Level 15 authorization on Cisco ASA
I use tacacs+ for AAA in my Enterprise. On my ACSv4.1, I have created a user with privilege level 15. On every Switch in my enterpirse the user on authentication, directly goes to privilege mode (because he is level 15). But on ASA (ver 8.0) he is always prompted for an enable password.
Is there any method to directly go to the privilege mode on the ASA?
I could not find any aaa authorization commands to do this in an ASA.
Thanks in advance.
Jenny, this is how the ASA works. This feature was never implemented on the ASA in the same way it was done on the IOS platform.
Regards
Farrukh
Similar Messages
-
Hi All
I have just started working on Cisco ASAs and working on following scenario:
3 Depts having 3 separate Networks given following names
Finance
Accounts
HR
Communication Between them should be restricted and allowed on specfic host and services. My approach is that I have assigned security level of "0"
to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host , traffic stops flowing for all other hosts except for the one which was granted access in access-list.
Is my approach right? Please do advise, and also Is this a default behaviour of ASA to implicitly deny traffic for all host as soon as I place a acl after enabling same-security-traffic permit inter-interface.
Thanks and RegardsHello,
If all of the networks zone have the same security level for your company then you can use the same one on them.
Remember that all the ACL's have an implicit deny at the bottom, so the behavior is expected.
Same security level interfaces with the same-security-traffic command will be allow to exchange traffic without the need on an ACL but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
Regards,
Rate all the helpful pots
Julio
Security Engineer -
L2TP on Cisco ASA 5505, just doesn't work??!
This is pretty urgent, client expects me to have this up by lunch today
So, there is this Cisco ASA 5505 ver 8.4.
Most things work but now I want to setup a vpn connection...
I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then 5 hours later removing everything and configuring from cli.
And it just doesn't work, client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating problem with phase 1, I'm pretty sure of that)
Googling on those gives a few suggestions none works.
All I get in the log on Cisco is the "Error processing payload: Payload ID: 1"
Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...)
For the cli config, I followed this tutorial carefully (3 times actually...)
http://www.cisco.com/en/US/docs/secu...html#wp1117464
I'm using PSK for IPSec, entered same on Cisco and client - checked several times, this is not a password/PSK issue.
Ports opened on Cisco: 500, 1701, 4500
(For a try I opened all ports, no change.)
And here's the "show run":
Code:
ASA Version 8.4(2)
hostname ciscoasa
enable password <string> encrypted
passwd <string> encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address #.#.#.# 255.255.255.252
interface Vlan7
description VLAN till kontor
no forward interface Vlan2
nameif kontor
security-level 100
ip address 172.16.5.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.5.2
object network Webserver443
host 192.168.5.2
object network rdp
host 192.168.5.2
object network vpnserver
host 192.168.5.2
object service vpn-service-group
object network VPN
host 192.168.5.2
object-group service Webports tcp-udp
description Portar för webbserver
port-object eq 443
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object Webports
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPNports tcp-udp
port-object eq 1701
port-object eq 4500
port-object eq 500
object-group service RDP tcp-udp
port-object eq 3389
object-group service vpn-services tcp-udp
port-object eq 1701
port-object eq 500
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object Webserver object-group DM_INLINE_TCP_1
access-list outside_access_in_1 remark Ãppnar för vpn
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group VPNports
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu kontor 1500
ip local pool vpn1 10.10.10.10-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network Webserver
nat (inside,outside) static interface service tcp www www
object network Webserver443
nat (inside,outside) static interface service tcp https https
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 79.142.243.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
.... (sorry, not giving you the cert...)
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2 1
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.5.11-192.168.5.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
address-pools value vpn1
group-policy DfltGrpPolicy attributes
dns-server value 79.142.240.10
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn1
username test password <string> nt-encrypted
username someoneelse password <string> nt-encrypted privilege 15
username someoneelse attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
service-type admin
username someone password <string> nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group vpn1 type remote-access
tunnel-group vpn1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd92aa6707dc63e8ed7dad47cfecdd47
: end
In Pingvino Veritas!I lmost got it working now, new problem is that the connection is immediately ended.
Logs shows that client is authenticated and assigned an ip.
From the logs, all happens during one second:
IPAA: Client assigned ip-address from local pool
IPAA: Local pool request succeeded for tunnel-group
IPAA: Freeing local pool address
L2TP Tunnel created, tunnel_id is 24
L2TP Tunnel deleted, tunnel_id =24
IPSEC: An outbound remote access SA has been deleted
IPSEC: An inbound remote access SA has been deleted
Session is being torn down. Reason: L2TP initiated
Teardown UDP connection -
S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across
Hi,
I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170. I have checked the screenshots proivded by the other end and tried to match with ours. The Tunnel shows but we are not able to Ping resources on the other end. The other side insists that the problem is on our end but I am not sure where the issue resides. Please take a look at our config and let me know if there is anything that I have missed. I am pretty sure I didn't but extra eyes may be of need here.
Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
ASA Version 8.2(2)
terminal width 300
hostname company-asa
domain-name Company.com
no names
name 10.1.0.0 sacramento-network
name 10.3.0.0 irvine-network
name 10.2.0.0 portland-network
name x.x.x.x MailLive
name 192.168.9.0 revit-vpn-remote-subnet
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.128
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.200.200.1 255.255.0.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.22.22.1 255.255.255.0
interface Ethernet0/3
description Internal Wireless
shutdown
nameif Wireless
security-level 100
ip address 10.201.201.1 255.255.255.0
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network local_net_group
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.200.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.5.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 192.168.200.0 255.255.255.0
object-group network NACIO123
network-object 1.1.1.1 255.255.255.224
object-group service MAIL_HTTPS_BORDERWARE tcp
port-object eq smtp
port-object eq https
port-object eq 10101
object-group service SYSLOG_SNMP_NETFLOW udp
port-object eq syslog
port-object eq snmp
port-object eq 2055
object-group service HTTP_HTTPS tcp
port-object eq www
port-object eq https
object-group network OUTSIDECO_SERVERS
network-object host x.x.x.34
network-object host x.x.x.201
network-object host x.x.x.63
object-group network NO-LOG
network-object host 10.200.200.13
network-object host 10.200.200.25
network-object host 10.200.200.32
object-group service iPhoneSync-Services-TCP tcp
port-object eq 993
port-object eq 990
port-object eq 998
port-object eq 5678
port-object eq 5721
port-object eq 26675
object-group service termserv tcp
description terminal services
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DTI tcp
description DCS CONTROL PROTOCOL
port-object eq 3333
object-group service H.245 tcp
description h.245 signaling
port-object range 1024 4999
object-group service RAS udp
port-object eq 1719
port-object range 1718 1720
object-group service XML tcp
port-object range 3336 3341
object-group service mpi tcp
port-object eq 2010
object-group service mvp_control tcp
port-object eq 2946
object-group service rpc tcp-udp
port-object eq 1809
object-group service tcp8080 tcp
port-object eq 8080
object-group service tcp8011 tcp
port-object eq 8011
object-group service rtp_rtcp_udp udp
port-object range 1024 65535
object-group service ecs_xml tcp-udp
port-object eq 3271
object-group service rtp20000 udp
description 10000-65535
port-object range 20000 25000
port-object range 10000 65535
object-group service tcp5222 tcp
port-object range 5222 5269
object-group service tcp7070 tcp
port-object eq 7070
object-group network videoco
network-object host x.x.x.144
network-object host x.x.x.145
object-group service video tcp
port-object range 1718 h323
object-group service XML2 tcp-udp
port-object range 3336 3345
object-group service tcp_tls tcp
port-object eq 5061
object-group service Autodesk tcp
port-object eq 2080
port-object range 27000 27009
access-list outside_policy remark ====== Begin Mail From Postini Network ======
access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Mail From Postini Network ******
access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
access-list outside_policy remark ****** End Inbound Web Mail Access ******
access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
access-list outside_policy remark ====== Begin MARS Monitoring ======
access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
access-list outside_policy remark ****** End MARS Monitoring ******
access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
access-list outside_policy extended permit tcp any host x.x.x.x eq www
access-list outside_policy extended permit tcp any host x.x.x.x eq https
access-list outside_policy extended permit tcp any host x.x.x.x eq h323
access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
access-list outside_policy remark radvision 5110 port 80 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
access-list outside_policy remark radvision
access-list outside_policy extended permit tcp any object-group videoco object-group termserv
access-list outside_policy remark radvision 5110 port21 out
access-list outside_policy extended permit tcp any object-group videoco eq ftp
access-list outside_policy remark rad5110 port22 both
access-list outside_policy extended permit tcp any object-group videoco eq ssh
