Odd Site-to-Site VPN Log Activity

Similar Messages

• Cisco ASA 5505 Site to Site VPN

  Hello All,
  First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
  I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
  Please see details below:
  Both ADM are 7.1
  IOS
  ASA 1
  aved
  ASA Version 9.0(1)
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address 92.51.193.158 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network CIX_Subnet
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network NETWORK_OBJ_84.39.233.50
  host 84.39.233.50
  object network NETWORK_OBJ_92.51.193.158
  host 92.51.193.158
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address
  [email protected]
  logging recipient-address
  [email protected]
  level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.40.0 255.255.255.0 wireless
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 84.39.233.50
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.40.0 255.255.255.0 wireless
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password uYePLcrFadO9pBZx encrypted
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
  ASA 2
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address 84.39.233.50 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network Eiresoft
  host 146.66.160.70
  description DBA Contractor
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_3
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_7
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in remark Access for Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 92.51.193.156 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 92.51.193.158
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 92.51.193.156 255.255.255.252 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
  : end

  Hi,
  Thanks for the help to date
  I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
  See below the details:
  ASA1:
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address XX.XX.XX.XX 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  description Wireless network
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  service-object object SQL_Server
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer XX.XX.XX.XX
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map servers_map interface servers
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable inside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 enable servers
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username niamh password MlFlIlEiy8vismE0 encrypted
  username niamh attributes
  service-type admin
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password yQeVtvLLKqapoUje encrypted privilege 0
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:83fa7ce1d93375645205f6e79b526381
  ASA2:
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.X 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock timezone GMT 0
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 192.168.100.0 255.255.255.0
  object network REMOTE-LAN
  subnet 192.168.10.0 255.255.255.0
  object network TargetMC
  host 83.71.194.145
  description This is Target Location that will be accessing the Webserver
  object network Rackspace_OLTP
  host 162.13.34.56
  description This is the IP address of production OLTP
  object service DB
  service tcp destination eq 5022
  object network Topaz_Target_VM
  host 82.198.151.168
  description This is Topaz IP that will be accessing Targets VM
  object service DB_2
  service tcp destination eq 5023
  object network EireSoft_NEW_IP
  host 146.66.161.3
  description Eiresoft latest IP form ISP DHCP
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  service-object icmp echo
  service-object icmp echo-reply
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object tcp destination eq www
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_12
  service-object object MSQL
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  service-object object DB_2
  object-group service DM_INLINE_SERVICE_13
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_14
  service-object object MSQL
  service-object object RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_access_in remark Access rules from Traget to CIX for testing
  access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
  access-list outside_access_in remark Topaz access to Target VM
  access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
  access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
  access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
  access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
  access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
  pager lines 24
  logging enable
  logging console debugging
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source dynamic LAN interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http X.X.X.X 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer X.X.X.X
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh X.X.X.X  255.255.255.240 outside
  ssh X.X.X.X 255.255.255.252 outside
  ssh 192.168.40.0 255.255.255.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

• CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

  I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
  The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
  My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
  I can not find where I can interogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
  Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

  Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
  access list rule:
  access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
  nat rule:
  nat (inside,outside) source static server interface service voip-range voip-range
  - 'server' is a network object *
  - 'voip-range' is a service group range
  I'd assume you can do something similar here in combination with my earlier comment:
  access-list incoming extended permit tcp any any eq 5900
  Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni

