Multiple Site-Site VPN Tunnel on a Single PiX Firewall

Similar Messages

• Configure a VPN client and Site to Site VPN tunnel

  Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been setup with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to SiteA PIX it stops the vpn tunnel to SiteB. However, the client can conect and do as needed so that part of my config is correct but I cannot see why the site to site vpn tunnel is then no longer.
  SiteA config with working VPN tunnel to SiteB:
  SITE A
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.x.x.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.x.x.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.x.x.0.0 201.201.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  SiteA-pix(config)#
  Lines I add for Cisco VPN clients is attached
  I entered each line one by one and did a reload and sh crypto map all was OK until I entered the crypto map VPNPEER lines.
  Anyone any ideas what this can be?
  Thanks

  Heres my config:
  PIX Version 6.3(1)
  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet2 auto shutdown
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 webdmz security20
  enable password xxx
  passwd xxx
  hostname SiteA-pix
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  no fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  names
  name 200.x.x.0 SiteA_INT
  name 201.x.x.201 SiteA_EXT
  name 200.x.x.254 PIX_INT
  name 10.10.10.0 SiteB_INT
  name 11.11.11.11 SiteB_EXT
  access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
  access-list acl_inside permit icmp any any
  access-list acl_inside permit ip any any
  access-list acl_outside permit ip any any
  access-list acl_outside permit icmp any any
  access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  mtu webdmz 1500
  ip address outside SiteA_EXT 255.255.255.128
  ip address inside PIX_INT 255.255.0.0
  no ip address webdmz
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool pix_inside 200.x.x.100-200.220.200.150
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_outbound_nat0_acl
  route outside 0.0.0.0 0.0.0.x.x.201.202 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
  aaa-server LOCAL protocol local
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
  crypto dynamic-map DYNOMAP 10 match address 80
  crypto dynamic-map DYNOMAP 10 set transform-set AAADES
  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20
  crypto map outside_map 20 set peer SiteB_EXT
  crypto map outside_map 20 set transform-set ESP-DES-MD5
  crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
  crypto map outside_map client authentication RADIUS
  crypto map outside_map interface outside
  isakmp enable outside
  isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash sha
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  vpngroup Remote address-pool pix_inside
  vpngroup Remote dns-server 200.200.200.20
  vpngroup Remote wins-server 200.200.200.20
  vpngroup Remote default-domain mycorp.co.uk
  vpngroup Remote idle-time 1800
  vpngroup Remote password password
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  terminal width 80
  I will attach debug output later today.
  Thanks

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• Cannot establish site-site vpn tunnel through ASA 9.1(2)

  Hi,
  We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
  The site-site VPN tunnel fails to establish.
  The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
  Regards

  >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
  UDP/500
  UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
  IP/50
  for testing ICMP/Echo
  If you allowed full IP-access between these two endpoints, it is more than enough.
  When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
  Can the two gateways ping each other? 

• 501 site-to-site vpn tunnel timeout

  What is the maximum session timeout that you can configure on a site-to-site vpn tunnel using 2 pix 501s. 24 hours??
  Thanks for any help, also, if you have documentation (I have looked but with no luck) could you post a link please....
  Thanks,

  There's no timeout setting as such. You can setup ISAKMP and IPSEC lifetimes though.
  For Phase 1, default is 24 Hrs and "0" means infinte.
  isakmp policy 1 lifetime 0
  For phase 2 , default is 28800 seconds.
  crypto map mymap 10 set security-association lifetime seconds 28800
  HEre's the doc :
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027585
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654
  *Please rate if helped.
  -Kanishka

• ASA 5505 site-to-site VPN tunnel and client VPN sessions

  Hello all
  I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
  I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
  The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
  Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
  Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
  I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
  Thanks in advance for any assistance provided!

  First question:
  Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
  Second question:
  Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
  Last question:
  This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
  Here is what needs to be configured:
  1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
  2) On site A configures: same-security-traffic permit intra-interface
  3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
  On Site Z:
  access-list permit ip
  On Site A:
  access-list permit ip
  4) NAT exemption on site Z needs to include vpn client pool subnet as well.
  Hope that helps.
  Message was edited by: Jennifer Halim

• Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

  Thanks to a previous thread, I do have a 5505 up and running, and passing data....
  https://supportforums.cisco.com/message/3900751
  Now I am trying to get a IPSEC VPN tunnel working.
  I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
  The networks concerned:
  name 10.0.0.0  Eventual  (HQ Site behind Firewall)
  name 1.1.1.0  CFS  (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
  name 2.2.2.0  T1  (Remote site - Outside interface of 5505: 2.2.2.2)
  name 10.209.0.0  Local  (Remote Network - internal interface of 5505: 10.209.0.3)
  On a ping to the HQ network from behind the ASA, I get....
  portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
  I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
  Below is the config.
  Can anyone see if there is something sticking out?
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 2.2.2.0 T1
  name 1.1.1.0 CFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object CFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location CFS 255.255.255.240 inside
  asdm history enable
  Thank You.