access-list outside_policy remark rad 5110 port161 udp both
access-list outside_policy extended permit udp any object-group videoco eq snmp
access-list outside_policy remark rad5110 port443 both
access-list outside_policy extended permit tcp any object-group videoco eq https
access-list outside_policy remark rad5110 port 1024-4999 both
access-list outside_policy extended permit tcp any object-group videoco object-group H.245
access-list outside_policy remark rad5110 port 1719 udp both
access-list outside_policy extended permit udp any object-group videoco object-group RAS
access-list outside_policy remark rad5110 port 1720 both
access-list outside_policy extended permit tcp any any eq h323
access-list outside_policy remark RAD 5110 port 3333 tcp both
access-list outside_policy extended permit tcp any object-group videoco object-group DTI
access-list outside_policy remark rad5110 port 3336-3341 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
access-list outside_policy remark port 5060 tcp/udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
access-list outside_policy remark rad 5110port 1809 rpc both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
access-list outside_policy remark rad 5110 port 2010 both
access-list outside_policy extended permit tcp any object-group videoco object-group mpi
access-list outside_policy remark rad 5110 port 2946 both
access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
access-list outside_policy remark 1024-65535
access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
access-list outside_policy extended permit tcp any object-group videoco eq telnet
access-list outside_policy remark port 53 dns
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
access-list outside_policy remark 7070
access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
access-list outside_policy remark 5222-5269 tcp
access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
access-list outside_policy extended permit tcp any object-group videoco object-group video
access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
access-list outside_policy remark ====== Begin Autodesk Activation access ======
access-list outside_policy extended permit tcp any any object-group Autodesk
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
access-list inside_policy remark ****** End Outbound Mail Server Rules ******
access-list inside_policy extended permit ip object-group local_net_group any
access-list inside_policy extended permit icmp object-group local_net_group any
access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
access-list company-split-tunnel remark Video
access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
access-list SSL_SPLIT remark Video
access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list tom extended permit tcp host x.x.x.x any eq smtp
access-list tom extended permit tcp host 10.200.200.222 any eq smtp
access-list tom extended permit tcp any host x.x.x.x
access-list aaron extended permit tcp any any eq 2967
access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
access-list DMZ extended permit icmp any any
access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq ftp
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in remark rad5110 port 162 out
access-list dmz_access_in extended permit udp any any eq snmptrap
access-list dmz_access_in remark port 23 out
access-list dmz_access_in extended permit tcp any any eq telnet
access-list dmz_access_in remark port 53 dns out
access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list dmz_access_in extended permit tcp any any eq h323
access-list dmz_access_in extended permit tcp any any object-group XML
access-list dmz_access_in extended permit udp any any object-group RAS
access-list dmz_access_in extended permit tcp any any range 1718 h323
access-list dmz_access_in extended permit tcp any any object-group H.245
access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
access-list dmz_access_in extended permit ip object-group local_net_group any
access-list dmz_access_in remark port 5061
access-list dmz_access_in extended permit tcp any any object-group tcp_tls
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging trap informational
logging history informational
logging asdm warnings
logging host outside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Wireless 1500
mtu management 1500
ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_SSL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
access-group outside_policy in interface outside
access-group inside_policy in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server COMPANY-NT-AUTH protocol nt
aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
nt-auth-domain-controller DC
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.200.200.0 255.255.255.0 inside
http 10.200.0.0 255.255.0.0 inside
http 10.3.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 5 match address outside_cryptomap
crypto map OUTSIDE_MAP 5 set pfs
crypto map OUTSIDE_MAP 5 set peer x.x.x.53
crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
crypto map OUTSIDE_MAP 10 set peer x.x.x.25
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 10.200.200.220 10.200.200.225
dhcpd wins 10.200.200.220 10.200.200.225
dhcpd lease 18000
dhcpd domain company.com
dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
dhcpd lease 18000 interface Wireless
dhcpd domain company.com interface Wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside prefer
ssl trust-point vpn.company.com outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSL_Client_Policy internal
group-policy SSL_Client_Policy attributes
wins-server value 10.200.200.220
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
webvpn
sso-server none
auto-signon allow uri * auth-type all
group-policy no-split-test internal
group-policy no-split-test attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelall
default-domain value company.com
group-policy DfltGrpPolicy attributes
dns-server value 10.200.200.220
default-domain value company.com
group-policy company internal
group-policy company attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH
default-group-policy SSL_Client_Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias company_SSL_VPN enable
tunnel-group company_group type remote-access
tunnel-group company_group general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH LOCAL
default-group-policy company
tunnel-group company_group ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.53 type ipsec-l2l
tunnel-group x.x.x.53 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect tftp
inspect esmtp
inspect ftp
inspect icmp
inspect ip-options
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect mgcp
inspect h323 h225
inspect h323 ras
inspect sip
service-policy global_policy global
privilege cmd level 5 mode exec command ping
privilege cmd level 6 mode exec command write
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command version
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command memory
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command xlate
privilege show level 5 mode exec command traffic
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command failover
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command route
privilege show level 5 mode exec command blocks
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
: end
COMPANY-asa#Hi Sian,
Yes on their end the PFS is enabled for DH Group 2.
Here is the information that you requested:
company-asa# sh crypto isakmp sa
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: x.x.x.87
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.53
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
3 IKE Peer: x.x.x.25
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
company-asa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
current_peer: x.x.x.53
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 500EC8BF
current inbound spi : 8DAE3436
inbound esp sas:
spi: 0x8DAE3436 (2377004086)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3914946/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x500EC8BF (1343146175)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
current_peer: x.x.x.87, username: ewebb
dynamic allocated peer ip: 172.20.20.8
#pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
#pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2D712C9F
current inbound spi : 0EDB79C8
inbound esp sas:
spi: 0x0EDB79C8 (249264584)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18262
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2D712C9F (762391711)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18261
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510
Hi Friends,
I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
Error in CISCO VPN Client Software:
Secure VPN Connection Terminated locally by the client.
Reason : 414 : Failed to establish a TCP connection.
Error in CISCO ASA 5510
%ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
ASA Configuration:
XYZ# sh run
: Saved
ASA Version 8.4(4)
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb level 3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
logging enable
logging buffered debugging
mtu outside_rim 1500
mtu XYZ_DMZ 1500
mtu outside 1500
mtu inside 1500
ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
object network obj-172.17.10.3
nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28000
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
XYZ#Thanks Javier.
But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
access-list ACL-RA-SPLIT standard permit host 10.10.1.3
access-list ACL-RA-SPLIT standard permit host 10.10.1.13
access-list ACL-RA-SPLIT standard permit host 10.91.130.201
access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key sekretk3y
username ra-user1 password passw0rd1 priv 1
group-policy CO-C2S internal
group-policy CO-C2S attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list vlauel ACL-RA-SPLIT
dns-server value 10.10.1.3
tunnel-group TUN-RA-SPLIT type remote-access
tunnel-group TUN-RA-SPLIT general-attributes
default-group-policy CO-C2S
address-pool CO-C2S-VPOOL
tunnel-group TUN-RA-SPLIT ipsec-attributes
pre-shared-key *********
username ******* password ******** priv 1
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3DES
crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
crypto map vpn interface outside
crypto isakmp identify address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encr 3des
hash sha
group 1
lifetime 3600 -
Internet Connection Became Slow after Introduction of Cisco ASA 5505 to the Network
I configured a Cisco ASA 5505 (Version Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
in transparent firewall mode and inserted after Cisco 1700 router. However, the internet connection became very slow and users are compaining that they cannot load any pages.