• Site to Site VPN Problems With 2801 Router and ASA 5505

  Hello,
  I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
  IP scheme at SIte A:
  IP    172.19.3.x
  sub 255.255.255.128
  GW 172.19.3.129
  Site A Ciscso 2801 Router
  Current configuration : 11858 bytes
  version 12.4
  service timestamps debug datetime localtime
  service timestamps log datetime localtime show-timezone
  service password-encryption
  hostname router-2801
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  logging buffered 4096
  aaa new-model
  aaa authentication login userauthen group radius local
  aaa authorization network groupauthor local
  aaa session-id common
  clock timezone est -5
  clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 172.19.3.129 172.19.3.149
  ip dhcp excluded-address 172.19.10.1 172.19.10.253
  ip dhcp excluded-address 172.19.3.140
  ip dhcp ping timeout 900
  ip dhcp pool DHCP
     network 172.19.3.128 255.255.255.128
     default-router 172.19.3.129
     domain-name domain.local
     netbios-name-server 172.19.3.7
     option 66 ascii 172.19.3.225
     dns-server 172.19.3.140 208.67.220.220 208.67.222.222
  ip dhcp pool VoiceDHCP
     network 172.19.10.0 255.255.255.0
     default-router 172.19.10.1
     dns-server 208.67.220.220 8.8.8.8
     option 66 ascii 172.19.10.2
     lease 2
  ip cef
  ip inspect name SDM_LOW cuseeme
  ip inspect name SDM_LOW dns
  ip inspect name SDM_LOW ftp
  ip inspect name SDM_LOW h323
  ip inspect name SDM_LOW https
  ip inspect name SDM_LOW icmp
  ip inspect name SDM_LOW imap
  ip inspect name SDM_LOW pop3
  ip inspect name SDM_LOW netshow
  ip inspect name SDM_LOW rcmd
  ip inspect name SDM_LOW realaudio
  ip inspect name SDM_LOW rtsp
  ip inspect name SDM_LOW esmtp
  ip inspect name SDM_LOW sqlnet
  ip inspect name SDM_LOW streamworks
  ip inspect name SDM_LOW tftp
  ip inspect name SDM_LOW tcp
  ip inspect name SDM_LOW udp
  ip inspect name SDM_LOW vdolive
  no ip domain lookup
  ip domain name domain.local
  multilink bundle-name authenticated
  key chain key1
  key 1
     key-string 7 06040033484B1B484557
  crypto pki trustpoint TP-self-signed-3448656681
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
  revocation-check none
  rsakeypair TP-self-signed-344bbb56681
  crypto pki certificate chain TP-self-signed-3448656681
  certificate self-signed 01
    3082024F
              quit
  username admin privilege 15 password 7 F55
  archive
  log config
    hidekeys
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXX address 209.118.0.1
  crypto isakmp key xxxxx address SITE B Public IP
  crypto isakmp keepalive 40 5
  crypto isakmp nat keepalive 20
  crypto isakmp client configuration group IISVPN
  key 1nsur3m3
  dns 172.19.3.140
  wins 172.19.3.140
  domain domain.local
  pool VPN_Pool
  acl 198
  crypto isakmp profile IISVPNClient
     description VPN clients profile
     match identity group IISVPN
     client authentication list userauthen
     isakmp authorization list groupauthor
     client configuration address respond
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto dynamic-map Dynamic 5
  set transform-set myset
  set isakmp-profile IISVPNClient
  qos pre-classify
  crypto map VPN 10 ipsec-isakmp
  set peer 209.118.0.1
  set peer SITE B Public IP
  set transform-set myset
  match address 101
  qos pre-classify
  crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
  track 123 ip sla 1 reachability
  delay down 15 up 10
  class-map match-any VoiceTraffic
  match protocol rtp audio
  match protocol h323
  match protocol rtcp
  match access-group name VOIP
  match protocol sip
  class-map match-any RDP
  match access-group 199
  policy-map QOS
  class VoiceTraffic
      bandwidth 512
  class RDP
      bandwidth 768
  policy-map MainQOS
  class class-default
      shape average 1500000
    service-policy QOS
  interface FastEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
  ip address 172.19.3.129 255.255.255.128
  ip access-group 100 in
  ip inspect SDM_LOW in
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/0.10
  description $ETH-VoiceVLAN$$
  encapsulation dot1Q 10
  ip address 172.19.10.1 255.255.255.0
  ip inspect SDM_LOW in
  ip nat inside
  ip virtual-reassembly
  interface FastEthernet0/1
  description "Comcast"
  ip address PUB IP 255.255.255.248
  ip access-group 102 in
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map VPN
  interface Serial0/1/0
  description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
  bandwidth 1536
  no ip address
  encapsulation frame-relay IETF
  frame-relay lmi-type ansi
  interface Serial0/1/0.1 point-to-point
  bandwidth 1536
  ip address 152.000.000.18 255.255.255.252
  ip access-group 102 in
  ip verify unicast reverse-path
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  frame-relay interface-dlci 500 IETF 
  crypto map VPN
  service-policy output MainQOS
  interface Serial0/2/0
  description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
  ip address 123.252.123.102 255.255.255.252
  ip access-group 102 in
  ip inspect SDM_LOW out
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  crypto map VPN
  service-policy output MainQOS
  ip local pool VPN_Pool 172.20.3.130 172.20.3.254
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
  ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
  ip route 122.112.197.20 255.255.255.255 209.252.237.101
  ip route 208.67.220.220 255.255.255.255 50.78.233.110
  no ip http server
  no ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip flow-top-talkers
  top 20
  sort-by bytes
  ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
  ip nat inside source route-map PAETEC interface Serial0/2/0 overload
  ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
  ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
  ip access-list extended VOIP
  permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
  permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
  ip radius source-interface FastEthernet0/0
  ip sla 1
  icmp-echo 000.67.220.220 source-interface FastEthernet0/1
  timeout 10000
  frequency 15
  ip sla schedule 1 life forever start-time now
  access-list 23 permit 172.19.3.0 0.0.0.127
  access-list 23 permit 172.19.3.128 0.0.0.127
  access-list 23 permit 173.189.251.192 0.0.0.63
  access-list 23 permit 107.0.197.0 0.0.0.63
  access-list 23 permit 173.163.157.32 0.0.0.15
  access-list 23 permit 72.55.33.0 0.0.0.255
  access-list 23 permit 172.19.5.0 0.0.0.63
  access-list 100 remark "Outgoing Traffic"
  access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
  access-list 100 deny   ip host 255.255.255.255 any
  access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit tcp host 172.19.3.190 any eq smtp
  access-list 100 permit tcp host 172.19.3.137 any eq smtp
  access-list 100 permit tcp any host 66.251.35.131 eq smtp
  access-list 100 permit tcp any host 173.201.193.101 eq smtp
  access-list 100 permit ip any any
  access-list 100 permit tcp any any eq ftp
  access-list 101 remark "Interesting VPN Traffic"
  access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 101 permit tcp any any eq ftp
  access-list 101 permit tcp any any eq ftp-data
  access-list 102 remark "Inbound Access"
  access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
  access-list 102 permit udp any host 152.179.53.18 eq isakmp
  access-list 102 permit esp any host 152.179.53.18
  access-list 102 permit ahp any host 152.179.53.18
  access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
  access-list 102 permit udp any host 209.000.000.102 eq isakmp
  access-list 102 permit esp any host 209.000.000.102
  access-list 102 permit ahp any host 209.000.000.102
  access-list 102 permit udp any host PUB IP eq non500-isakmp
  access-list 102 permit udp any host PUB IP eq isakmp
  access-list 102 permit esp any host PUB IP
  access-list 102 permit ahp any host PUB IP
  access-list 102 permit ip 72.55.33.0 0.0.0.255 any
  access-list 102 permit ip 107.0.197.0 0.0.0.63 any
  access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
  access-list 102 permit icmp any any echo-reply
  access-list 102 permit icmp any any time-exceeded
  access-list 102 permit icmp any any unreachable
  access-list 102 permit icmp any any
  access-list 102 deny   ip any any log
  access-list 102 permit tcp any host 172.19.3.140 eq ftp
  access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
  access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
  access-list 102 permit udp any host SITE B Public IP  eq isakmp
  access-list 102 permit esp any host SITE B Public IP
  access-list 102 permit ahp any host SITE B Public IP
  access-list 110 remark "Outbound NAT Rule"
  access-list 110 remark "Deny VPN Traffic NAT"
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
  access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
  access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 110 permit ip 172.19.3.128 0.0.0.127 any
  access-list 110 permit ip 172.19.10.0 0.0.0.255 any
  access-list 198 remark "Networks for IISVPN Client"
  access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 199 permit tcp any any eq 3389
  route-map PAETEC permit 10
  match ip address 110
  match interface Serial0/2/0
  route-map COMCAST permit 10
  match ip address 110
  match interface FastEthernet0/1
  route-map VERIZON permit 10
  match ip address 110
  match interface Serial0/1/0.1
  snmp-server community 123 RO
  radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  line vty 5 15
  access-class 23 in
  privilege level 15
  transport input telnet ssh
  scheduler allocate 20000 1000
  ntp server 128.118.25.3
  ntp server 217.150.242.8
  end
  IP scheme at site B:
  ip     172.19.5.x
  sub  255.255.255.292
  gw   172.19.5.65
  Cisco ASA 5505 at Site B
  ASA Version 8.2(5)
  hostname ASA5505
  domain-name domain.com
  enable password b04DSH2HQqXwS8wi encrypted
  passwd b04DSH2HQqXwS8wi encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.19.5.65 255.255.255.192
  interface Vlan2
  nameif outside
  security-level 0
  ip address SITE B public IP 255.255.255.224
  boot system disk0:/asa825-k8.bin
  ftp mode passive
  clock timezone est -5
  clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
  dns server-group DefaultDNS
  domain-name iis-usa.com
  same-security-traffic permit intra-interface
  object-group network old hosting provider
  network-object 72.55.34.64 255.255.255.192
  network-object 72.55.33.0 255.255.255.0
  network-object 173.189.251.192 255.255.255.192
  network-object 173.163.157.32 255.255.255.240
  network-object 66.11.1.64 255.255.255.192
  network-object 107.0.197.0 255.255.255.192
  object-group network old hosting provider
  network-object host 172.19.250.10
  network-object host 172.19.250.11
  access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
  access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
  access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
  access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
  access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
  access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
  access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
  access-list 10 extended permit icmp any any echo-reply
  access-list 10 extended permit icmp any any time-exceeded
  access-list 10 extended permit icmp any any unreachable
  access-list 10 extended permit icmp any any traceroute
  access-list 10 extended permit icmp any any source-quench
  access-list 10 extended permit icmp any any
  access-list 10 extended permit tcp object-group old hosting provider any eq 3389
  access-list 10 extended permit tcp any any eq https
  access-list 10 extended permit tcp any any eq www
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
  pager lines 24
  logging enable
  logging timestamp
  logging console emergencies
  logging monitor emergencies
  logging buffered warnings
  logging trap debugging
  logging history debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip verify reverse-path interface inside
  ip verify reverse-path interface outside
  ip audit name jab attack action alarm drop reset
  ip audit name probe info action alarm drop reset
  ip audit interface outside probe
  ip audit interface outside jab
  ip audit info action alarm drop reset
  ip audit attack action alarm drop reset
  ip audit signature 2000 disable
  ip audit signature 2001 disable
  ip audit signature 2004 disable
  ip audit signature 2005 disable
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit 75.150.169.48 255.255.255.240 outside
  icmp permit 72.44.134.16 255.255.255.240 outside
  icmp permit 72.55.33.0 255.255.255.0 outside
  icmp permit any outside
  icmp permit 173.163.157.32 255.255.255.240 outside
  icmp permit 107.0.197.0 255.255.255.192 outside
  icmp permit 66.11.1.64 255.255.255.192 outside
  icmp deny any outside
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list 100
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group 10 in interface outside
  route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
  timeout xlate 3:00:00
  timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http 107.0.197.0 255.255.255.192 outside
  http 66.11.1.64 255.255.255.192 outside
  snmp-server host outside 107.0.197.29 community *****
  snmp-server host outside 107.0.197.30 community *****
  snmp-server host inside 172.19.250.10 community *****
  snmp-server host outside 172.19.250.10 community *****
  snmp-server host inside 172.19.250.11 community *****
  snmp-server host outside 172.19.250.11 community *****
  snmp-server host outside 68.82.122.239 community *****
  snmp-server host outside 72.55.33.37 community *****
  snmp-server host outside 72.55.33.38 community *****
  snmp-server host outside 75.150.169.50 community *****
  snmp-server host outside 75.150.169.51 community *****
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 10 match address 110
  crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
  crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
  crypto map VPNMAP 10 set security-association lifetime seconds 86400
  crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 172.19.5.64 255.255.255.192 inside
  telnet 172.19.3.0 255.255.255.128 outside
  telnet timeout 60
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd dns 172.19.3.140
  dhcpd wins 172.19.3.140
  dhcpd ping_timeout 750
  dhcpd domain iis-usa.com
  dhcpd address 172.19.5.80-172.19.5.111 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection scanning-threat shun except object-group old hosting provider
  threat-detection statistics
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  ntp server 128.118.25.3 source outside
  ntp server 217.150.242.8 source outside
  tunnel-group 72.00.00.7 type ipsec-l2l
  tunnel-group 72.00.00.7 ipsec-attributes
  pre-shared-key *****
  tunnel-group old vpn public ip type ipsec-l2l
  tunnel-group old vpn public ip ipsec-attributes
  pre-shared-key *****
  tunnel-group SITE A Public IP  type ipsec-l2l
  tunnel-group SITE A Public IP  ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect pptp
    inspect sip 
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:
  : end