  I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
  Here's the output requested:
  Result of the command: "show crypto isakmp sa"
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1 IKE Peer: 1.1.1.1
  Type : L2L Role : initiator
  Rekey : no State : AM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
  access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
  local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
  current_peer: 1.1.1.1
  #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 8FC06BD1
  current inbound spi : 42EC16F4
  inbound esp sas:
  spi: 0x42EC16F4 (1122768628)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62207/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  outbound esp sas:
  spi: 0x8FC06BD1 (2411752401)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62201/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  Here's the current config:
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 67.139.113.216 T1
  name 1.1.1.0 IntegraCFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object IntegraCFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list No_NAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
  route outside Eventual 255.255.255.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set security-association lifetime kilobytes 65535
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location IntegraCFS 255.255.255.240 inside
  asdm history enable

• Site-to-Site VPN Tunnel fails after upgrade 8.3(2) to 8.4(4)

  Hello Team Cisco,
  I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening.  The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail.  I did a limited search online to see if this was a known issue or something new.  I also reviewed the release notes but did not see anything that matched the issue I received.
  My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade.  But if it failed on the upgraded test unit, it may fail on the production units.
  I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.
  Any input or thoughts would be greatly appreciated.
  Thanks,
  Michael

  Hi Chris,
  Thanks for the response. Unfortunately not.  I'll need to upgrade and capture logs and upload for review.  I may not get to that until this afternoon or Monday of next week.
  Regards,
  Michael

• Routing Issue for Remote Access Clients over Site to Site VPN tunnels

  I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?

  Patrick, that was indeed true for a long time.
  But now it is fixed in PIX and ASA version 7.x.
  Please refer to this document for details:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• Multiple site-to-site VPNs on same ASA

  I need to set up an IPSEC tunnel to let a vendor at a remote site print to a printer on my network.  I am planning to use an ASA 5520 to do this.  The architecture is pretty simple:
  [Remote computer] -- [Remote FW] --<VPN Tunnel>-- [Local FW] -- [Local Routing] -- [Printer]
  The caveat is that there will eventually be more than one vender needing to do this.  Each will have a different destination but that mena there will be more than one VPN connection to the ASA at my end.  It looks like the ASA 5520 can support more than one site-to-site VPN but will I need to assign a different endpoint IP address to each tunnel?
  I searched and didn't find a design guide for multiple site-to-site VPNs.  If one exists I'd appreciate a pointer.
  Stephen

  You can do multiple site-to-site VPN tunnels.  Typically, you would have a crypto map applied to the internet facing interface.  Each crypto map entry has a sequence number. You would simply create all of the necessary configuration (tunnel-group for the remote peer IP, ACL to define interesting traffic, etc.) and increment the crypto map entry.
  Example:
  crypto map outside_map 1 match address s2s-VPN-1
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.2.3.4
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  tunnel-group 1.2.3.4 type ipsec-l2l
  tunnel-group 1.2.3.4 ipsec-attributes
   ikev1 pre-shared-key SomeSecureKey$
  crypto map outside_map 2 match address s2s-VPN-2
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 4.5.6.7
  crypto map outside_map 2 set transform-set ESP-3DES-SHA
  tunnel-group 4.5.6.7 type ipsec-l2l
  tunnel-group 4.5.6.7 ipsec-attributes
  ikev1 pre-shared-key SomeSecureKey2$

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Communicate Directly Between VPN Tunnel Sites

  I have an ASA 5505 in the main office and at several remote sites. I have setup a site to site vpn tunnel between the main office and each remote site, "Hub and Spoke". I can ping between the main office through each tunnel to the respective remote site. I need to be able to ping directly from each remote site to all other remote sites. Please note I am using ASDM to configure the ASA 5505's. tks

  There are a few things you need to do here.
  Main ASA
  1. Enable "same-security-traffic permit intra-interface" to allow the vpn traffic to bounce off the outside interface on the hub firewall.
  2. Edit your interesting traffic (crypto) acls to reflect the new traffic which will be part of the vpn tunnels between main and remote sites. For instance right now your crypto acls include traffic between main site and remote sites. You need to add acl for traffic between remote site to remote site. The config below will allow traffic from remote site 1 to remote site 2.
  access-list crypto1 extended permit ip
  access-list crypto1 extended permit ip
  access-list crypto2 extended permit ip
  access-list crypto2 extended permit ip
  Remote ASA's
  1. Add the new interesting traffic (crypto) acls. Mirror of the acls at main site ASA.
  access-list crypto1 extended permit ip
  access-list crypto1 extended permit ip
  access-list crypto2 extended permit ip
  access-list crypto2 extended permit ip
  2. Add nat exemption for traffic from remote sites to remote sites for each remote ASA.
  access-list inside_nat0_outbound extended permit ip
  access-list inside_nat0_outbound extended permit ip
  access-list inside_nat0_outbound extended permit ip
  access-list inside_nat0_outbound extended permit ip