My setup looks like:
Internet --> Cisco 1700 --> Cisco ASA 5505 --> LAN
The license information is:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
The flash activation key is the SAME as the running key.
My running-config looks like:
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Vlan1
nameif inside
security-level 100
no shut
interface Vlan2
nameif outside
security-level 0
no shut
interface Ethernet0/0
switchport access vlan 2
no shut
interface Ethernet0/1
no shut
interface Ethernet0/2
no shut
interface Ethernet0/3
no shut
interface Ethernet0/4
no shut
interface Ethernet0/5
no shut
interface Ethernet0/6
no shut
interface Ethernet0/7
no shut
passwd 2KFQnbNIdI.2KYOU encrypted
regex urllist1 ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*\.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.diretube\.com"
regex domainlist3 "\.youtube\.com"
regex domainlist4 "\.vimeo\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_in extended permit ip any any
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domainlist1
match regex domainlist2
match regex domainlist3
match regex domainlist4
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map type regex match-any URLBlockList
match regex urllist1
match regex urllist2
match regex urllist3
match regex urllist4
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
class-map type inspect http match-all BlockURLsClass
match request uri regex class URLBlockList
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class AppHeaderClass
drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:8ab1a53df6ae3c202aee236d6080edfd
: end
Could the slow internet connection be due to license limitations? Or is there something wrong with my configuration?
Please see the configuration and help.
ThanksI have re-configured the ASA 5505 yesterday and so far it's working fine. I am not sure if the problem will re-appear later on. Anyways here is my sh tech-support
ciscoasa# sh tech-support
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 14 hours 16 mins
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001f.9ee8.ffa2, irq 11
1: Ext: Ethernet0/0 : address is 001f.9ee8.ff9a, irq 255
2: Ext: Ethernet0/1 : address is 001f.9ee8.ff9b, irq 255
3: Ext: Ethernet0/2 : address is 001f.9ee8.ff9c, irq 255
4: Ext: Ethernet0/3 : address is 001f.9ee8.ff9d, irq 255
5: Ext: Ethernet0/4 : address is 001f.9ee8.ff9e, irq 255
6: Ext: Ethernet0/5 : address is 001f.9ee8.ff9f, irq 255
<--- More --->
7: Ext: Ethernet0/6 : address is 001f.9ee8.ffa0, irq 255
8: Ext: Ethernet0/7 : address is 001f.9ee8.ffa1, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Serial Number: JMX1211Z2N4
Running Activation Key: 0xaf0ed046 0xbcf18ebf 0x80b38508 0xba785cc0 0x05250493
Configuration register is 0x1
Configuration has not been modified since last system restart.
<--- More --->
------------------ show clock ------------------
18:32:58.254 UTC Tue Nov 26 2013
------------------ show memory ------------------
Free memory: 199837144 bytes (74%)
Used memory: 68598312 bytes (26%)
Total memory: 268435456 bytes (100%)
------------------ show conn count ------------------
1041 in use, 2469 most used
------------------ show xlate count ------------------
0 in use, 0 most used
------------------ show blocks ------------------
SIZE MAX LOW CNT
0 100 68 100
<--- More --->
4 300 299 299
80 100 92 100
256 100 94 100
1550 6174 6166 6174
2048 1124 551 612
------------------ show blocks queue history detail ------------------
History buffer memory usage: 2136 bytes (default)
------------------ show interface ------------------
Interface Internal-Data0/0 "", is up, line protocol is up
Hardware is y88acs06, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 001f.9ee8.ffa2, MTU not set
IP address unassigned
18491855 packets input, 11769262614 bytes, 0 no buffer
Received 213772 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops, 0 demux drops
18185861 packets output, 11626494317 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
<--- More --->
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/55) software (0/0)
Control Point Interface States:
Interface number is unassigned
Interface Internal-Data0/1 "", is administratively down, line protocol is up
Hardware is 88E6095, BW 1000 Mbps
(Full-duplex), (1000 Mbps)
MAC address 0000.0003.0002, MTU not set
IP address unassigned
18184216 packets input, 11625360131 bytes, 0 no buffer
Received 206655 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 switch ingress policy drops
18490057 packets output, 11768078777 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Loopback0 "_internal_loopback", is up, line protocol is up
Hardware is VirtualMAC address 0000.0000.0000, MTU 1500
IP address 127.1.0.1, subnet mask 255.255.0.0
<--- More --->
Traffic Statistics for "_internal_loopback":
1 packets input, 28 bytes
1 packets output, 28 bytes
1 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 28
Interface config status is active
Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa2, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "inside":
7742275 packets input, 903584114 bytes
10645034 packets output, 10347291114 bytes
184883 packets dropped
1 minute input rate 320 pkts/sec, 35404 bytes/sec
1 minute output rate 325 pkts/sec, 313317 bytes/sec
<--- More --->
1 minute drop rate, 17 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
Control Point Interface States:
Interface number is 1
Interface config status is active
Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001f.9ee8.ffa3, MTU 1500
IP address 192.168.1.254, subnet mask 255.255.255.0
Traffic Statistics for "outside":
10750090 packets input, 10432619059 bytes
7541331 packets output, 870613684 bytes
109911 packets dropped
1 minute input rate 328 pkts/sec, 313770 bytes/sec
1 minute output rate 301 pkts/sec, 32459 bytes/sec
1 minute drop rate, 2 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
Control Point Interface States:
Interface number is 2
<--- More --->
Interface config status is active
Interface state is active
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001f.9ee8.ff9a, MTU not set
IP address unassigned
10749794 packets input, 10630700889 bytes, 0 no buffer
Received 2506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3 switch ingress policy drops
7541070 packets output, 1028190148 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
<--- More --->
Available but not configured via nameif
MAC address 001f.9ee8.ff9b, MTU not set
IP address unassigned
7741977 packets input, 1064586806 bytes, 0 no buffer
Received 211282 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
10644663 packets output, 10543362751 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/2 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9c, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
<--- More --->
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/3 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9d, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
<--- More --->
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/4 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9e, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
<--- More --->
Interface number is unassigned
Interface Ethernet0/5 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ff9f, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/6 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
<--- More --->
MAC address 001f.9ee8.ffa0, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
Interface Ethernet0/7 "", is down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001f.9ee8.ffa1, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
