-MS tcp-udp
    port-object eq 1701
    port-object eq 1723
    port-object eq 4500
    port-object eq 500
    object-group network Verizon-Servers
    network-object 216.82.240.0 255.255.240.0
    network-object 85.158.136.0 255.255.248.0
    network-object 193.109.254.0 255.255.254.0
    network-object 194.106.220.0 255.255.254.0
    network-object 195.245.230.0 255.255.254.0
    network-object 62.231.131.0 255.255.255.0
    network-object 64.124.170.128 255.255.255.240
    network-object 212.125.74.44 255.255.255.255
    network-object 195.216.16.211 255.255.255.255
    object-group network FDA_SecureEmail
    network-object host 150.148.2.65
    network-object host 150.148.2.66
    object-group network Web-Server-Stuff
    network-object host 204.71.89.34
    network-object host 204.71.89.35
    network-object host 204.71.89.33
    network-object host 66.240.207.149
    network-object host 68.168.88.169
    network-object host 50.112.164.102
    object-group service DFB-eRoom tcp
    port-object eq www
    port-object eq https
    object-group network EDI-Customers
    network-object host 129.33.204.13
    network-object host 143.112.144.25
    network-object host 160.109.101.195
    network-object host 198.89.160.113
    network-object host 199.230.128.125
    network-object host 199.230.128.85
    network-object host 205.233.244.208
    network-object host 198.89.170.134
    network-object host 198.89.170.135
    network-object host 199.230.128.54
    object-group service MDM tcp
    description MobileIron ports
    port-object eq 9997
    port-object eq 9998
    port-object eq https
    object-group network OpenDNS
    description OpenDNS Servers
    network-object host 208.67.220.220
    network-object host 208.67.222.222
    network-object host 8.8.8.8
    network-object host 68.113.206.10
    object-group network healthpoint
    network-object 10.5.64.0 255.255.240.0
    object-group network vpnpool
    network-object 10.5.79.0 255.255.255.0
    object-group network dfb_group
    network-object object dfbgroup
    object-group network lausanne_group
    network-object 192.168.250.0 255.255.255.0
    object-group network DPTNetwork
    network-object object DPT
    network-object object Aerosol
    network-object object Brooks
    network-object object LakeWood
    network-object object Plant
    object-group network DM_INLINE_NETWORK_1
    network-object object Cegedim
    network-object object lausanne
    group-object DPTNetwork
    network-object object DPTNotes
    object-group service DFB-Allow tcp
    port-object eq 1025
    port-object eq 1119
    port-object eq 1120
    port-object range 1222 1225
    port-object eq 1433
    port-object eq 1503
    port-object eq 1516
    port-object eq 1533
    port-object range 16384 16403
    port-object eq 1755
    port-object eq 1919
    port-object eq 1935
    port-object range 2195 2196
    port-object eq 3050
    port-object eq 3080
    port-object eq 3101
    port-object eq 3244
    port-object eq 3264
    port-object eq 3306
    port-object eq 3389
    port-object eq 3724
    port-object eq 4000
    port-object eq 402
    port-object range 4080 4081
    port-object eq 4085
    port-object eq 50080
    port-object eq 5085
    port-object range 5220 5223
    port-object eq 5297
    port-object eq 5298
    port-object eq 5353
    port-object eq 5550
    port-object eq 5678
    port-object eq 58570
    port-object eq 5900
    port-object eq 6080
    port-object eq 6112
    port-object eq 6114
    port-object eq 6900
    port-object eq 7800
    port-object eq 8010
    port-object eq 8080
    port-object eq 8084
    port-object eq 81
    port-object eq 9081
    port-object eq 9090
    port-object eq 9997
    port-object eq aol
    port-object eq citrix-ica
    port-object eq echo
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    port-object eq lotusnotes
    port-object eq rtsp
    port-object eq sip
    port-object eq sqlnet
    port-object eq ssh
    port-object eq 442
    object-group network webservers
    network-object host 204.71.89.34
    network-object host 204.71.89.35
    object-group network DM_INLINE_NETWORK_2
    network-object object KACE
    network-object object guesterooms
    network-object object guestspsales
    network-object object JohnsonControlServer
    network-object object mdm2
    object-group network DM_INLINE_NETWORK_3
    network-object host 10.5.65.230
    network-object host 10.5.65.232
    network-object object hpbexch
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service kace tcp
    port-object eq 52230
    port-object eq www
    port-object eq https
    port-object eq 445
    port-object eq netbios-ssn
    object-group service DM_INLINE_TCP_0 tcp
    port-object eq www
    port-object eq https
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq www
    port-object eq https
    object-group network VLAN_Switches
    network-object host 192.168.10.10
    network-object host 192.168.10.11
    network-object host 192.168.10.12
    network-object host 192.168.10.13
    network-object host 192.168.10.14
    network-object host 192.168.10.15
    network-object host 192.168.10.16
    network-object host 192.168.10.17
    network-object host 192.168.10.1
    object-group network Crystal_ERP
    description Crystal Enterprise and Infor LN
    network-object object Crystal
    network-object object ERPLN
    network-object object ERPLNDB
    network-object object NotesApps
    object-group service DM_INLINE_SERVICE_2
    service-object ip
    service-object tcp destination eq www
    service-object tcp destination eq https
    object-group network GuestDNS
    description DNS Servers for Guest
    network-object object DNSServer
    network-object object DNSServer2
    object-group service DM_INLINE_TCP_3 tcp
    port-object eq 3389
    port-object eq 3390
    object-group network DM_INLINE_NETWORK_4
    group-object healthpoint
    group-object vpnpool
    access-list external_access_out extended permit object-group DM_INLINE_SERVICE_1 192.168.3.0 255.255.255.0 any
    access-list external_access_out remark Production ACL
    access-list external_access_out extended permit tcp any any object-group DFB-Allow
    access-list external_access_out extended permit icmp any any
    access-list external_access_out extended permit tcp any object-group Web-Server-Stuff
    access-list external_access_out remark Site to Site connections
    access-list external_access_out extended permit ip any object-group DM_INLINE_NETWORK_1
    access-list external_access_out extended permit udp any object-group OpenDNS eq domain
    access-list external_access_out extended permit ip object-group DM_INLINE_NETWORK_3 any
    access-list split standard permit 10.5.64.0 255.255.240.0
    access-list split standard permit 10.5.250.0 255.255.255.248
    access-list split standard permit 10.5.128.0 255.255.240.0
    access-list split standard permit 10.5.144.0 255.255.240.0
    access-list split standard permit 10.5.16.0 255.255.240.0
    access-list split standard permit 10.5.32.0 255.255.240.0
    access-list split standard permit 10.5.96.0 255.255.240.0
    access-list split standard permit 10.5.80.0 255.255.240.0
    access-list split standard permit 10.5.48.0 255.255.240.0
    access-list split standard permit 10.5.0.0 255.255.240.0
    access-list split remark lausanne
    access-list split standard permit 192.168.250.0 255.255.255.0
    access-list split standard permit 172.18.0.0 255.255.0.0
    access-list split remark HP
    access-list external_access_in extended permit object-group DM_INLINE_SERVICE_2 any 192.168.3.0 255.255.255.0
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spsales object-group DM_INLINE_TCP_2
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spteams object-group DM_INLINE_TCP_1
    access-list external_access_in remark Sharepoint
    access-list external_access_in extended permit tcp any object spintranet object-group DM_INLINE_TCP_0
    access-list external_access_in remark healthpoint erooms
    access-list external_access_in extended permit tcp any object hperoom object-group DFB-eRoom
    access-list external_access_in remark MDM2 VSP
    access-list external_access_in extended permit tcp any object hpbMDM object-group MDM
    access-list external_access_in remark New Sentry
    access-list external_access_in extended permit tcp any object hpbsentry eq https
    access-list external_access_in remark kace mgmt appliacne
    access-list external_access_in extended permit tcp any object kacehost object-group kace
    access-list external_access_in remark authentication server
    access-list external_access_in extended permit object-group TCPUDP any object hpbmsvpn object-group VPN-MS
    access-list external_access_in extended permit gre any object hpbmsvpn
    access-list external_access_in remark HPB.NET new forest Exchange
    access-list external_access_in extended permit tcp any object hpbexch object-group Exchange
    access-list external_access_in remark EDI Inbound
    access-list external_access_in extended permit tcp any host 10.5.65.42 object-group EDI
    access-list AnyConnect_Client_Local_Print extended deny ip any any
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
    access-list external_cryptomap extended permit ip object-group healthpoint object Cegedim
    access-list external_cryptomap_1 extended permit ip object-group dfb_group object-group lausanne_group
    access-list external_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DPTNetwork
    access-list Guest_access_in extended deny tcp 192.168.3.0 255.255.255.0 object-group GuestDNS object-group DM_INLINE_TCP_3 inactive
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group GuestDNS inactive
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
    access-list Guest_access_in extended deny ip 192.168.3.0 255.255.255.0 10.5.64.0 255.255.240.0
    access-list Guest_access_in extended permit ip 192.168.3.0 255.255.255.0 any
    access-list Guest_access_out extended permit ip any any inactive
    access-list Guest_access_out extended permit ip any 192.168.3.0 255.255.255.0
    no pager
    logging enable
    logging buffer-size 1045786
    logging asdm informational
    mtu external 1500
    mtu internal 1500
    mtu Guest 1500
    mtu management 1500
    ip local pool HPVPNClients 10.5.79.0-10.5.79.254 mask 255.255.255.0
    ip verify reverse-path interface external
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any external
    icmp permit any internal
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp external *142.189.93 0024.c4c0.4cc0
    arp timeout 14400
    nat (internal,external) source static dfb dfb destination static vpnpool vpnpool route-lookup
    nat (internal,external) source static dfb dfb destination static lausanne lausanne
    nat (internal,external) source static healthpoint healthpoint destination static Cegedim Cegedim
    nat (external,internal) source static DPTNetwork DPTNetwork destination static Crystal_ERP Crystal_ERP no-proxy-arp
    nat (internal,external) source static healthpoint healthpoint destination static DPTDocumentum DPTDocumentum unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static DPTDocB DPTDocB unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static EzDocs EzDocs unidirectional
    nat (internal,external) source static healthpoint healthpoint destination static DPTNotes DPTNotes unidirectional
    object network obj-10.5.65.239
    nat (internal,external) static *142.189.82
    object network obj-10.5.65.253
    nat (internal,external) static *142.189.83
    object network obj-10.5.65.42
    nat (internal,external) static *142.189.84
    object network obj-10.5.65.219
    nat (internal,external) static *142.189.87
    object network obj_any
    nat (internal,external) dynamic interface dns
    object network hpbexch
    nat (internal,external) static *142.189.91
    object network hpbmsvpn
    nat (internal,external) static *142.189.82
    object network kacehost
    nat (internal,external) static *142.189.90
    object network hpbsentry
    nat (internal,external) static *142.189.92
    object network hpbMDM
    nat (internal,external) static *142.189.93
    object network hperoom
    nat (internal,external) static *142.189.88
    object network spintranet
    nat (internal,external) static *142.189.85
    object network spsales
    nat (internal,external) static *142.189.89
    object network spteams
    nat (internal,external) static *142.189.94
    object network GuestNetwork
    nat (Guest,external) dynamic interface
    access-group external_access_in in interface external
    access-group external_access_out out interface external
    access-group Guest_access_in in interface Guest
    access-group Guest_access_out out interface Guest
    route external 0.0.0.0 0.0.0.0 *142.189.25 1
    route external 10.5.16.0 255.255.240.0 *142.189.25 1
    route external 10.5.32.0 255.255.240.0 *142.189.25 1
    route external 10.5.80.0 255.255.240.0 *142.189.25 1
    route external 10.5.128.0 255.255.240.0 *142.189.25 1
    route external 10.5.240.0 255.255.240.0 *142.189.25 1
    route external 10.5.250.0 255.255.255.248 *142.189.25 1
    route internal 172.18.0.0 255.255.255.255 10.5.64.1 1
    route external 192.168.250.0 255.255.255.0 *142.189.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPN-RADAuth protocol radius
    aaa-server VPN-RADAuth (internal) host 10.5.65.253
    key *****
    radius-common-pw *****
    aaa-server VPN-RADAuth (internal) host 10.5.65.240
    key *****
    aaa-server VPN-RADAuthHPB protocol radius
    aaa-server VPN-RADAuthHPB (internal) host 10.5.64.196
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.5.0.0 255.255.0.0 internal
    http 0.0.0.0 0.0.0.0 external
    http 0.0.0.0 0.0.0.0 internal
    snmp-server host internal 10.5.65.210 community ***** version 2c
    snmp-server location Healthpoint.Vickery
    snmp-server contact Jonathan Henry
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map external_map 1 match address external_cryptomap
    crypto map external_map 1 set peer 64.126.222.190
    crypto map external_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 2 match address external_cryptomap_1
    crypto map external_map 2 set pfs
    crypto map external_map 2 set peer 109.164.216.164
    crypto map external_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 3 match address external_cryptomap_2
    crypto map external_map 3 set peer 12.197.232.98
    crypto map external_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map external_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map external_map interface external
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    keypair ASDM_TrustPoint0
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 4b54478c1754b7
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev1 enable external
    crypto ikev1 policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 2
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto ikev1 policy 3
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto ikev1 policy 4
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.5.0.0 255.255.0.0 internal
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 10.5.0.0 255.255.0.0 internal
    ssh timeout 5
    console timeout 0
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 10.5.65.242 source internal
    ssl trust-point ASDM_TrustPoint0 external
    webvpn
    enable external
    enable internal
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
    anyconnect profiles HP_Basic disk0:/HP_Basic.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1 ikev2
    group-policy HPVPN internal
    group-policy HPVPN attributes
    banner value You are now connected to Healthpoint, Ltd.
    wins-server none
    dns-server value 10.5.64.199 10.5.64.197
    dhcp-network-scope none
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    ip-comp disable
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    default-domain value hpb.net
    split-dns none
    split-tunnel-all-dns disable
    user-authentication-idle-timeout none
    address-pools value HPVPNClients
    client-firewall none
    client-access-rule none
    webvpn
      anyconnect keep-installer installed
      anyconnect ssl compression none
      anyconnect profiles value HP_Basic type user
      anyconnect ask enable default anyconnect timeout 5
      http-comp none
    username bcline password Wpo.Polan03mKRJ9 encrypted privilege 15
    username jhenry password wX50UveiwuBH7p7v encrypted privilege 15
    username ittemp password zpQoWfp93rOS3NU7 encrypted privilege 5
    tunnel-group HPVPN type remote-access
    tunnel-group HPVPN general-attributes
    address-pool HPVPNClients
    authentication-server-group VPN-RADAuth
    authentication-server-group (external) VPN-RADAuth
    default-group-policy HPVPN
    password-management password-expire-in-days 3
    tunnel-group HPVPN webvpn-attributes
    group-alias HPVPN enable
    tunnel-group HPVPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group 64.126.222.190 type ipsec-l2l
    tunnel-group 64.126.222.190 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group 109.164.216.164 type ipsec-l2l
    tunnel-group 109.164.216.164 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    tunnel-group 12.197.232.98 type ipsec-l2l
    tunnel-group 12.197.232.98 ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group HPB type remote-access
    tunnel-group HPB general-attributes
    address-pool HPVPNClients
    authentication-server-group VPN-RADAuthHPB
    authentication-server-group (external) VPN-RADAuthHPB
    default-group-policy HPVPN
    password-management password-expire-in-days 3
    tunnel-group HPB webvpn-attributes
    group-alias HPB disable
    group-alias HPVPN_NEW enable
    tunnel-group HPB ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group HPB ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      no dns-guard
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect dns
    service-policy global_policy global
    prompt hostname context
    service call-home
    call-home reporting anonymous
    call-home
    contact-email-addr
    profile CiscoTAC-1
      destination address
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f3c293700f62ee55af87105015fe4cd0
    : end

    You have two options:
    1. The router that is internal must have a static route to the ASA to reach the VPN networks and must have a distribute static so that other routers that form part of EIGRP know how to route to the VPN networks.
    2. You can configure on the ASA "set reverse-route" on the crypto map then configure EIGRP on the ASA and add redistribute static so that routes learned via VPN (considered static routes) can be pushed through EIGRP.

  • Public-to-Public L2L VPN no return traffic

    Hello all,
    I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public ip address to setup a site-to-site IPSEC vpn. We only have one public ip address and that will be used for the vpn endpoint and for internet access for the local network. I've setup policy NAT from our local network to the outside interface. I'm also using the outside ip address for the crypto map. The tunnel sets up successfully and the Tx count increases anytime I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
    Local Network - 10.10.9.0/24
    Remote Network - 20.20.41.0/24
    Remote Peer - 20.20.60.193
    ASA Version 8.2(5)
    hostname ciscoasa
    domain-name
    names
    name 10.10.9.3 VPN description VPN Server
    name 10.10.9.4 IntranetMySQL description MySQL For Webserver
    name 192.168.0.100 IIS_Webserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.9.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.***.***.162 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.0.254 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.9.1
      domain-name
    same-security-traffic permit inter-interface
    object-group service VPN_TCP
    description VPN TCP Connection
    service-object tcp eq 1195
    object-group service VPN_UDP
    description VPN UDP Port
    service-object udp eq 1194
    object-group service VPN_HTTPS
    description VPN HTTPS Web Server
    service-object tcp eq 943
    service-object udp eq 943
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service WebServer
    service-object tcp eq 8001
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service VPN_HTTPS_UDP udp
    port-object eq 943
    object-group service WCF_WebService tcp
    port-object eq 808
    object-group service RDP tcp
    port-object eq 3389
    object-group service RDP_UDP udp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_2
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service *_Apache tcp
    port-object eq 8001
    object-group service *_ApacheUDP udp
    port-object eq 8001
    object-group service IIS_SQL_Server tcp
    port-object eq 1433
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service File_Sharing tcp
    port-object eq 445
    object-group service File_Sharing_UDP udp
    port-object eq 445
    object-group service MySQL tcp
    port-object eq 3306
    object-group service Http_Claims_Portal tcp
    port-object eq 8080
    object-group service Http_Claims_PortalUDP udp
    port-object eq 8080
    object-group service RTR_Portal tcp
      description Real Time Rating Portal
    port-object eq 8081
    object-group service RTR_PortalUDP udp
    port-object eq 8081
    object-group service DM_INLINE_SERVICE_3
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
    access-list outside_access_in extended permit tcp any any eq 1195
    access-list outside_access_in extended permit object-group VPN_HTTPS any any
    access-list outside_access_in extended permit tcp any interface outside eq 943
    access-list outside_access_in extended permit tcp any any eq 8001
    access-list inside_access_in extended permit tcp any any
    access-list outside_access_in_1 extended permit tcp any interface outside eq 943
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
    access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
    access-list outside_access_in_2 extended permit icmp any any
    access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
    access-list outside_access_in_2 remark VPN TCP Ports
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
    access-list outside_access_in_2 remark Palm Insure Apache Server
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
    access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
    access-list outside_access_in_2 remark RTR Access rule for internal VMs
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
    access-list inside_access_in_1 extended permit object-group TCPUDP any any
    access-list inside_access_in_1 extended permit icmp any any
    access-list inside_access_in_1 extended permit esp any any
    access-list inside_access_in_1 extended permit udp any any eq isakmp
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
    access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
    access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
    access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
    access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.10.9.0 255.255.255.0
    static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
    static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
    static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
    static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
    static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
    static (inside,outside) interface  access-list inside_nat_static
    access-group inside_access_in_1 in interface inside
    access-group outside_access_in_2 in interface outside
    access-group dmz_access_in_1 in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 20.20.60.193
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 10.10.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 20.20.60.193 type ipsec-l2l
    tunnel-group 20.20.60.193 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN you don't really have to build any additional NAT configurations for the L2L VPN connection. So you shouldn't need the "static" configuration you have made.
    static (inside,outside) interface  access-list inside_nat_static
    This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
    Did you try the connectivity without the "static" configuration?
    For ICMP testing I would add the command
    fixup protocol icmp
    or
    policy-map global_policy
      class inspection_default
       inspect icmp
    Should do the same thing
    - Jouni

  • L2L VPN not coming up

    I am using GNS3 to build a tunnel between an ASA and a router.
    Below are my configurations, but the tunnel is not coming up. Can anyone spot what's wrong with my configs? Or could it be because of bugs in GNS3?
    ciscoasa# sho running-config crypto
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
    crypto map SampleVPN 100 match address VPN_Traffic
    crypto map SampleVPN 100 set peer 10.123.5.2
    crypto map SampleVPN 100 set transform-set MySET
    crypto map SampleVPN interface outside
    crypto isakmp enable outside
    crypto isakmp policy 100
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    tunnel-group VPN type ipsec-l2l
    tunnel-group VPN ipsec-attributes
    pre-shared-key 1234
    R1#sho run | sec crypto
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key 1234 address 12.152.45.2 no-xauth
    crypto ipsec transform-set MySET esp-aes esp-sha-hmac
    ip access-list extended VPN_Traffic
    permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
    crypto map VPN 100 ipsec-isakmp
    set peer 12.152.45.2
    set transform-set MySET
    match address VPN_Traffic
    interface f0/0
    crypto map VPN
    Here are the debugs from the router...
    *Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
    *Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
    *Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
    *Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
    *Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
    *Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
    *Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
    *Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    *Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
    *Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
    *Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.055: ISAKMP:(0)
    R1#: processing vendor id payload
    *Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
    *Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
    *Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
    *Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
    *Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
    *Feb 18 15:59:14.063: ISAKMP:      hash MD5
    *Feb 18 15:59:14.063: ISAKMP:      default group 2
    *Feb 18 15:59:14.063: ISAKMP:      auth pre-share
    *Feb 18 15:59:14.063: ISAKMP:      life type in seconds
    *Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    *Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Feb 18 15:59:14.071: ISAK
    R1#
    R1#MP:(0): vendor ID is NAT-T v2
    *Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
    *Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    *Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    R1#
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
    *Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
    *Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
    *Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
    *Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3
    R1#ping ip 12.123.15.2 source loo0
    *Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
    R1#ping ip 12.123.15.2 source loo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
    Packet sent with a source address of 192.168.10.1
    *Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
    *Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
    *Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
    *Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
    Success rate is 0 percent (0/5)
    R1#
    *Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
    *Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
    *Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.
    *Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
    *Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
    *Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
    R1#
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
    *Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
    R1#
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
    *Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
    R1#
    *Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

    Hi,
    When you applied the tunnel-group VPN, you should have seen a warning telling you that a tunnel-group can have a name only if it's for remote-access VPN or certificate authentication is used. So, an L2L VPN with pre-shared keys can only have tunnel-groups named as the peer IP address.
    Mashal

  • ASA5505 L2L VPN does not function after move and reconfiguration

    I have an ASA5505 that had multiple VPNs to both Cisco 5505s and other vendors' security appliances. The one in question that moved to a new IP address checks out on isa sa, ipsec sa and nat, yet there is no communication across the tunnel. This behavior is consistent across all remote sites. The remote sites function normally. Below is the output with some show commands.
    ASA Version 8.4(4)
    hostname RitterBars
    names
    name 67.231.37.42 RitterLAB-ASA
    name 67.231.37.45 RitterLAB-LB-WAN1
    name 64.233.131.94 RitterLAB-LB-WAN3
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    description Port 7 on 9108
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan2
    nameif CoreNetwork
    security-level 0
    ip address 172.20.10.22 255.255.255.128
    boot system disk0:/asa844-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CST recurring
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.9.0
    subnet 192.168.9.0 255.255.255.0
    object network obj-192.168.85.0
    subnet 192.168.85.0 255.255.255.0
    object network obj-10.200.1.0
    subnet 10.200.1.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.1.2
    host 192.168.1.2
    object service obj-tcp-source-eq-22
    service tcp source eq ssh
    object service obj-tcp-source-eq-5922
    service tcp source eq 5922
    object network obj-192.168.1.10
    host 192.168.1.10
    object service obj-tcp-source-eq-5125
    service tcp source eq 5125
    object service obj-tcp-source-eq-80
    service tcp source eq www
    object network obj-192.168.1.119
    host 192.168.1.119
    object service obj-udp-source-eq-69
    service udp source eq tftp
    object network obj-192.168.1.51
    host 192.168.1.51
    object service obj-tcp-source-eq-443
    service tcp source eq https
    object service obj-tcp-source-eq-5980
    service tcp source eq 5980
    object network obj-192.168.1.114
    host 192.168.1.114
    object network obj-96.43.39.27
    host 96.43.39.27
    object network obj-xxx.xxx.xxx.xxx
    host xxx.xxx.xxx.xxx
    object-group network Inside
    network-object 192.168.1.0 255.255.255.0
    access-list split-tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
    access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 10.200.1.0 255.255.255.0
    access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list inat extended permit ip 192.168.1.0 255.255.255.0 any
    access-list vnat extended permit ip 192.168.1.0 255.255.255.0 host 216.163.29.244
    access-list out2in extended permit tcp host 64.233.128.6 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.2 eq ssh
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.10 eq www
    access-list out2in extended permit udp 64.233.128.0 255.255.255.0 host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp 64.233.128.0 255.255.255.0 host 192.168.1.51 eq https
    access-list out2in extended permit ip 64.233.128.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out2in extended permit tcp any host 192.168.1.10 eq 5125
    access-list out2in extended permit tcp any host 192.168.1.10 eq www
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp
    access-list out2in extended permit tcp any 192.168.1.0 255.255.255.0 eq ftp-data
    access-list out2in extended permit udp any host 192.168.1.119 eq tftp
    access-list out2in extended permit tcp any host 192.168.1.51 eq https
    access-list out2in extended permit icmp any any
    pager lines 24
    logging console alerts
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu CoreNetwork 1500
    ip local pool vpn-pool 192.168.9.10-192.168.9.250
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-649.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
    nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    nat (inside,outside) source static obj-192.168.1.2 interface service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
    nat (inside,outside) source static obj-192.168.1.10 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
    nat (inside,outside) source static obj-192.168.1.119 interface service obj-udp-source-eq-69 obj-udp-source-eq-69
    nat (inside,outside) source static obj-192.168.1.51 interface service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
    nat (inside,outside) source static obj-192.168.1.114 obj-96.43.39.27
    nat (inside,CoreNetwork) source dynamic obj-192.168.1.0 interface destination static obj-xxx.xxx.xxx.xxx obj-xxx.xxx.xxx.xxx
    nat (inside,outside) source dynamic Inside interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group out2in in interface outside
    route CoreNetwork 172.20.30.0 255.255.255.248 172.20.10.1 1
    route CoreNetwork 216.163.29.244 255.255.255.255 172.20.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set psset esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map samap 1 match address VPN2LAB
    crypto map samap 1 set peer RitterLAB-ASA
    crypto map samap 1 set ikev1 transform-set ESP-AES-256-SHA
    crypto map samap 2 match address Barracudalab
    crypto map samap 2 set peer RitterLAB-LB-WAN1 RitterLAB-LB-WAN3
    crypto map samap 2 set ikev1 transform-set ESP-3DES-SHA
    crypto map samap interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 11
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    dhcpd dns 64.233.128.10 64.233.128.11
    dhcpd auto_config outside
    dhcpd address 192.168.1.100-192.168.1.150 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.187.233.4 source outside
    ntp server 64.99.80.30 source outside
    webvpn       
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    username xxx.xxx.xxx.xxx password xxx.xxx.xxx.xxx encrypted privilege 15
    username xxx.xxx.xxx.xxx attributes
    vpn-group-policy WebVPNpolicy
    tunnel-group 67.231.37.42 type ipsec-l2l
    tunnel-group 67.231.37.42 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 67.231.37.45 type ipsec-l2l
    tunnel-group 67.231.37.45 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    tunnel-group 64.233.131.94 type ipsec-l2l
    tunnel-group 64.233.131.94 ipsec-attributes
    ikev1 pre-shared-key xxx.xxx.xxx.xxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect xdmcp
      inspect ip-options
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:bcdf7281cbf323ff6af7457149529a5b
    : end
    RitterBars# sh isa sa
    IKEv1 SAs:
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2
    1   IKE Peer: 67.231.37.45
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 67.231.37.42
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    RitterBars# sh ipsec sa
    interface: outside
        Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
          access-list VPN2LAB extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
          current_peer: 67.231.37.42
          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.42/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 6F98A015
          current inbound spi : 6DD466F0
        inbound esp sas:
          spi: 0x6DD466F0 (1842636528)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4374000/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x6F98A015 (1872273429)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1122304, crypto-map: samap
             sa timing: remaining key lifetime (kB/sec): (4373999/28182)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
          access-list Barracudalab extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
          current_peer: 67.231.37.45
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 96.43.41.168/0, remote crypto endpt.: 67.231.37.45/0
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 51AF17EA
          current inbound spi : 859BC586
        inbound esp sas:
          spi: 0x859BC586 (2241578374)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x51AF17EA (1370429418)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1118208, crypto-map: samap
             sa timing: remaining key lifetime (sec): 28152
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    RitterBars# sh nat int inside
    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.9.0 obj-192.168.9.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.85.0 obj-192.168.85.0 no-proxy-arp
        translate_hits = 18, untranslate_hits = 0
    3 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-10.200.1.0 obj-10.200.1.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (any) source static obj-192.168.1.0 obj-192.168.1.0   destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static obj-192.168.1.2 interface   service obj-tcp-source-eq-22 obj-tcp-source-eq-5922
        translate_hits = 0, untranslate_hits = 0
    6 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-5125 obj-tcp-source-eq-5125
        translate_hits = 0, untranslate_hits = 9094
    7 (inside) to (outside) source static obj-192.168.1.10 interface   service obj-tcp-source-eq-80 obj-tcp-source-eq-80
        translate_hits = 0, untranslate_hits = 126
    8 (inside) to (outside) source static obj-192.168.1.119 interface   service obj-udp-source-eq-69 obj-udp-source-eq-69
        translate_hits = 0, untranslate_hits = 0
    9 (inside) to (outside) source static obj-192.168.1.51 interface   service obj-tcp-source-eq-443 obj-tcp-source-eq-5980
        translate_hits = 0, untranslate_hits = 195
    10 (inside) to (outside) source static obj-192.168.1.114 obj-96.43.39.27 
        translate_hits = 0, untranslate_hits = 0
    11 (inside) to (CoreNetwork) source dynamic obj-192.168.1.0 interface   destination static obj-216.163.29.244 obj-216.163.29.244
        translate_hits = 107, untranslate_hits = 0
    12 (inside) to (outside) source dynamic Inside interface 
        translate_hits = 35387, untranslate_hits = 2940
    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface 
        translate_hits = 291, untranslate_hits = 78
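
The counters in the posted sh ipsec sa output are the diagnostic clue: the VPN2LAB entry has #pkts encaps 4 and #pkts decaps 0, so this ASA encrypts and sends, but nothing ever comes back from the peer to decrypt. The following parser is an added example, not part of this thread; it reads show crypto ipsec sa output and classifies each crypto-map entry by direction. The sample text is constructed from the output above, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: trimmed from the 'sh ipsec sa' output in the post above,
# keeping only the lines this parser reads. Not a live capture.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: samap, seq num: 1, local addr: 96.43.41.168
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
      current_peer: 67.231.37.42
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: samap, seq num: 2, local addr: 96.43.41.168
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 67.231.37.45
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Each crypto-map entry in the output starts with this line.
_ENTRY_RE = re.compile(r"Crypto map tag: (?P<map>\S+), seq num: (?P<seq>\d+)")


@dataclass
class SaEntry:
    crypto_map: str
    seq: int
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int  # packets this ASA encrypted and sent into the tunnel
    decaps: int  # packets this ASA received from the peer and decrypted

    def verdict(self) -> str:
        """Classify the SA from the two counters alone."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.encaps and not self.decaps:
            # We send, nothing returns: look at the return path on the remote
            # side (mirrored crypto ACL, NAT exemption, routing), not at local
            # encryption, which is clearly working.
            return "one-way: encaps only, nothing received from peer"
        if self.decaps and not self.encaps:
            return "one-way: decaps only, nothing sent to peer"
        return "idle: no traffic in either direction"


def parse_ipsec_sa(text: str) -> List[SaEntry]:
    """Split 'show crypto ipsec sa' output into one SaEntry per crypto-map entry."""
    starts = list(_ENTRY_RE.finditer(text))
    entries: List[SaEntry] = []
    for i, m in enumerate(starts):
        # The entry runs from its header line to the next header (or end of text).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        chunk = text[m.start():end]

        def grab(pattern: str, default: str = "?") -> str:
            found = re.search(pattern, chunk)
            return found.group(1) if found else default

        entries.append(SaEntry(
            crypto_map=m.group("map"),
            seq=int(m.group("seq")),
            peer=grab(r"current_peer: (\S+)"),
            local_ident=grab(r"local ident \(addr/mask/prot/port\): \((\S+)\)"),
            remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
            encaps=int(grab(r"#pkts encaps: (\d+)", "0")),
            decaps=int(grab(r"#pkts decaps: (\d+)", "0")),
        ))
    return entries


def one_way_tunnels(text: str) -> List[SaEntry]:
    """Return only the entries that carry traffic in a single direction."""
    return [e for e in parse_ipsec_sa(text) if e.verdict().startswith("one-way")]


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(f"{e.crypto_map}:{e.seq} peer {e.peer} {e.local_ident} -> "
              f"{e.remote_ident}: encaps={e.encaps} decaps={e.decaps}: {e.verdict()}")
```

Run it against the full output of show crypto ipsec sa on both ends; an entry that is encaps-only on one ASA and decaps-only on the other narrows the fault to the second box's outbound path.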

    I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyways, I have a Cisco 831 that I use for a VPN to work, and so I decided to put that up front.
    Anyways, had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes Broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
    http://www.dslreports.com/forum/r19559467-How-To-MI424WR-Network-Bridge-working-FIOS-TV
    It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA. And then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
    So then I spent about two hours turning ports on and off and such; finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and lo and behold VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
    Here's what the access lists should look like in IOS:
    permit tcp any host (your external IP address) established
    permit udp any host (your external IP address) eq 21310
    It's probably going to be a little bit different since you have an ASA, but I think you get the idea.

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical? I suspect some of these lines were created when they migrated over from a PIX 501 to this ASA......

    Hi,
    To my understanding, the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
    The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
    I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
    show run access-group
    You could add the same lines from the old ACL to the new ACL with the "_1" at the end, but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
    The second ACL line might be in the new ACL. I am not sure, as it contains "object" configurations which hold the IP addresses that I can't see.
    Same goes for the third line of the ACL. It contains an "object" configuration, though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts, but with this information I can not say what's the case.
    The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore, as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
    The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
    At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni
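
The checks in the reply above (show run access-group, show run crypto map, and the split-tunnel list in the group-policy) can be run in one pass over a saved running-config. This is an added example, not part of the thread: it collects every ACL built by access-list lines, finds where each one is applied, and reports the orphans and any reference to an ACL that does not exist. The sample config is constructed; its ACL lines come from the question, while the access-group, group-policy and crypto map lines are assumed, since the post does not show them.

```python
import re
from typing import Any, Dict, List, Set, Tuple

# Constructed sample (an assumption, not the poster's full running-config):
# ACL lines from the question above; the access-group, group-policy and
# crypto map lines that reference them are made up to show the audit.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
access-group outside_access_in_1 in interface outside
group-policy RemoteVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 198.51.100.10
crypto map outside_map interface outside
"""

# Every 'access-list <name> ...' line defines or extends an ACL. The two global
# 'access-list' settings are not ACL names and are skipped.
_ACL_LINE = re.compile(r"^access-list (?P<acl>\S+) ", re.M)
_NOT_ACL_NAMES = {"alert-interval", "deny-flow-max"}

# Places in an ASA config where an ACL is put to use, with a label for the report.
_REFERENCE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("access-group (interface/global ACL)",
     re.compile(r"^access-group (?P<acl>\S+) (?:in interface|out interface|global)", re.M)),
    ("crypto map match address (L2L VPN)",
     re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)", re.M)),
    ("split-tunnel-network-list (remote-access VPN group-policy)",
     re.compile(r"^\s*split-tunnel-network-list value (?P<acl>\S+)", re.M)),
    ("vpn-filter (group-policy or user attributes)",
     re.compile(r"^\s*vpn-filter value (?P<acl>\S+)", re.M)),
    ("class-map match access-list",
     re.compile(r"^\s*match access-list (?P<acl>\S+)", re.M)),
]


def defined_acls(config: str) -> Dict[str, int]:
    """ACL name -> number of 'access-list' lines that build it."""
    counts: Dict[str, int] = {}
    for m in _ACL_LINE.finditer(config):
        name = m.group("acl")
        if name not in _NOT_ACL_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def referenced_acls(config: str) -> Dict[str, Set[str]]:
    """ACL name -> the set of places that reference it."""
    refs: Dict[str, Set[str]] = {}
    for label, pattern in _REFERENCE_PATTERNS:
        for m in pattern.finditer(config):
            refs.setdefault(m.group("acl"), set()).add(label)
    return refs


def audit_acls(config: str) -> Dict[str, Any]:
    """Which ACLs are in use, which are orphaned, and which references point nowhere."""
    defined = defined_acls(config)
    refs = referenced_acls(config)
    return {
        "defined": defined,
        "referenced": refs,
        # Defined but never applied: candidates for removal once confirmed on the box.
        "unreferenced": {n for n in defined if n not in refs},
        # Applied but not defined: a typo or a half-finished migration.
        "dangling": {n for n in refs if n not in defined},
    }


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    for name, n in sorted(report["defined"].items()):
        where = ", ".join(sorted(report["referenced"].get(name, []))) or "UNREFERENCED"
        print(f"{name:28} {n:3} line(s)  {where}")
```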