  I have removed the old "set peer" and have added:
  IOS router:
  access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
  ASA fw:
  access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
  on the router I have also added;
  access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
  Here is my acl :
  access-list 110 remark "Outbound NAT Rule"
  access-list 110 remark "Deny VPN Traffic NAT"
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
  access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
  access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
  access-list 110 permit ip 172.19.3.128 0.0.0.127 any
  access-list 110 permit ip 172.19.10.0 0.0.0.255 any
  access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
  access-list 198 remark "Networks for IISVPN Client"
  access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
  access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
  Still no ping tothe other site.

• ASA 5520 site-to-site VPN question

  Hello,
  We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
  The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
  After doing some research, I came across the this command;
  sysopt connection permit-vpn
  I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
  Thanks,
  John

  What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
  hostname cisco
  domain-name cisco.com
  enable password XXXXXXXX encrypted
  passwd XXXXXXXXXXX encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.2 255.255.255.0
  interface Ethernet0/2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/3
  nameif outsidetwo
  security-level 0
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.com
  same-security-traffic permit intra-interface
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list split standard permit 10.0.0.0 255.255.255.0
  access-list split standard permit 10.90.238.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered errors
  logging trap notifications
  logging asdm informational
  logging class vpn buffered debugging
  mtu outside 1500
  mtu inside 1500
  mtu backup 1500
  mtu outsidetwo 1500
  mtu management 1500
  ip local pool vpnpool 10.0.10.100-10.0.10.200
  ip audit name Inbound-Attack attack action alarm drop
  ip audit name Inbound-Info info action alarm
  ip audit interface outside Inbound-Info
  ip audit interface outside Inbound-Attack
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 10 set transform-set myset
  crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
  crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address XXX
  crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address XXX2
  crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 2 set transform-set myset
  crypto map outside_map 2 set security-association lifetime seconds 28800
  crypto map outside_map 2 set security-association lifetime kilobytes 4608000
  crypto map outside_map 3 match address XXX3
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 3 set transform-set myset
  crypto map outside_map 3 set security-association lifetime seconds 28800
  crypto map outside_map 3 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy XXXgroup internal
  group-policy XXXgroup attributes
  dns-server value XXX.XXX.XXX.XXX
  vpn-idle-timeout 30
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  default-domain value domain.local
  username XXX24 password XXXX encrypted privilege 15
  username admin password XXXX encrypted
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXXgroup type remote-access
  tunnel-group XXXgroup general-attributes
  address-pool vpnpool
  default-group-policy rccgroup
  tunnel-group XXXgroup ipsec-attributes
  pre-shared-key XXXXXXXXXX
  isakmp ikev1-user-authentication none
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily

• ASA 5505. VPN Site-to-Site does not connect!