<--- More --->
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Control Point Interface States:
Interface number is unassigned
------------------ show cpu usage ------------------
CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 11%
------------------ show cpu hogging process ------------------
Process: Dispatch Unit, NUMHOG: 1, MAXHOG: 133, LASTHOG: 140
LASTHOG At: 04:45:59 UTC Nov 26 2013
PC: 8be0f7
Traceback: 8bed19 8bf553 302b87 3030a5 2fad69 7674bf 75ca16
c6251d c62a4c c62f6c 75c653 767820 797f64 769c85
<--- More --->
------------------ show process ------------------
PC SP STATE Runtime SBASE Stack Process
Mwe 00c9bb24 01bb8700 013e3250 0 01733fc8 15616/16384 emweb/cifs
Lwe 001072ac 0176f9c4 013e32d0 0 0176d9f0 8132/8192 block_diag
Mrd 00223a67 01783d5c 013e33b0 314854 0177be18 25752/32768 Dispatch Unit
Msi 00f82847 01b07b84 013e3250 229 01b05bc0 7984/8192 y88acs06 OneSec Thread
Mwe 0011b1a5 01b09cfc 013e3250 0 01b07d88 7864/8192 Reload Control Thread
Mwe 00120606 01b1260c 013e5258 0 01b10988 7256/8192 aaa
Mwe 001486aa 01b19404 013e5ae8 0 01b15450 16020/16384 CMGR Server Process
Mwe 0014c3c5 01b1b4d4 013e3250 0 01b19570 7968/8192 CMGR Timer Process
Lwe 002227a1 01b239b4 013ee360 0 01b219f0 7524/8192 dbgtrace
Mwe 004e1ba5 01b29c34 013e3250 157 01b27d50 6436/8192 eswilp_svi_init
Mwe 01064b1d 01b4a7f4 013e3250 0 01b48890 7848/8192 Chunk Manager
Msi 008b61b6 01b52d54 013e3250 230 01b50da0 7856/8192 PIX Garbage Collector
Lsi 00ecb6ac 01b54e94 013e3250 12 01b52ec0 7552/8192 route_process
Mwe 008a5ddc 01b5dc04 0133b430 0 01b5bc40 8116/8192 IP Address Assign
Mwe 00acb779 01b60604 01346e10 0 01b5e640 8116/8192 QoS Support Module
Mwe 0091eba9 01b6275c 0133c530 0 01b60798 8116/8192 Client Update Task
Lwe 01083c8e 01b656d4 013e3250 123088 01b63770 7840/8192 Checkheaps
Mwe 00acfd7d 01b6b824 013e3250 623 01b69ad0 3476/8192 Quack process
Mwe 00b2a260 01b6dad4 013e3250 22 01b6bbf0 7364/8192 Session Manager
Mwe 00c55efd 01b78564 031d0478 4 01b74a50 14768/16384 uauth
<--- More --->
Mwe 00be3c9e 01b7aaec 0135c010 0 01b78b28 7524/8192 Uauth_Proxy
Mwe 00c52759 01b80e0c 01361770 0 01b7ee88 7712/8192 SMTP
Mwe 00c3f7b9 01b82eec 01361710 0 01b80fa8 7412/8192 Logger
Mwe 00c3fd26 01b8502c 013e3250 0 01b830c8 7492/8192 Thread Logger
Mwe 00f62272 01b9596c 013ac520 0 01b939c8 7188/8192 vpnlb_thread
Msi 00b4097c 01c598c4 013e3250 190 01c578f0 8000/8192 emweb/cifs_timer
Msi 005bd338 017a909c 013e3250 25855 017a7108 7412/8192 arp_timer
Mwe 005c76bc 01b486e4 013fba50 20643 01b46770 7348/8192 arp_forward_thread
Mwe 00c5a919 023fa5fc 013619e0 0 023f8648 7968/8192 tcp_fast
Mwe 00c5a6e5 023fc624 013619e0 0 023fa670 7968/8192 tcp_slow
Mwe 00c754d1 0240d42c 013628a0 0 0240b478 8100/8192 udp_timer
Mwe 0019cb17 01b404a4 013e3250 0 01b3e530 7984/8192 CTCP Timer process
Mwe 00efe8b3 0308c15c 013e3250 0 0308a208 7952/8192 L2TP data daemon
Mwe 00efef23 0308e194 013e3250 0 0308c230 7968/8192 L2TP mgmt daemon
Mwe 00eea02b 030c62ac 013a5c10 43 030c2338 16244/16384 ppp_timer_thread
Msi 00f62d57 030c82f4 013e3250 264 030c6360 7924/8192 vpnlb_timer_thread
Mwe 001b96e6 01b7cbbc 01b1e9c8 1 01b7ac48 7728/8192 IPsec message handler
Msi 001c9bac 01b8d4dc 013e3250 2917 01b8b548 7648/8192 CTM message handler
Mwe 00af93b8 031465b4 013e3250 0 03144640 7984/8192 ICMP event handler
Mwe 00831003 0314a724 013e3250 387 031467b0 16100/16384 IP Background
Mwe 0021b267 031a83c4 013123c0 31 03188450 123488/131072 tmatch compile thread
Mwe 009f2405 03290044 013e3250 0 0328c0c0 16072/16384 Crypto PKI RECV
Mwe 009f305a 03294144 013e3250 0 032901e0 16040/16384 Crypto CA
Mwe 0064d4fd 01b3e24c 013e3250 8 01b3c2f8 7508/8192 ESW_MRVL switch interrupt service
<--- More --->
Msi 00646f5c 032c134c 013e3250 3059378 032bf448 7184/8192 esw_stats
Lsi 008cbb80 032dc704 013e3250 3 032da730 7908/8192 uauth_urlb clean
Lwe 008afee7 034a0914 013e3250 197 0349e9b0 6636/8192 pm_timer_thread
Mwe 0052f0bf 034a35ac 013e3250 0 034a1648 7968/8192 IKE Timekeeper
Mwe 00520f6b 034a8adc 0132e2b0 0 034a4e38 15448/16384 IKE Daemon
Mwe 00bf5c78 034ac7ac 01360680 0 034aa7f8 8100/8192 RADIUS Proxy Event Daemon
Mwe 00bc32de 034ae79c 034dcbe0 0 034ac918 7208/8192 RADIUS Proxy Listener
Mwe 00bf5e0f 034b099c 013e3250 0 034aea38 7968/8192 RADIUS Proxy Time Keeper
Mwe 005aac4c 034b3154 013fb980 0 034b1250 7492/8192 Integrity FW Task
M* 008550a5 0009fefc 013e33b0 3183 034e3b20 24896/32768 ci/console
Msi 008eb694 034ed9d4 013e3250 2370 034ebc40 6176/8192 update_cpu_usage
Msi 008e6415 034f7dac 013e3250 1096 034f5eb8 6124/8192 NIC status poll
Mwe 005b63e6 03517d1c 013fbd10 1963 03515d78 7636/8192 IP Thread
Mwe 005becbe 03519e4c 013fbcb0 3 03517e98 7384/8192 ARP Thread
Mwe 004c2b36 0351befc 013fbae0 0 03519fe8 7864/8192 icmp_thread
Mwe 00c7722e 0351e06c 013e3250 0 0351c108 7848/8192 udp_thread
Mwe 00c5d126 0352008c 013fbd00 0 0351e228 7688/8192 tcp_thread
Mwe 00bc32de 03a6982c 03a5ee18 0 03a679b8 7512/8192 EAPoUDP-sock
Mwe 00266c15 03a6b614 013e3250 0 03a699e0 7032/8192 EAPoUDP
Mwe 005a6728 01b27b94 013e3250 0 01b25c30 7968/8192 Integrity Fw Timer Thread
- - - - 47686621 - - scheduler
- - - - 51253819 - - total elapsed
------------------ show failover ------------------
<--- More --->
ERROR: Command requires failover license
------------------ show traffic ------------------
inside:
received (in 51429.740 secs):
7749585 packets905087345 bytes
67 pkts/sec17013 bytes/sec
transmitted (in 51429.740 secs):
10653162 packets10355908020 bytes
40 pkts/sec201026 bytes/sec
1 minute input rate 412 pkts/sec, 51803 bytes/sec
1 minute output rate 475 pkts/sec, 522952 bytes/sec
1 minute drop rate, 24 pkts/sec
5 minute input rate 399 pkts/sec, 59676 bytes/sec
5 minute output rate 483 pkts/sec, 503200 bytes/sec
5 minute drop rate, 9 pkts/sec
outside:
received (in 51430.240 secs):
10758403 packets10441440193 bytes
42 pkts/sec203021 bytes/sec
transmitted (in 51430.240 secs):
7548339 packets872053854 bytes
<--- More --->
63 pkts/sec16037 bytes/sec
1 minute input rate 479 pkts/sec, 523680 bytes/sec
1 minute output rate 387 pkts/sec, 46796 bytes/sec
1 minute drop rate, 3 pkts/sec
5 minute input rate 485 pkts/sec, 503789 bytes/sec
5 minute output rate 387 pkts/sec, 57681 bytes/sec
5 minute drop rate, 2 pkts/sec
_internal_loopback:
received (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51430.740 secs):
1 packets28 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Aggregated Traffic on Physical Interface
<--- More --->
Ethernet0/0:
received (in 51431.740 secs):
10758462 packets10640075825 bytes
42 pkts/sec206042 bytes/sec
transmitted (in 51431.740 secs):
7548383 packets1029818127 bytes
63 pkts/sec20023 bytes/sec
1 minute input rate 485 pkts/sec, 537048 bytes/sec
1 minute output rate 395 pkts/sec, 54546 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 485 pkts/sec, 511723 bytes/sec
5 minute output rate 387 pkts/sec, 65495 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/1:
received (in 51433.570 secs):
7749780 packets1066328930 bytes
67 pkts/sec20064 bytes/sec
transmitted (in 51433.570 secs):
10653359 packets10552787020 bytes
40 pkts/sec205006 bytes/sec
1 minute input rate 419 pkts/sec, 59621 bytes/sec
1 minute output rate 480 pkts/sec, 533950 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 399 pkts/sec, 67618 bytes/sec
<--- More --->
5 minute output rate 482 pkts/sec, 511073 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/2:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/3:
received (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.730 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
<--- More --->
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/4:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/5:
received (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51434.870 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
<--- More --->
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/6:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Ethernet0/7:
received (in 51435.010 secs):
0 packets0 bytes
0 pkts/sec0 bytes/sec
transmitted (in 51435.010 secs):
<--- More --->
0 packets0 bytes
0 pkts/sec0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
received (in 51435.510 secs):
18513901 packets11784250044 bytes
25 pkts/sec229023 bytes/sec
transmitted (in 51435.510 secs):
18207269 packets11641332179 bytes
19 pkts/sec226078 bytes/sec
1 minute input rate 891 pkts/sec, 595715 bytes/sec
1 minute output rate 863 pkts/sec, 588935 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 885 pkts/sec, 584035 bytes/sec
5 minute output rate 870 pkts/sec, 580393 bytes/sec
5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
received (in 51436.010 secs):
18207323 packets11641364184 bytes
<--- More --->
19 pkts/sec226076 bytes/sec
transmitted (in 51436.010 secs):
18513954 packets11784281987 bytes
25 pkts/sec229022 bytes/sec
1 minute input rate 855 pkts/sec, 575808 bytes/sec
1 minute output rate 884 pkts/sec, 582339 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 869 pkts/sec, 578350 bytes/sec
5 minute output rate 883 pkts/sec, 581924 bytes/sec
5 minute drop rate, 0 pkts/sec
------------------ show perfmon ------------------
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 17/s 6/s
TCP Conns 8/s 2/s
UDP Conns 7/s 2/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 0/s 0/s
HTTP Fixup 0/s 0/s
<--- More --->
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
------------------ show counters ------------------
Protocol Counter Value Context
IP IN_PKTS 168960 Summary
IP OUT_PKTS 169304 Summary
IP TO_ARP 61 Summary
------------------ show history ------------------
------------------ show firewall ------------------
Firewall mode: Transparent
------------------ show running-config ------------------
<--- More --->
: Saved
ASA Version 7.2(3)
firewall transparent
hostname ciscoasa
enable password
names
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
<--- More --->
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd
regex domain1 ".facebook\.com"
regex domain2 ".fb\.com"
regex domain3 ".youtube\.com"
ftp mode passive
access-list ACL_IN extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.1.254 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
<--- More --->
arp timeout 14400
access-group ACL_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map type regex match-any DomainBlockList
match regex domain1
match regex domain2
match regex domain3
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
<--- More --->
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb5115ea1d14ee42e7961ef0c9aaed86
: end
<--- More --->
------------------ show startup-config errors ------------------
INFO: No configuration errors
------------------ console logs ------------------
Message #1 : Message #2 : Message #3 : Message #4 : Message #5 : Message #6 : Message #7 : Message #8 : Message #9 : Message #10 : Message #11 : Message #12 : Message #13 : Message #14 :
Total SSMs found: 0
Message #15 :
Total NICs found: 10
Message #16 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #17 : MAC: 0000.0003.0002
Message #18 : 88E6095 rev 2 Ethernet @ index 08Message #19 : MAC: 001f.9ee8.ffa1
Message #20 : 88E6095 rev 2 Ethernet @ index 07Message #21 : MAC: 001f.9ee8.ffa0
Message #22 : 88E6095 rev 2 Ethernet @ index 06Message #23 : MAC: 001f.9ee8.ff9f
Message #24 : 88E6095 rev 2 Ethernet @ index 05Message #25 : MAC: 001f.9ee8.ff9e
Message #26 : 88E6095 rev 2 Ethernet @ index 04Message #27 : MAC: 001f.9ee8.ff9d
Message #28 : 88E6095 rev 2 Ethernet @ index 03Message #29 : MAC: 001f.9ee8.ff9c
Message #30 : 88E6095 rev 2 Ethernet @ index 02Message #31 : MAC: 001f.9ee8.ff9b
Message #32 : 88E6095 rev 2 Ethernet @ index 01Message #33 : MAC: 001f.9ee8.ff9a
Message #34 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.9ee8.ffa2
Message #35 :
Licensed features for this platform:
Message #36 : Maximum Physical Interfaces : 8
<--- More --->
Message #37 : VLANs : 3, DMZ Restricted
Message #38 : Inside Hosts : Unlimited
Message #39 : Failover : Disabled
Message #40 : VPN-DES : Enabled
Message #41 : VPN-3DES-AES : Enabled
Message #42 : VPN Peers : 10
Message #43 : WebVPN Peers : 2
Message #44 : Dual ISPs : Disabled
Message #45 : VLAN Trunk Ports : 0
Message #46 :
This platform has a Base license.
Message #47 :
Message #48 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #49 : Boot microcode : CNlite-MC-Boot-Cisco-1.2
Message #50 : SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
Message #51 : IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Message #52 : --------------------------------------------------------------------------
Message #53 : . .
Message #54 : | |
Message #55 : ||| |||
Message #56 : .|| ||. .|| ||.
Message #57 : .:||| | |||:..:||| | |||:.
Message #58 : C i s c o S y s t e m s
Message #59 : --------------------------------------------------------------------------
<--- More --->
Message #60 :
Cisco Adaptive Security Appliance Software Version 7.2(3)
Message #61 :
Message #62 : ****************************** Warning *******************************
Message #63 : This product contains cryptographic features and is
Message #64 : subject to United States and local country laws
Message #65 : governing, import, export, transfer, and use.
Message #66 : Delivery of Cisco cryptographic products does not
Message #67 : imply third-party authority to import, export,
Message #68 : distribute, or use encryption. Importers, exporters,
Message #69 : distributors and users are responsible for compliance
Message #70 : with U.S. and local country laws. By using this
Message #71 : product you agree to comply with applicable laws and
Message #72 : regulations. If you are unable to comply with U.S.
Message #73 : and local laws, return the enclosed items immediately.
Message #74 :
Message #75 : A summary of U.S. laws governing Cisco cryptographic
Message #76 : products may be found at:
Message #77 : http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Message #78 :
Message #79 : If you require further assistance please contact us by
Message #80 : sending email to [email protected].
Message #81 : ******************************* Warning *******************************
Message #82 :
<--- More --->
Message #83 : Copyright (c) 1996-2007 by Cisco Systems, Inc.
Message #84 : Restricted Rights Legend
Message #85 : Use, duplication, or disclosure by the Government is
Message #86 : subject to restrictions as set forth in subparagraph
Message #87 : (c) of the Commercial Computer Software - Restricted
Message #88 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #89 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #90 : Software clause at DFARS sec. 252.227-7013.
Message #91 : Cisco Systems, Inc.
Message #92 : 170 West Tasman Drive
Message #93 : San Jose, California 95134-1706
ciscoasa# -
Cisco ASA 5505 site to site Multiple subnet.
Hi. I need some help configuring my cisco asa 5505.
I've set up a VPN tunnel between two ASA 5505
Site 1:
Subnet 192.168.77.0
Site 2:
Have multiple vlans and now the tunnel goes to vlan400 - 192.168.1.0
What I need help with:
From site 1 i need to be able to reach another vlan on site 2. vlan480 - 192.168.20.0
And from site 1 I need to reach 192.168.77.0 subnet from vlan480 - 192.168.20.0
Vlan480 is used for phones. In vlan480 we have a PABX central.
Is this possible to do?
Any help would be greatfully appreciated!