• Include multiple sub-interfaces in Cisco ASA for VPN tunnel

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
  Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
  Inside, int0/1 : 10.1.1.0/24
  DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
  Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
  Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
  And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
  So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
  Additional settings:
  Have ACL to allow all sub interfaces to access outsite ( lower security level)
  NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet. 
  I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

• Cisco ASA 5505 Site to Site VPN

  Hello All,
  First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
  I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
  Please see details below:
  Both ADM are 7.1
  IOS
  ASA 1
  aved
  ASA Version 9.0(1)
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address 92.51.193.158 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network CIX_Subnet
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network NETWORK_OBJ_84.39.233.50
  host 84.39.233.50
  object network NETWORK_OBJ_92.51.193.158
  host 92.51.193.158
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address
  [email protected]
  logging recipient-address
  [email protected]
  level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.40.0 255.255.255.0 wireless
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 84.39.233.50
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.40.0 255.255.255.0 wireless
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password uYePLcrFadO9pBZx encrypted
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
  ASA 2
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address 84.39.233.50 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network Eiresoft
  host 146.66.160.70
  description DBA Contractor
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_3
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_7
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in remark Access for Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 92.51.193.156 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 92.51.193.158
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 92.51.193.156 255.255.255.252 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
  : end

  Hi,
  Thanks for the help to date
  I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
  See below the details:
  ASA1:
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address XX.XX.XX.XX 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  description Wireless network
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  service-object object SQL_Server
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer XX.XX.XX.XX
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map servers_map interface servers
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable inside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 enable servers
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username niamh password MlFlIlEiy8vismE0 encrypted
  username niamh attributes
  service-type admin
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password yQeVtvLLKqapoUje encrypted privilege 0
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:83fa7ce1d93375645205f6e79b526381
  ASA2:
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.X 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock timezone GMT 0
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 192.168.100.0 255.255.255.0
  object network REMOTE-LAN
  subnet 192.168.10.0 255.255.255.0
  object network TargetMC
  host 83.71.194.145
  description This is Target Location that will be accessing the Webserver
  object network Rackspace_OLTP
  host 162.13.34.56
  description This is the IP address of production OLTP
  object service DB
  service tcp destination eq 5022
  object network Topaz_Target_VM
  host 82.198.151.168
  description This is Topaz IP that will be accessing Targets VM
  object service DB_2
  service tcp destination eq 5023
  object network EireSoft_NEW_IP
  host 146.66.161.3
  description Eiresoft latest IP form ISP DHCP
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  service-object icmp echo
  service-object icmp echo-reply
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object tcp destination eq www
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_12
  service-object object MSQL
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  service-object object DB_2
  object-group service DM_INLINE_SERVICE_13
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_14
  service-object object MSQL
  service-object object RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_access_in remark Access rules from Traget to CIX for testing
  access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
  access-list outside_access_in remark Topaz access to Target VM
  access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
  access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
  access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
  access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
  access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
  pager lines 24
  logging enable
  logging console debugging
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source dynamic LAN interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http X.X.X.X 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer X.X.X.X
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh X.X.X.X  255.255.255.240 outside
  ssh X.X.X.X 255.255.255.252 outside
  ssh 192.168.40.0 255.255.255.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

• How to disconnect ASA 5505 site-to-site VPN via SSL?

  Hi all,
          sorry, bit of a newbie so this may be trivial.
  We have an ASA 5505 which has two IPSEC site-to-site VPN tunnels. One to another ASA works just fine but the other to a Checkpoint VPN locks up occasionally. I've given up on sorting the actual problem and for now we're logging it out via ASDM where it reconnects and all is fine again.
  What I'd like to do is automate this logout using the SSH interface if we detect an issue with the connection. Can anyone point me in the general direction of documentation to do this please?

  I would stick with site-to-site vpn instead of Easy VPN NEM (Network Extension Mode) for your setup.
  Can you pls share the full config on both HQ and New Facility so we can see if everything has been included in the configuration.
  Pls check your NAT statement to see if you have configure NAT exemption for that VoIP network.
  HQ should also have crypto ACL that include the VoIP network.
  What is the gateway currently configured on your PBX? and what device is that? how is the routing on that device that is set as your PBX default gateway? If you can share a topology diagram that would help too.