  Hello!
  Already more than a week ago, as we had a new channel of communication from MGTSa (ONT terminal Sercomm RV6688BCM, who just barely made in the "bridge" - was forced to make the provider in order to receive our white Cisco Ip-address), and now I'm trying too much more than a week to raise between our offices firm VPN IKEv1 IPsec Site-to-Site tunnel.
  Configurable and use the wizard in ASDM and handles in CLI, the result of one, the connection does not rise.
  Version Cisco 9.2 (2), the image of Cisco asa922-k8.bin, version license Security Plus, version ASDM 7.2 (2).
  What I'll never know ...
  Full configuration and debug enclose below.
  Help, what can follow any responses, please! I was quite exhausted!
  Config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: XXXXXXXXXXXX
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)
  hostname gate-71
  enable password F6OJ0GOws7WHxeql encrypted
  names
  ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.1.72.254 255.255.255.0
  interface Vlan2
   nameif outside_mgts
   security-level 0
   ip address 62.112.100.R1 255.255.255.252
  ftp mode passive
  clock timezone MSK/MSD 3
  clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
  dns domain-lookup inside
  dns server-group MGTS
   name-server 195.34.31.50
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
   subnet 0.0.0.0 0.0.0.0
  object network NET72
   subnet 10.1.72.0 255.255.255.0
  object network obj-0.0.0.0
   host 0.0.0.0
  object network Nafanya
   host 10.1.72.5
  object network obj-10.1.72.0
   subnet 10.1.72.0 255.255.255.0
  object network NET61
   subnet 10.1.61.0 255.255.255.0
  object network NETWORK_OBJ_10.1.72.96_27
   subnet 10.1.72.96 255.255.255.224
  object network NETT72
   subnet 10.1.72.0 255.255.255.0
  object network NET30
   subnet 10.1.30.0 255.255.255.0
  object network NETWORK_OBJ_10.1.72.0_24
   subnet 10.1.72.0 255.255.255.0
  object-group service OG-FROM-INET
   service-object icmp echo
   service-object icmp echo-reply
   service-object icmp traceroute
   service-object icmp unreachable
   service-object tcp-udp destination eq echo
  object-group network DM_INLINE_NETWORK_1
   network-object object NET30
   network-object object NET72
  object-group service DM_INLINE_TCP_1 tcp
   port-object eq www
   port-object eq https
  access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
  access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
  access-list inside_access_in extended permit ip object Nafanya any inactive
  access-list inside_access_in extended permit object-group OG-FROM-INET any any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in extended deny ip any any log alerts
  access-list outside_mgts_access_in extended permit object-group OG-FROM-INET any any
  access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
  access-list outside_mgts_access_in extended deny ip any any log alerts
  access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
  access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside_mgts 1500
  ip verify reverse-path interface outside_mgts
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
  nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
  object network obj_any
   nat (inside,outside_mgts) dynamic obj-0.0.0.0
  object network NET72
   nat (inside,outside_mgts) dynamic interface dns
  access-group inside_access_in in interface inside
  access-group outside_mgts_access_in in interface outside_mgts
  route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  no user-identity enable
  user-identity default-domain LOCAL
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 10.1.72.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
  crypto map outside_mgts_map 1 set pfs group1
  crypto map outside_mgts_map 1 set peer 91.188.180.42
  crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_mgts_map interface outside_mgts
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
   enrollment self
   email [email protected]
   subject-name CN=gate-71
   serial-number
   ip-address 62.112.100.42
   proxy-ldc-issuer
   crl configure
  crypto ca trustpoint ASDM_TrustPoint1
   enrollment self
   keypair ASDM_TrustPoint1
   crl configure
  crypto ca trustpool policy
  crypto ca certificate chain ASDM_TrustPoint0
   certificate eff26954
      30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d010105
      019
      6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d1964
      60ae26ec 5f300d06 092a8648 86f70d01 01050500 03820101 00448753 7baa5c77
      62857b65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
      5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
      28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
      0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
      94a82781 44493217 38097952 003d5552 5c445f1f 92f04039 a23fba20 b9d51b13
      f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c024 3af56b97 51af8253
      486844bc b1954abe 8acd7108 5e4212df 193b8167 db835d76 98ffdb2b 8c8ab915
      0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
    quit
  crypto ca certificate chain ASDM_TrustPoint1
   certificate a39a2b54
      30820377 3082025f a0030201 020204a3 9a2b5430 0d06092a 864886f7 0d010105
      0500304b 3110300e 06035504 03130767 6174652d 36313137 30120603 55040513
      c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
      14bdb207 7dd790a4 0cd70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
      f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
      62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f 362973a0 88de3272
      9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
      638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
      0001a363 3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101
      ff040403 02018630 1f060355 1d230418 30168014 0cea70bf 0d0e0c4b eb34a0b1
      8242a549 5183ccf9 301d0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182
      42a54951 83ccf930 0d06092a 864886f7 0d010105 05000382 0101004e 7bfe054a
      d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 96077966 2a97333b 05a8e9ef
      bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
      9aaeae21 a629ccc6 3c79200b b9a89b08 4745a411 bf38afb6 ea56b957 4430f692
      34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
      ebd4dccd df93c17e deceb796 f268abf1 bd5f7b69 89183841 881409b5 f484f0e7
      ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
      4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
      32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
    quit
  crypto isakmp identity address
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside_mgts client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside_mgts
  crypto ikev1 policy 10
   authentication crack
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 30
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 40
   authentication crack
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 50
   authentication rsa-sig
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 60
   authentication pre-share
   encryption aes-192
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 70
   authentication crack
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 80
   authentication rsa-sig
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 90
   authentication pre-share
   encryption aes
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 100
   authentication crack
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 110
   authentication rsa-sig
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 130
   authentication crack
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 140
   authentication rsa-sig
   encryption des
   hash sha
   group 2
   lifetime 86400
  crypto ikev1 policy 150
   authentication pre-share
   encryption des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  no ssh stricthostkeycheck
  ssh 10.1.72.0 255.255.255.0 inside
  ssh timeout 60
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpnclient server 91.188.180.X
  vpnclient mode network-extension-mode
  vpnclient nem-st-autoconnect
  vpnclient vpngroup VPN-L2L password *****
  vpnclient username aradetskayaL password *****
  dhcpd auto_config outside_mgts
  dhcpd update dns both override interface inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 inside