Config site 2:
: Saved
ASA Version 7.2(2)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
names
name 192.168.1.250 DomeneServer
name 192.168.1.10 NotesServer
name 192.168.1.90 OvServer
name 192.168.1.97 TerminalServer
name 192.168.1.98 w8-eyeshare
name 192.168.50.10 w8-print
name 192.168.1.94 w8-app
name 192.168.1.89 FonnaFlyMedia
interface Vlan1
nameif Vlan1
security-level 100
ip address 192.168.200.100 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 79.x.x.226 255.255.255.224
ospf cost 10
interface Vlan400
nameif vlan400
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan450
nameif Vlan450
security-level 100
ip address 192.168.210.1 255.255.255.0
ospf cost 10
interface Vlan460
nameif Vlan460-SuldalHotell
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
interface Vlan461
nameif Vlan461-SuldalHotellGjest
security-level 100
ip address 192.168.3.1 255.255.255.0
ospf cost 10
interface Vlan462
nameif Vlan462-Suldalsposten
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
interface Vlan470
nameif vlan470-Kyrkjekontoret
security-level 100
ip address 192.168.202.1 255.255.255.0
ospf cost 10
interface Vlan480
nameif vlan480-Telefoni
security-level 100
ip address 192.168.20.1 255.255.255.0
ospf cost 10
interface Vlan490
nameif Vlan490-QNapBackup
security-level 100
ip address 192.168.10.1 255.255.255.0
ospf cost 10
interface Vlan500
nameif Vlan500-HellandBadlands
security-level 100
ip address 192.168.30.1 255.255.255.0
ospf cost 10
interface Vlan510
nameif Vlan510-IsTak
security-level 100
ip address 192.168.40.1 255.255.255.0
ospf cost 10
interface Vlan600
nameif Vlan600-SafeQ
security-level 100
ip address 192.168.50.1 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 500
switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
switchport mode trunk
interface Ethernet0/3
switchport access vlan 490
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd x encrypted
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Lotus_Notes_Utgaaande tcp
description Frim Notes og ut til alle
port-object eq domain
port-object eq ftp
port-object eq www
port-object eq https
port-object eq lotusnotes
port-object eq pop3
port-object eq pptp
port-object eq smtp
object-group service Lotus_Notes_inn tcp
description From alle og inn til Notes
port-object eq www
port-object eq lotusnotes
port-object eq pop3
port-object eq smtp
object-group service Reisebyraa tcp-udp
port-object range 3702 3702
port-object range 5500 5500
port-object range 9876 9876
object-group service Remote_Desktop tcp-udp
description Tilgang til Remote Desktop
port-object range 3389 3389
object-group service Sand_Servicenter_50000 tcp-udp
description Program tilgang til Sand Servicenter AS
port-object range 50000 50000
object-group service VNC_Remote_Admin tcp
description Frå oss til alle
port-object range 5900 5900
object-group service Printer_Accept tcp-udp
port-object range 9100 9100
port-object eq echo
object-group icmp-type Echo_Ping
icmp-object echo
icmp-object echo-reply
object-group service Print tcp
port-object range 9100 9100
object-group service FTP_NADA tcp
description Suldalsposten NADA tilgang
port-object eq ftp
port-object eq ftp-data
object-group service Telefonsentral tcp
description Hoftun
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq telnet
object-group service Printer_inn_800 tcp
description Fra 800 nettet og inn til 400 port 7777
port-object range 7777 7777
object-group service Suldalsposten tcp
description Sending av mail vha Mac Mail programmet - åpner smtp
port-object eq pop3
port-object eq smtp
object-group service http2 tcp
port-object range 81 81
object-group service DMZ_FTP_PASSIVE tcp-udp
port-object range 55536 56559
object-group service DMZ_FTP tcp-udp
port-object range 20 21
object-group service DMZ_HTTPS tcp-udp
port-object range 443 443
object-group service DMZ_HTTP tcp-udp
port-object range 8080 8080
object-group service DNS_Query tcp
port-object range domain domain
object-group service DUETT_SQL_PORT tcp-udp
description For kobling mellom andre nett og duett server
port-object range 54659 54659
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list vlan400_access_in extended deny ip any host 149.20.56.34
access-list vlan400_access_in extended deny ip any host 149.20.56.32
access-list vlan400_access_in extended permit ip any any
access-list Vlan450_access_in extended deny ip any host 149.20.56.34
access-list Vlan450_access_in extended deny ip any host 149.20.56.32
access-list Vlan450_access_in extended permit ip any any
access-list Vlan460_access_in extended deny ip any host 149.20.56.34
access-list Vlan460_access_in extended deny ip any host 149.20.56.32
access-list Vlan460_access_in extended permit ip any any
access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
access-list Vlan500_access_in extended deny ip any host 149.20.56.34
access-list Vlan500_access_in extended deny ip any host 149.20.56.32
access-list Vlan500_access_in extended permit ip any any
access-list vlan470_access_in extended deny ip any host 149.20.56.34
access-list vlan470_access_in extended deny ip any host 149.20.56.32
access-list vlan470_access_in extended permit ip any any
access-list Vlan490_access_in extended deny ip any host 149.20.56.34
access-list Vlan490_access_in extended deny ip any host 149.20.56.32
access-list Vlan490_access_in extended permit ip any any
access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan1_access_out extended permit ip any any
access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan1_access_out extended deny ip any any
access-list Vlan1_access_out extended permit icmp any any echo-reply
access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan480_access_out extended permit ip any any
access-list Vlan510_access_in extended permit ip any any
access-list Vlan600_access_in extended permit ip any any
access-list Vlan600_access_out extended permit icmp any any
access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
access-list Vlan600_access_in_1 extended permit ip any any
access-list Vlan461_access_in extended permit ip any any
access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list Vlan462-Suldalsposten_access_in extended permit ip any any
access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Vlan1 1500
mtu outside 1500
mtu vlan400 1500
mtu Vlan450 1500
mtu Vlan460-SuldalHotell 1500
mtu Vlan461-SuldalHotellGjest 1500
mtu vlan470-Kyrkjekontoret 1500
mtu vlan480-Telefoni 1500
mtu Vlan490-QNapBackup 1500
mtu Vlan500-HellandBadlands 1500
mtu Vlan510-IsTak 1500
mtu Vlan600-SafeQ 1500
mtu Vlan462-Suldalsposten 1500
no failover
monitor-interface Vlan1
monitor-interface outside
monitor-interface vlan400
monitor-interface Vlan450
monitor-interface Vlan460-SuldalHotell
monitor-interface Vlan461-SuldalHotellGjest
monitor-interface vlan470-Kyrkjekontoret
monitor-interface vlan480-Telefoni
monitor-interface Vlan490-QNapBackup
monitor-interface Vlan500-HellandBadlands
monitor-interface Vlan510-IsTak
monitor-interface Vlan600-SafeQ
monitor-interface Vlan462-Suldalsposten
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan400) 0 access-list vlan400_nat0_outbound
nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
access-group Vlan1_access_out out interface Vlan1
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan400_access_in in interface vlan400
access-group vlan400_access_out out interface vlan400
access-group Vlan450_access_in in interface Vlan450
access-group Vlan450_access_out out interface Vlan450
access-group Vlan460_access_in in interface Vlan460-SuldalHotell
access-group Vlan460_access_out out interface Vlan460-SuldalHotell
access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
access-group vlan480_access_out out interface vlan480-Telefoni
access-group Vlan490_access_in in interface Vlan490-QNapBackup
access-group Vlan490_access_out out interface Vlan490-QNapBackup
access-group Vlan500_access_in in interface Vlan500-HellandBadlands
access-group Vlan500_access_out out interface Vlan500-HellandBadlands
access-group Vlan510_access_in in interface Vlan510-IsTak
access-group Vlan510_access_out out interface Vlan510-IsTak
access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
access-group Vlan600_access_out out interface Vlan600-SafeQ
access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username x password x encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.210.0 255.255.255.0 Vlan450
http 192.168.200.0 255.255.255.0 Vlan1
http 192.168.1.0 255.255.255.0 vlan400
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.92.159.137
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable vlan400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 62.92.159.137 type ipsec-l2l
tunnel-group 62.92.159.137 ipsec-attributes
pre-shared-key *
telnet 192.168.200.0 255.255.255.0 Vlan1
telnet 192.168.1.0 255.255.255.0 vlan400
telnet timeout 5
ssh 171.68.225.216 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd update dns both
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
dhcpd address 192.168.1.100-192.168.1.225 vlan400
dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
dhcpd option 3 ip 192.168.1.1 interface vlan400
dhcpd enable vlan400
dhcpd address 192.168.210.100-192.168.210.200 Vlan450
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
dhcpd option 3 ip 192.168.210.1 interface Vlan450
dhcpd enable Vlan450
dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
dhcpd enable Vlan460-SuldalHotell
dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
dhcpd enable Vlan461-SuldalHotellGjest
dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
dhcpd enable vlan470-Kyrkjekontoret
dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
dhcpd enable Vlan500-HellandBadlands
dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
dhcpd enable Vlan510-IsTak
dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
dhcpd enable Vlan600-SafeQ
dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
dhcpd enable Vlan462-Suldalsposten
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:x
: end
Config site 1:
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password x encrypted
passwd x encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.77.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Telenor
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 15
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any echo-reply log disable
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.77.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 79.160.252.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.77.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telenor request dialout pppoe
vpdn group Telenor localname x
vpdn group Telenor ppp authentication chap
vpdn username x password x store-local
dhcpd auto_config outside
dhcpd address 192.168.77.100-192.168.77.130 inside
dhcpd dns 192.168.77.1 interface inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside
dhcpd enable inside
dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface outside
tunnel-group 79.160.252.226 type ipsec-l2l
tunnel-group 79.160.252.226 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:x
: endHi,
The addition of a new network to the existing L2L VPN should be a pretty simple process.