  ssl trust-point ASDM_TrustPoint0 outside_mgts
  webvpn
   enable outside_mgts
  group-policy GroupPolicy_91.188.180.X internal
  group-policy GroupPolicy_91.188.180.X attributes
   vpn-tunnel-protocol ikev1
  group-policy VPN-ST internal
  group-policy VPN-ST attributes
   dns-server value 195.34.31.50 8.8.8.8
   vpn-tunnel-protocol ikev1
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value VPN-ST_splitTunnelAcl
   default-domain none
  username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
  tunnel-group 91.188.180.X type ipsec-l2l
  tunnel-group 91.188.180.X general-attributes
   default-group-policy GroupPolicy_91.188.180.42
  tunnel-group 91.188.180.X ipsec-attributes
   ikev1 pre-shared-key *****
   ikev2 remote-authentication pre-shared-key *****
   ikev2 remote-authentication certificate
   ikev2 local-authentication pre-shared-key *****
  tunnel-group VPN-ST type remote-access
  tunnel-group VPN-ST general-attributes
   address-pool vpnpool
   default-group-policy VPN-ST
  tunnel-group VPN-ST ipsec-attributes
   ikev1 pre-shared-key *****
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:212e4f5035793d1c219fed57751983d8
  : end
  gate-71# sh crypto ikev1 sa
  There are no IKEv1 SAs
  gate-71# sh crypto ikev2 sa
  There are no IKEv2 SAs
  gate-71# sh crypto ipsec sa
  There are no ipsec sas
  gate-71# sh crypto isakmp
  There are no IKEv1 SAs
  There are no IKEv2 SAs
  Global IKEv1 Statistics
    Active Tunnels:              0
    Previous Tunnels:            0
    In Octets:                   0
    In Packets:                  0
    In Drop Packets:             0
    In Notifys:                  0
    In P2 Exchanges:             0
    In P2 Exchange Invalids:     0
    In P2 Exchange Rejects:      0
    In P2 Sa Delete Requests:    0
    Out Octets:                  0
    Out Packets:                 0
    Out Drop Packets:            0
    Out Notifys:                 0
    Out P2 Exchanges:            0
    Out P2 Exchange Invalids:    0
    Out P2 Exchange Rejects:     0
    Out P2 Sa Delete Requests:   0
    Initiator Tunnels:           0
    Initiator Fails:             0
    Responder Fails:             0
    System Capacity Fails:       0
    Auth Fails:                  0
    Decrypt Fails:               0
    Hash Valid Fails:            0
    No Sa Fails:                 0
  IKEV1 Call Admission Statistics
    Max In-Negotiation SAs:                 25
    In-Negotiation SAs:                      0
    In-Negotiation SAs Highwater:            0
    In-Negotiation SAs Rejected:             0
  Global IKEv2 Statistics
    Active Tunnels:                          0
    Previous Tunnels:                        0
    In Octets:                               0
    In Packets:                              0
    In Drop Packets:                         0
    In Drop Fragments:                       0
    In Notifys:                              0
    In P2 Exchange:                          0
    In P2 Exchange Invalids:                 0
    In P2 Exchange Rejects:                  0
    In IPSEC Delete:                         0
    In IKE Delete:                           0
    Out Octets:                              0
    Out Packets:                             0
    Out Drop Packets:                        0
    Out Drop Fragments:                      0
    Out Notifys:                             0
    Out P2 Exchange:                         0
    Out P2 Exchange Invalids:                0
    Out P2 Exchange Rejects:                 0
    Out IPSEC Delete:                        0
    Out IKE Delete:                          0
    SAs Locally Initiated:                   0
    SAs Locally Initiated Failed:            0
    SAs Remotely Initiated:                  0
    SAs Remotely Initiated Failed:           0
    System Capacity Failures:                0
    Authentication Failures:                 0
    Decrypt Failures:                        0
    Hash Failures:                           0
    Invalid SPI:                             0
    In Configs:                              0
    Out Configs:                             0
    In Configs Rejects:                      0
    Out Configs Rejects:                     0
    Previous Tunnels:                        0
    Previous Tunnels Wraps:                  0
    In DPD Messages:                         0
    Out DPD Messages:                        0
    Out NAT Keepalives:                      0
    IKE Rekey Locally Initiated:             0
    IKE Rekey Remotely Initiated:            0
    CHILD Rekey Locally Initiated:           0
    CHILD Rekey Remotely Initiated:          0
  IKEV2 Call Admission Statistics
    Max Active SAs:                   No Limit
    Max In-Negotiation SAs:                 50
    Cookie Challenge Threshold:          Never
    Active SAs:                              0
    In-Negotiation SAs:                      0
    Incoming Requests:                       0
    Incoming Requests Accepted:              0
    Incoming Requests Rejected:              0
    Outgoing Requests:                       0
    Outgoing Requests Accepted:              0
    Outgoing Requests Rejected:              0
    Rejected Requests:                       0
    Rejected Over Max SA limit:              0
    Rejected Low Resources:                  0
    Rejected Reboot In Progress:             0
    Cookie Challenges:                       0
    Cookie Challenges Passed:                0
    Cookie Challenges Failed:                0
  Global IKEv1 IPSec over TCP Statistics
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
  gate-71# sh crypto protocol statistics all
  [IKEv1 statistics]
     Encrypt packet requests: 0
     Encapsulate packet requests: 0
     Decrypt packet requests: 0
     Decapsulate packet requests: 0
     HMAC calculation requests: 0
     SA creation requests: 0
     SA rekey requests: 0
     SA deletion requests: 0
     Next phase key allocation requests: 0
     Random number generation requests: 0
     Failed requests: 0
  [IKEv2 statistics]
     Encrypt packet requests: 0
     Encapsulate packet requests: 0
     Decrypt packet requests: 0
     Decapsulate packet requests: 0
     HMAC calculation requests: 0
     SA creation requests: 0
     SA rekey requests: 0
     SA deletion requests: 0
     Next phase key allocation requests: 0
     Random number generation requests: 0
     Failed requests: 0
  [IPsec statistics]
     Encrypt packet requests: 0
     Encapsulate packet requests: 0
     Decrypt packet requests: 0
     Decapsulate packet requests: 0
     HMAC calculation requests: 0
     SA creation requests: 0
     SA rekey requests: 0
     SA deletion requests: 0
     Next phase key allocation requests: 0
     Random number generation requests: 0
     Failed requests: 0
  [SSL statistics]
     Encrypt packet requests: 19331
     Encapsulate packet requests: 19331
     Decrypt packet requests: 437
     Decapsulate packet requests: 437
     HMAC calculation requests: 19768
     SA creation requests: 178
     SA rekey requests: 0
     SA deletion requests: 176
     Next phase key allocation requests: 0
     Random number generation requests: 0
     Failed requests: 0
  [SSH statistics are not supported]
  [SRTP statistics]
     Encrypt packet requests: 0
     Encapsulate packet requests: 0
     Decrypt packet requests: 0
     Decapsulate packet requests: 0
     HMAC calculation requests: 0
     SA creation requests: 0
     SA rekey requests: 0
     SA deletion requests: 0
     Next phase key allocation requests: 0
     Random number generation requests: 0
     Failed requests: 0
  [Other statistics]
     Encrypt packet requests: 0
     Encapsulate packet requests: 0
     Decrypt packet requests: 0
     Decapsulate packet requests: 0
     HMAC calculation requests: 6238
     SA creation requests: 0
     SA rekey requests: 0
     SA deletion requests: 0
     Next phase key allocation requests: 0
     Random number generation requests: 76
     Failed requests: 9
  gate-71# sh crypto ca trustpoints
  Trustpoint ASDM_TrustPoint0:
      Configured for self-signed certificate generation.
  Trustpoint ASDM_TrustPoint1:
      Configured for self-signed certificate generation.
  If you need something more, then lay out!
  Please explain why it is I do not want to work?

  When I launched a packet tracer from the CLI connection has gone! Hooray!
  I just do not understand why it had not launched with the same settings?
  As I understood MGTS finally required ports began to miss!

• Site to Site VPN on Cisco ASA

  Hello,
  I'm trying to set up a site to site VPN. I've never done this before and can't get it to work. I've watched training vids online and thought it looked straight forward enough. My problem appears to be that th ASA is not trying to create a tunnel. It doesn't seem to know that this traffic should be sent over the tunnel. Both the outside interfaces can ping one another and are on the same subnet.
  I've pasted the two configs below. They're just base configs with all the VPN commands having been created by the wizard. I've not put any routes in as the two devices are on the same subnet. If you can see my mistake I'd be very grateful to you if you could point it out or even point me in the right direction.
  Cheers,
  Tormod
  ciscoasa1
  : Saved
  : Written by enable_15 at 05:11:30.489 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa1
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.2
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.2 type ipsec-l2l
  tunnel-group 1.1.1.2 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65
  : end
  ciscoasa2
  : Saved
  : Written by enable_15 at 15:40:31.509 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa2
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.0
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1
  : end

  Thanks very much for your help Jouni. I came in this morning and ran the crypto map outside_map 1 set reverse-route command and everything started to work. I'm surprised the wizard didn't include that command but maybe it's because I didn't have a default route set.
  However, I now have a new problem. We're working towards migrating from ASA8.2 to 9.1. In order to prepare for this I've created a mock of our environment and am testing that everything works prior to making the changes. I can't get this site to site VPN to work. (The one I posted yesterday was just to get a basic site to site VPN working so that I could go from there)
  I've posted the debug from the ASA to which I'm trying to connect. To my undtrained eye it looks like it completes phase one but fails to match a vpn tunnel map. I'm coming from 10.99.99.99 going to 10.1.1.57
  Hope you can help as I'm going nuts here. Although I will of course understand if you've something better to do with your time than bail me out.
  access-list 1111_cryptomap extended permit ip 10.1.1.0 255.255.255.0 Private1 255.255.255.0
  access-list 1111_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.1.1.0 255.255.255.0
  crypto map vpntunnelmap 1 match address 1111_cryptomap
  crypto map vpntunnelmap 1 set pfs
  crypto map vpntunnelmap 1 set peer 1.1.1.1
  crypto map vpntunnelmap 1 set transform-set ESP-3DES-MD5
  ciscoasa# debug crypto isakmp 255
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 00 00 00 00 00 00 00 00    |  ...?:...........
  01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 84    |  ................
  00 00 00 01 00 00 00 01 00 00 00 78 01 01 00 03    |  ...........x....
  03 00 00 24 01 01 00 00 80 04 00 02 80 01 00 05    |  ...$............
  80 02 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04    |  ................
  00 00 70 80 03 00 00 28 02 01 00 00 80 04 00 02    |  ..p....(........
  80 01 00 07 80 0e 00 c0 80 02 00 02 80 03 00 01    |  ................
  80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24    |  ..........p....$
  03 01 00 00 80 04 00 02 80 01 00 05 80 02 00 01    |  ................
  80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80    |  ..............Q.
  0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5    |  ........>.in.c..
  ec 42 7b 1f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f    |  .B{.....}...S..o
  2c 17 9d 92 15 52 9d 56 0d 00 00 14 4a 13 1c 81    |  ,....R.V....J...
  07 03 58 45 5c 57 28 f2 0e 95 45 2f 00 00 00 18    |  ..XE\W(...E/....
  40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3    |  @H..n...%.....
  c0 00 00 00                                        |  ....
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 00 00 00 00 00 00 00 00
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 244
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 132
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 120
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 3
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 36
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 40
          Transform #: 2
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: AES-CBC
          Key Length: 192
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 36
          Transform #: 3
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: MD5
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 01 51 80
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Oakley proposal is acceptable
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 02 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 03 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal RFC VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Fragmentation VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing IKE SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ISAKMP SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Fragmentation VID + extended capabilities payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 104
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 52
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 1
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 32
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Group Description: Group 2
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 70 80
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  04 10 02 00 00 00 00 00 00 00 01 00 0a 00 00 84    |  ................
  00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3    |  ..*M.c.\......a.
  f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53    |  ...uc#?Y..WKY.`S
  0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa    |  ...+.1.uFW.[L...
  a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0    |  ..J.bh.ULT.ys...
  09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4    |  ...Z?.....M..{|.
  cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb    |  .....0[/O.V.....
  b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05    |  .... .A:........
  fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa    |  ......J.........
  0d 00 00 18 bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04    |  ........7..w....
  de c9 d3 1a b0 6f ee a8 0d 00 00 14 12 f5 f2 8c    |  .....o..........
  45 71 68 a9 70 2d 9f e2 74 cc 01 00 0d 00 00 0c    |  Eqh.p-..t.......
  09 00 26 89 df d6 b7 12 0d 00 00 14 2e 41 69 22    |  ..&..........Ai"
  3a a8 e7 0a cd 38 ba 43 ed f2 db 2c 00 00 00 14    |  :....8.C...,....
  1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00    |  .....e.....T*P..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3
        f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53
        0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa
        a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0
        09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4
        cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb
        b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05
        fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 de c9 d3 1a
        b0 6f ee a8
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        2e 41 69 22 3a a8 e7 0a cd 38 ba 43 ed f2 db 2c
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ISA_KE payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Cisco Unity client VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received xauth V6 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Cisco Unity VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing xauth V6 VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send IOS VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Generating keys for Responder...
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        27 62 7f 00 84 06 59 07 28 a1 05 9f 2a 13 ad ff
        47 10 99 27 68 01 2a c8 06 52 b8 55 0c 7d 82 3d
        31 94 0d 68 aa 98 5e 60 ee 2b 37 a5 0f ca 06 5c
        2a f7 83 bb 2e 8b 53 13 49 8b 4e 4c bf d1 34 67
        df ff 50 5b ab e9 f2 12 cb bd c2 0c ab 95 3a 39
        ca 60 31 7a d4 80 80 b6 0c 85 3e f5 16 fb f5 f8
        27 5d 28 b9 b1 2e b3 35 79 1a 9e f7 fd 13 8f f4
        5f 5d 53 93 74 6d d1 60 97 ca d2 bc b3 b4 e6 03
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        a7 f8 48 c1 98 b4 cb 02 79 de ae 6e 59 3d 23 cb
        4c a1 7b 44
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        99 8a 8b d3 68 02 55 58 44 16 79 1c 51 be 23 8f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 01 00 00 00 00 00 00 00 64 8f a8 6e 03    |  ...........d..n.
  81 b9 24 e5 f0 ba ca 1a 0f fa 5a a1 3c 2d 61 1a    |  ..$.......Z.<-a.
  7d 48 b0 0c 7f 09 bc 82 9b b1 25 b4 f6 04 45 a0    |  }H......%...E.
  13 12 27 ff 7a 41 9f e9 8e 96 c2 80 b9 59 b0 ec    |  ..'.zA.......Y..
  40 e3 95 4d 96 ef eb ce e2 fb d9 45 83 50 0d e7    |  @..M.......E.P..
  9c c7 70 7f                                        |  ..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.2
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        f4 40 eb 6b 55 f0 19 cd 10 81 e6 53 cf 23 75 c5
        45 ab 7f 3d
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
  1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Received DPD VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing ID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing dpd vid payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c    |  ................
  01 11 01 f4 c2 9f 09 02 80 00 00 18 58 00 80 06    |  ............X...
  e9 66 ba 20 1e ba 79 c8 16 85 2d 2f a0 96 b4 e5    |  .f. ..y...-/....
  0d 00 00 0c 80 00 7f ff 80 00 7f ff 00 00 00 14    |  ............
  af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00    |  ....h...k...wW..
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 469762048
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.1
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        58 00 80 06 e9 66 ba 20 1e ba 79 c8 16 85 2d 2f
        a0 96 b4 e5
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 27360 seconds.
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  08 10 20 01 56 e5 a4 1e 00 00 01 4c d2 44 3e 24    |  .. .V......L.D>$
  87 96 a1 fe d1 a3 d3 a3 ed 59 45 2d 53 be 17 9f    |  .........YE-S...
  42 72 2b a3 5f f8 5e 41 5a 62 25 0c 5d bf 6c 2a    |  Br+._.^AZb%.].l*
  e6 e0 1f 77 d5 ed c8 1c 06 cb ef f2 58 07 1d 35    |  ...w........X..5
  a9 d5 7b 86 24 05 88 32 e7 33 6f f2 f7 9d 70 07    |  ..{.$..2.3o...p.
  18 40 51 77 7d 7e 6c 77 55 d9 18 7a 57 5d b9 88    |  .@Qw}~lwU..zW]..
  6c a6 d5 f3 60 5e 14 4f da cb 42 65 88 d6 75 0e    |  l...`^.O..Be..u.
  22 1c bb 89 1f 57 bd c2 f2 46 30 31 30 9c 63 e6    |  "....W...F010.c.
  e2 e9 5b 68 71 f2 ed 69 f1 eb a7 65 2d b2 31 85    |  ..[hq..i...e-.1.
  31 93 0a c1 21 44 57 de ad 8b 79 5e 3d 36 5c 44    |  1...!DW...y^=6\D
  88 23 a8 44 76 2c d6 c2 ed 31 2d 69 b1 50 26 9f    |  .#.Dv,...1-i.P&.
  ee 48 3e c4 dd 0d 40 8f 65 d2 fb 82 19 42 b7 0f    |  .H>[email protected]..
  a0 74 b3 e6 df dd 16 c4 fa ca bf d2 b6 33 b0 5f    |  .t...........3._
  d6 59 4f 6a 84 9e 0d 76 a4 d6 d3 94 67 bc 9c df    |  .YOj...v....g...
  33 20 48 61 d7 80 b6 97 0d a9 32 48 7d 5b 79 8b    |  3 Ha......2H}[y.
  7b bc e0 9b b4 5d ed 49 04 6b 5d 72 d7 5b 82 90    |  {....].I.k]r.[..
  47 e5 65 64 a9 25 ce 2f 3f a2 ca 98 b1 0b ff 01    |  G.ed.%./?.......
  9c 32 64 5c dd 9c 26 71 c4 59 cd 52 da 1f b9 23    |  .2d\..&q.Y.R...#
  32 dd d8 a5 d1 1c 2a d0 0f ef 2b 26 66 c0 14 48    |  2.....*...+&f..H
  52 35 3a ee 36 a6 00 df a5 d6 6b 42                |  R5:.6.....kB
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
  Jun 20 16:29:42 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 56e5a41e
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
    Payload Hash
      Next Payload: Security Association
      Reserved: 00
      Payload Length: 24
      Data:
        78 09 81 d2 54 22 37 a1 b0 a8 53 cf df d4 1e fb
        4a 7b 99 f7
    Payload Security Association
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 64
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 52
        Proposal #: 1
        Protocol-Id: PROTO_IPSEC_ESP
        SPI Size: 4
        # of transforms: 1
        SPI: b2 c1 66 6e
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 40
          Transform #: 1
          Transform-Id: ESP_3DES
          Reserved2: 0000
          Life Type: Seconds
          Life Duration (Hex): 70 80
          Life Type: Kilobytes
          Life Duration (Hex): 00 46 50 00
          Encapsulation Mode: Tunnel
          Authentication Algorithm: MD5
          Group Description: Group 2
    Payload Nonce
      Next Payload: Key Exchange
      Reserved: 00
      Payload Length: 24
      Data:
        1e 43 34 fa cc 9f 77 65 45 7c b6 18 2f 18 fd a9
        86 e6 58 42
    Payload Key Exchange
      Next Payload: Identification
      Reserved: 00
      Payload Length: 132
      Data:
        3c 26 4c 94 68 33 4b 2d ce 37 4a d2 8c 62 ab 6b
        e6 d4 d2 8a df 70 bc 67 62 ca 96 8c 3b 30 cd 58
        54 55 71 0f 9e bc da 63 a9 68 86 fd ba 7a 13 f3
        e9 51 e9 a4 13 b0 b0 20 45 cf 1f 36 1e 95 95 c9
        dd 92 c9 cd 2b 33 2d 4b 7e bd ed d4 ec bf 54 b9
        6e 13 7f 17 dc 28 61 5d 46 fe 1d ba 88 e5 ca 70
        40 59 12 c1 0c 3a 51 7f ae 5f e2 95 73 bc c9 16
        67 ce 38 82 e7 b3 1b 6a 39 05 46 71 b8 da c3 57
    Payload Identification
      Next Payload: Identification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.99.99.0/255.255.255.0
    Payload Identification
      Next Payload: Notification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.1.1.0/255.255.255.0
    Payload Notification
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      DOI: IPsec
      Protocol-ID: PROTO_ISAKMP
      Spi Size: 16
      Notify Type: STATUS_INITIAL_CONTACT
      SPI:
        db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=56e5a41e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload:   Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 3...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 3, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 35...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 35, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 40...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 40, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 41...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 41, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface thus
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, sending notify message
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing blank hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7ecccf15) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55
  IKE Recv RAW packet dump