Essentially you will have to add the network to the Crypto ACL present in the "crypto map" configurations. You will also have to configure the NAT0 configuration for it in the proper interfaces of the ASA. These configurations are all done on both ends of the L2L VPN connection.
Looking at your above configurations it would seem that you will need the following configurations
SITE 1
We add the new network to both the crypto ACL and the NAT0 ACL
access-list outside_1_cryptomap extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.77.0 255.255.255.0 192.168.20.0 255.255.255.0
SITE 2
We add the new network to the crypto ACL
We create a new NAT0 configuration for the Vlan480 interface as it has no previous NAT0 configuration
access-list outside_20_cryptomap_1 extended permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list VLAN480-NAT0 remark NAT0 for VPN
access-list VLAN480-NAT0 permit ip 192.168.20.0 255.255.255.0 192.168.77.0 255.255.255.0
nat (vlan480-Telefoni) 0 access-list VLAN480-NAT0
These configurations should pretty much do the trick.
Let me know if it worked
- Jouni -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg -
Cisco ASA 5505 Site to Site VPN
Hello All,
First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
I would appreciate any help that can be directed towards this issue please. Slowly losing my mind
Please see details below:
Both ADM are 7.1
IOS
ASA 1
aved
ASA Version 9.0(1)
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address 92.51.193.158 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network CIX_Subnet
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_84.39.233.50
host 84.39.233.50
object network NETWORK_OBJ_92.51.193.158
host 92.51.193.158
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address
[email protected]
logging recipient-address
[email protected]
level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
ASA 2
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address 84.39.233.50 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network Eiresoft
host 146.66.160.70
description DBA Contractor
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_3
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_7
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in remark Access for Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 92.51.193.156 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHi,
Thanks for the help to date
I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
See below the details:
ASA1:
hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.252
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
description Wireless network
object network Servers
subnet 192.168.20.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
service-object object SQL_Server
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.XX.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map servers_map interface servers
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable servers
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.1
dhcpd auto_config outside
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username niamh password MlFlIlEiy8vismE0 encrypted
username niamh attributes
service-type admin
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password yQeVtvLLKqapoUje encrypted privilege 0
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
inspect icmp
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83fa7ce1d93375645205f6e79b526381
ASA2:
ASA Version 9.0(1)
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 100
interface Ethernet0/4
switchport access vlan 100
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport access vlan 100
interface Ethernet0/7
switchport access vlan 100
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock timezone GMT 0
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.10.0 255.255.255.0
object network TargetMC
host 83.71.194.145
description This is Target Location that will be accessing the Webserver
object network Rackspace_OLTP
host 162.13.34.56
description This is the IP address of production OLTP
object service DB
service tcp destination eq 5022
object network Topaz_Target_VM
host 82.198.151.168
description This is Topaz IP that will be accessing Targets VM
object service DB_2
service tcp destination eq 5023
object network EireSoft_NEW_IP
host 146.66.161.3
description Eiresoft latest IP form ISP DHCP
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object icmp echo
service-object icmp echo-reply
service-object object DB
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_12
service-object object MSQL
service-object icmp echo
service-object icmp echo-reply
service-object object DB
service-object object DB_2
object-group service DM_INLINE_SERVICE_13
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_14
service-object object MSQL
service-object object RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_access_in remark Access rules from Traget to CIX for testing
access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
access-list outside_access_in remark Topaz access to Target VM
access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source dynamic LAN interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.X 255.255.255.240 outside
ssh X.X.X.X 255.255.255.252 outside
ssh 192.168.40.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769 -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there is multiple child sa setup for the same subnet?
Thanks
JonathanHi there,
I had same issue with PIX 506E and it was not even a circuit issue and I got ride of it and problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
Cisco asa 5505 issues ( ROUTING AND PAT)
I have some issues with my cisco asa 5505 config. Please see details below:
NETWORK SETUP:
gateway( 192.168.223.191) - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 ) -
ISSUES:
1)
no route from DMZ to outside
example:
ping from 172.16.3201 to the gateway
6 Jan 27 2014 11:15:33 172.16.3.201 39728 Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
2)
not working access from external to DMZ AT ALL
ASA DETAILS:
cisco asa5505
Device license Base
Maximum Physical Interfaces 8 perpetual
VLANs 3 DMZ Restricted
Inside Hosts Unlimited perpetual
configuration:
firewall200(config)# show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXX encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network office1-int
host 172.16.2.1
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object web2-ext eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.2.10-172.16.2.10 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
: endThank you one more time for everthing. It is workingin indeed
Reason why maybe sometimes I had some 'weird' results was because I had all devices connected to the same switch.Separtated all networks to a different switches helped.Anyway if you could take a look one last time to my configuration and let me know if it's good enough to deploy it on live ( only www for all , ssh restricted from outside, lan to dmz) .Thanks one more time.
show run
: Saved
ASA Version 9.1(3)
hostname firewall200
domain-name test1.com
enable password xxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 100
interface Ethernet0/1
switchport access vlan 200
interface Ethernet0/2
switchport access vlan 200
interface Ethernet0/3
switchport access vlan 200
interface Ethernet0/4
switchport access vlan 300
interface Ethernet0/5
switchport access vlan 300
interface Ethernet0/6
switchport access vlan 300
interface Ethernet0/7
switchport access vlan 300
interface Vlan100
nameif outside
security-level 0
ip address 192.168.223.200 255.255.255.0
interface Vlan200
mac-address 001b.539c.597e
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
interface Vlan300
no forward interface Vlan200
nameif DMZ
security-level 50
ip address 172.16.3.253 255.255.255.0
boot system disk0:/asa913-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name test1.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network firewall-dmz-gateway
host 172.16.3.253
object network firewall-internal-gateway
host 172.16.2.253
object network com1
host 192.168.223.227
object network web2-ext
host 192.168.223.201
object network web2-int
host 172.16.3.201
object network gateway
host 192.168.223.191
object network office1-int
host 172.16.2.1
object-group network DMZ_SUBNET
network-object 172.16.3.0 255.255.255.0
object-group service www tcp
port-object eq www
port-object eq https
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
access-list outside_access_in extended permit tcp any object web2-int eq www
access-list outside_access_in extended permit tcp any object web2-int eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-714.bin
no asdm history enable
arp DMZ 172.16.4.199 001b.539c.597e alias
arp DMZ 172.16.3.199 001b.539c.597e alias
arp timeout 14400
no arp permit-nonconnected
object network web2-int
nat (DMZ,outside) static web2-ext net-to-net
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.223.227 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 outside
http 172.163.2.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.223.227 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 outside
ssh 172.16.3.253 255.255.255.255 outside
ssh 172.163.2.5 255.255.255.255 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 176.58.109.199 source outside prefer
ntp server 81.150.197.169 source outside
ntp server 82.113.154.206
username xxxxx password xxxxxxxxx encrypted
class-map DMZ-class
match any
policy-map global_policy
policy-map DMZ-policy
class DMZ-class
inspect icmp
service-policy DMZ-policy interface DMZ
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
: end -
Cisco ASA 5505 doesn't forware incoming connection to LAN
Hello everybody.
I just got a Cisco asa 5505 with the next OS and ASDM info
ASA 5505 OS 8.4(3) ASDM 6.47
I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.
Problem 1
I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.
Problem 2.
I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
Facts:
SMTP.
Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.
PORT 6001 (outside)
this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.
Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.
I will appreciate any help.
Thanks a lot..
CONFIGURATION.
: Saved
ASA Version 8.4(3)
hostname saturn1
domain-name mydominio.com
enable password SOMEPASS encrypted
passwd SOMEPASS encrypted
names
name 192.168.250.11 CAPITOLA-LAN
name 192.168.250.15 OBIi110-LAN
name 192.168.250.21 DRP1260-LAN
name 192.168.250.22 HPOJ8500-LAN
name 192.168.250.30 AP-W77-NG-LAN
name 192.168.250.97 AJ-DTOP-PC-LAN
name 192.168.250.96 SWEETHEART-PC-LAN
name 192.168.250.94 KIDS-PC-LAN
name XX.YY.ZZ.250 EXTERNALIP
name XX.YY.ZZ.251 EXTERNALIP2
name XX.YY.ZZ.1 GTWAY
dns-guard
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address EXTERNALIP 255.255.255.0
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name mydominio.com
object network CAPITOLA-LAN
host 192.168.250.11
object network EXTERNALIP
host XX.YY.ZZ.250
description Created during name migration
object network CAPITOLA-PUBLIC
host XX.YY.ZZ.251
object network capitola-int
host 192.168.250.11
object network capitola-int-vnc
host 192.168.250.11
object network aj-dtop-int-vnc
host 192.168.250.97
object network sweetheart-int-vnc
host 192.168.250.96
object network kids-int-vnc
host 192.168.250.94
object network VPNNetwork
subnet 10.10.20.0 255.255.255.0
object network InsideNetwork
subnet 192.168.250.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network capitola-int-smtp
host 192.168.250.11
object-group service capitola-int-smtp-service tcp
port-object eq smtp
object-group service capitola-int-services tcp
port-object eq smtp
port-object eq https
port-object eq www
port-object eq 444
object-group service capitola-int-vnc-service tcp
port-object eq 6001
object-group service aj-dtop-int-vnc-service tcp
port-object eq 6002
object-group service sweetheart-int-vnc-service tcp
port-object eq 6003
object-group service kids-int-vnc-service tcp
port-object eq 6004
access-list incoming extended permit icmp any any
access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object VPNNetwork
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
object network capitola-int
nat (any,any) static XX.YY.ZZ.251
object network capitola-int-vnc
nat (inside,outside) static interface service tcp 5900 6001
object network aj-dtop-int-vnc
nat (inside,outside) static interface service tcp 5900 6002
object network sweetheart-int-vnc
nat (inside,outside) static interface service tcp 5900 6003
object network kids-int-vnc
nat (inside,outside) static interface service tcp 5900 6004
object network obj_any
nat (inside,outside) dynamic interface
object network capitola-int-smtp
nat (any,outside) static interface service tcp smtp smtp
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 GTWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 2
http server session-timeout 1
http 192.168.1.0 255.255.255.0 inside
http CAPITOLA-LAN 255.255.255.255 inside
http AJ-DTOP-PC-LAN 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh CAPITOLA-LAN 255.255.255.255 inside
ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
ssh timeout 15
console timeout 0
vpn-addr-assign local reuse-delay 2
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password SOMEPASS encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
: end
asdm image disk0:/asdm-647.bin
no asdm history enableJose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
Cisco asa- vpn established but cant ping
I am using 2 cisco asa 5505 routers, i have established vpn between them but i cant ping client internal or outside interface, client can ping my outside interface. Only configuration on client is basic easy vpn settings and interfaces, here is server part configuration on my side:
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 10.1.2.0 255.255.255.0
object network outside
subnet 10.1.3.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list 101 extended permit object-group DM_INLINE_PROTOCOL_1 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit object-group DM_INLINE_PROTOCOL_2 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.3.0 255.255.255.0 echo-reply inside
icmp permit any inside
icmp permit any outside
icmp permit 10.1.3.0 255.255.255.0 echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static outside outside destination static inside inside no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group global_access global
route inside 0.0.0.0 0.0.0.0 10.1.3.1 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname *********
vpdn group iskon ppp authentication pap
vpdn username ***** password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.132 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
split-tunnel-policy tunnelall
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
vpn-session-timeout none
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2923b78a04ee8cfe9324e3e2733d78SOLVED!!! i just needed to configure nat here is configuration for any1 with same problem
: Saved
ASA Version 9.1(1)
hostname ciscoasa
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iskon
ip address pppoe setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ladimirevci
subnet 10.1.2.0 255.255.255.0
object network lekenik
subnet 10.1.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 101 extended permit ip object lekenik object ladimirevci
access-list 101 extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object ladimirevci object lekenik
access-list outside_access_in extended permit ip object lekenik object ladimirevci
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object ladimirevci object lekenik
access-list inside_access_in extended permit ip object lekenik object ladimirevci
access-list inside_access_in extended permit ip any any
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 102 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list global_access extended permit ip object lekenik object ladimirevci
access-list global_access extended permit ip object ladimirevci object lekenik
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static ladimirevci ladimirevci destination static lekenik lekenik
object network obj_any
nat (inside,outside) dynamic interface dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set mySET esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN-MAP 5 set pfs
crypto dynamic-map DYN-MAP 5 set ikev1 transform-set mySET
crypto dynamic-map DYN-MAP 5 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map MAP 60 ipsec-isakmp dynamic DYN-MAP
crypto map MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
vpdn group iskon request dialout pppoe
vpdn group iskon localname vivaindo@iskon-dsl
vpdn group iskon ppp authentication pap
vpdn username vivaindo@iskon-dsl password *****
dhcpd auto_config outside
dhcpd address 10.1.2.5-10.1.2.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-lock value VPN-TUNNEL
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
nem enable
username user password enq05bKrudsJMMBu encrypted privilege 15
username user attributes
vpn-group-policy VPN
group-lock value VPN-TUNNEL
tunnel-group VPN-TUNNEL type remote-access
tunnel-group VPN-TUNNEL general-attributes
default-group-policy VPN
tunnel-group VPN-TUNNEL ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ddac35422ebbf57095be7a1d33b0b67d
: end
asdm image disk0:/asdm-712.bin
no asdm history enable -
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off.
The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world the you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik
Maybe you are looking for
-
Lookup in dictionary dosen't work anymore
either right click and then select look up in dictionary nor press the shortcut works on my power book it just stoped working any suggestions how to fix this thanks
-
Failover Cluster in SQL 2012 in not auto switch when stop service SQL
Good Morning to all, I'm Mr.Tuyen from VietNam. I have a big problem with AlwaysOn High Availabity in SQL 2012. I setup 3 server and join Availabilty Group. Ex: Server A (Primary), Server B (Secondary), Cluster Qourum is only node. I have test: 1. St
-
hello, if we pruchse asset thru PO , how do we capture the expense and acct. assignment, We are not implementing full fixed asset now, they are usign FAS for that, but only one plant is goin live, and there may be exteranl asset purchases, so i am
-
Workflow for inbound idoc failures
Hi Gurus, Can anybody please point me to a place where i can start to see how i can setup workflow to notify users via SBWP whenver there is an inbound idoc error happens. We want to derive the standard functionality to its fullest even before thinki
-
I have the creative cloud that I use for my schooling and I downloaded both Adobe Bridge CC and Flash Professional CC on the Creative Cloud and I cannot find or access them on the computer - where did they go?