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• ASA 5505 Site-to-Site VPN to remote dmz access

  I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
  I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
  Lets call:
  Site 1 LAN: 192.168.1.0
  Site 2 LAN: 192.168.2.0
  Site 2 DMZ: 172.16.2.0
  Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in site 2s LAN (192.168.2.0/24).
  Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2s ASA. I called this object DMZ_WAP. IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8." Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
  I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
  Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
  I apologize, as I realize ASDM isnt what most of you probably use. But anyone have any ideas? Been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
  Thanks,
  Garrick

  Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site to site VPN. I can't let any other traffic through except this one IP. I currently have it NATd.
  ASA Version 8.4(1)
  no names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.21.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address -OMITTED- 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.16.21.1 255.255.255.0
  interface Ethernet0/0
  description Outside WAN1 port
  switchport access vlan 2
  interface Ethernet0/1
  description Inside LAN port
  interface Ethernet0/2
  description Inside LAN port
  interface Ethernet0/3
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/4
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/5
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/6
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/7
  description Outside DMZ port
  switchport access vlan 3
  boot system disk0:/asa841-k8.bin
  ftp mode passive
  clock timezone
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name -OMITTED-
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network net_SITE1_lan
  subnet 192.168.1.0 255.255.255.0
  object network net_SITE2_lan
  subnet 192.168.21.0 255.255.255.0
  object network net_SITE1_dmz
  subnet 172.16.1.0 255.255.255.0
  object network net_SITE2_dmz
  subnet 172.16.21.0 255.255.255.0
  object network SITE2_DMZ_WAP
  host 172.16.21.2
  object network 192.168.21.8
  host 192.168.21.8
  description FOR SITE2 WAP
  access-list inside_access_in extended permit ip object net_SITE2_lan any
  access-list inside_access_in extended deny tcp any any eq smtp
  access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
  pager lines 24
  logging enable
  logging buffer-size 16384
  logging buffered notifications
  logging asdm notifications
  no logging message 106015
  no logging message 313001
  no logging message 313008
  no logging message 106023
  no logging message 710003
  no logging message 106100
  no logging message 302015
  no logging message 302014
  no logging message 302013
  no logging message 302018
  no logging message 302017
  no logging message 302016
  no logging message 302021
  no logging message 302020
  flow-export destination inside 192.168.1.35 2055
  flow-export template timeout-rate 1
  flow-export delay flow-create 15
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-643.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SITE2_DMZ_WAP
  nat (dmz,any) static 192.168.21.8
  nat (inside,outside) after-auto source dynamic any interface
  nat (dmz,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication serial console LOCAL
  aaa authorization exec LOCAL
  http server enable
  http server idle-timeout 60
  http 192.168.0.0 255.255.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  snmp-server host inside 192.168.1.35 community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
  crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
  crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
  crypto map CMAP_OUTSIDE 1 set reverse-route
  crypto map CMAP_OUTSIDE interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.0.0 255.255.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  ssh version 2
  console timeout 60
  management-access inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd dns 192.168.2.2 192.168.1.6 interface inside
  dhcpd lease 34000 interface inside
  dhcpd domain -DOMAIN OMITTED- interface inside
  dhcpd update dns both interface inside
  dhcpd address 172.16.21.100-172.16.21.200 dmz
  dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
  dhcpd lease 34000 interface dmz
  dhcpd enable dmz
  priority-queue outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server -NTP SERVERS OMITTED-
  ntp server -NTP SERVERS OMITTED-
  webvpn
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username -OMITTED- password -OMITTED- encrypted privilege 15
  tunnel-group -IP OMITTED- type ipsec-l2l
  tunnel-group -IP OMITTED- general-attributes
  default-group-policy GroupPolicy1
  tunnel-group -IP OMITTED- ipsec-attributes
  ikev1 pre-shared-key *****
  isakmp keepalive threshold 10 retry 5
  class-map netflow-export-class
  match any
  class-map inspection_default
  match default-inspection-traffic
  class-map QoS_RDP
  match access-list QoS_RDP_Server_Branch
  class-map QoS_EA
  match port tcp eq 2000
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    policy-map global_policy
  class inspection_default
    inspect dns
    inspect ftp
    inspect http
    inspect icmp
    inspect icmp error
    inspect ils
    inspect ip-options
    inspect ipsec-pass-thru
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip 
    inspect snmp
    inspect xdmcp
  class netflow-export-class
    flow-export event-type all destination 192.168.1.35
  class QoS_RDP
    priority
  class QoS_EA
    priority
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Logoff

• Remote Access VPN with existing site-to-site tunnel

  Hi there!
  I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
  I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
  The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
  murasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
  *Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
  *Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
  *Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 256
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption AES-CBC
  *Oct 6 08:06:43: ISAKMP: keylength of 128
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash SHA
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct 6 08:06:43: ISAKMP: life type in seconds
  *Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
  *Oct 6 08:06:43: ISAKMP: encryption DES-CBC
  *Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
  *Oct 6 08:06:43: ISAKMP: hash MD5
  *Oct 6 08:06:43: ISAKMP: default group 2
  *Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
  *Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
  *Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
  *Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
  *Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
  *Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
  *Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
  *Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
  *Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
  *Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
  *Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
  *Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
  *Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
  *Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
  *Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
  If I specify my key like a site-to-site VPN key like this:
  crypto isakmp key xxx address 0.0.0.0
  Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
  Configuration:
  ! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
  version 15.2
  no service pad
  service timestamps debug datetime localtime
  service timestamps log datetime localtime
  service password-encryption
  no service dhcp
  hostname murasaki
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login client_vpn_authentication local
  aaa authorization network default local
  aaa authorization network client_vpn_authorization local
  aaa session-id common
  wan mode dsl
  clock timezone AEST 10 0
  clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
  ip inspect name normal_traffic tcp
  ip inspect name normal_traffic udp
  ip domain name router.xxx
  ip name-server xxx
  ip name-server xxx
  ip cef
  ipv6 unicast-routing
  ipv6 cef
  crypto pki trustpoint TP-self-signed-591984024
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-591984024
  revocation-check none
  rsakeypair TP-self-signed-591984024
  crypto pki trustpoint TP-self-signed-4045734018
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-4045734018
  revocation-check none
  rsakeypair TP-self-signed-4045734018
  crypto pki certificate chain TP-self-signed-591984024
  crypto pki certificate chain TP-self-signed-4045734018
  object-group network CLOUD_SUBNETS
  description Azure subnet
  172.16.0.0 255.252.0.0
  object-group network INTERNAL_LAN
  description All Internal subnets which should be allowed out to the Internet
  192.168.1.0 255.255.255.0
  192.168.20.0 255.255.255.0
  username timothy privilege 15 secret 5 xxx
  controller VDSL 0
  ip ssh version 2
  no crypto isakmp default policy
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  lifetime 28800
  crypto isakmp key xxx address xxxx no-xauth
  crypto isakmp client configuration group VPN_CLIENTS
  key xxx
  dns 192.168.1.24 192.168.1.20
  domain xxx
  pool Client-VPN-Pool
  acl CLIENT_VPN
  crypto isakmp profile Client-VPN
  description Remote Client IPSec VPN
  match identity group VPN_CLIENTS
  client authentication list client_vpn_authentication
  isakmp authorization list client_vpn_authorization
  client configuration address respond
  crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto dynamic-map ClientVPNCryptoMap 1
  set transform-set TRANS_3DES_SHA
  set isakmp-profile Client-VPN
  reverse-route
  qos pre-classify
  crypto map AzureCryptoMap 12 ipsec-isakmp
  set peer xxxx
  set security-association lifetime kilobytes 102400000
  set transform-set AzureIPSec
  match address AzureEastUS
  crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
  bridge irb
  interface ATM0
  mtu 1492
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  interface Ethernet0
  no ip address
  shutdown
  interface FastEthernet0
  switchport mode trunk
  no ip address
  interface FastEthernet1
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  switchport mode trunk
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  no ip address
  interface GigabitEthernet0
  switchport mode trunk
  no ip address
  interface GigabitEthernet1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface Vlan1
  description Main LAN
  ip address 192.168.1.97 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer1
  mtu 1492
  ip address negotiated
  ip access-group PORTS_ALLOWED_IN in
  ip flow ingress
  ip inspect normal_traffic out
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  ip tcp adjust-mss 1350
  dialer pool 1
  dialer-group 1
  ipv6 address autoconfig
  ipv6 enable
  ppp chap hostname xxx
  ppp chap password 7 xxx
  ppp ipcp route default
  no cdp enable
  crypto map AzureCryptoMap
  ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
  no ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat translation timeout 360
  ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
  ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
  ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
  ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
  ip access-list extended AzureEastUS
  permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
  ip access-list extended CLIENT_VPN
  permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
  ip access-list extended PORTS_ALLOWED_IN
  remark List of ports which are allowed IN
  permit gre any any
  permit esp any any
  permit udp any any eq non500-isakmp
  permit udp any any eq isakmp
  permit tcp any any eq 55663
  permit udp any any eq 55663
  permit tcp any any eq 22
  permit tcp any any eq 5723
  permit tcp any any eq 1723
  permit tcp any any eq 443
  permit icmp any any echo-reply
  permit icmp any any traceroute
  permit icmp any any port-unreachable
  permit icmp any any time-exceeded
  deny ip any any
  ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
  deny tcp object-group INTERNAL_LAN any eq smtp
  deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
  permit tcp object-group INTERNAL_LAN any
  permit udp object-group INTERNAL_LAN any
  permit icmp object-group INTERNAL_LAN any
  deny ip any any
  mac-address-table aging-time 16
  no cdp run
  ipv6 route ::/0 Dialer1
  route-map NoNAT permit 10
  match ip address AzureEastUS CLIENT_VPN
  route-map NoNAT permit 15
  banner motd Welcome to Murasaki
  line con 0
  privilege level 15
  no modem enable
  line aux 0
  line vty 0
  privilege level 15
  no activation-character
  transport preferred none
  transport input ssh
  line vty 1 4
  privilege level 15
  transport input ssh
  scheduler max-task-time 5000
  scheduler allocate 60000 1000
  ntp update-calendar
  ntp server au.pool.ntp.org
  end
  Any ideas on what I'm doing wrong?

  Hi Marius,
  I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
  *Oct  9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
  *Oct  9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
  *Oct  9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
  *Oct  9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
  *Oct  9 20:43:16: ISAKMP: local port 500, remote port 49727
  *Oct  9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
  *Oct  9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP (0): ID payload
      next-payload : 13
      type         : 11
      group id     : timothy
      protocol     : 17
      port         : 500
      length       : 15
  *Oct  9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is DPD
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
  *Oct  9 20:43:16: ISAKMP:(0): processing vendor id payload
  *Oct  9 20:43:16: ISAKMP:(0): vendor ID is Unity
  *Oct  9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
  *Oct  9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 256
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption AES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:      keylength of 128
  *Oct  9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash SHA
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption 3DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
  *Oct  9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
  *Oct  9 20:43:16: ISAKMP:      encryption DES-CBC
  *Oct  9 20:43:16: ISAKMP:      hash MD5
  *Oct  9 20:43:16: ISAKMP:      default group 2
  *Oct  9 20:43:16: ISAKMP:      auth pre-share
  *Oct  9 20:43:16: ISAKMP:      life type in seconds
  *Oct  9 20:43:16: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
  *Oct  9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
  *Oct  9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
  *Oct  9 20:43:16: ISAKMP:(0):no offers accepted!
  *Oct  9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
  *Oct  9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
  *Oct  9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
  *Oct  9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Oct  9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
  *Oct  9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
  *Oct  9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
  *Oct  9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
  *Oct  9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
  *Oct  9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
  *Oct  9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
  *Oct  9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
  *Oct  9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Oct  9 20:43:16: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
  *Oct  9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
  *Oct  9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
  *Oct  9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Cisco ASA & Router Site to Site VPN up but not passing traffic

  Dear all,
  Please help me the attached document vpn issue, site-to-site vpn is up but I am not able to passing traffic.
  Advance Thanks
  ahossain

  ASA#
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  ==================================================================
  Remote-Router#
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane

• Site-to-Site VPN btw Pix535 and Router 2811, can't get it work

  Hi, every one,  I spent couple of days trying to make  a site-to-site VPN between PIX535 and router 2811 work but come up empty handed, I followed instructions here:
  http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
  #1: PIX config:
  : Saved
  : Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
  PIX Version 8.0(4)
  hostname pix535
  interface GigabitEthernet0
  description to-cable-modem
  nameif outside
  security-level 0
  ip address X.X.138.132 255.255.255.0
  ospf cost 10
  interface GigabitEthernet1
  description inside  10/16
  nameif inside
  security-level 100
  ip address 10.1.1.254 255.255.0.0
  ospf cost 10
  access-list outside_access_in extended permit ip any any
  access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
  access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
  access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  pager lines 24
  ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
  global (outside) 10 interface
  global (outside) 15 1.2.4.5
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 15 10.1.0.0 255.255.0.0
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
  crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
  crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
  crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer X.X.21.29
  crypto map outside_map 1 set transform-set ESP-DES-SHA
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp identity hostname
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 1
  lifetime 86400
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp nat-traversal 3600
  group-policy GroupPolicy1 internal
  group-policy cnf-vpn-cls internal
  group-policy cnf-vpn-cls attributes
  wins-server value 10.1.1.7
  dns-server value 10.1.1.7 10.1.1.205
  vpn-tunnel-protocol IPSec l2tp-ipsec
  default-domain value x.com
  username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key secret1
  radius-sdi-xauth
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group cnf-vpn-cls type remote-access
  tunnel-group cnf-vpn-cls general-attributes
  address-pool cnf-8-ip
  default-group-policy cnf-vpn-cls
  tunnel-group cnf-vpn-cls ipsec-attributes
  pre-shared-key secret2
  isakmp ikev1-user-authentication none
  tunnel-group cnf-vpn-cls ppp-attributes
  authentication ms-chap-v2
  tunnel-group X.X.21.29 type ipsec-l2l
  tunnel-group X.X.21.29 ipsec-attributes
  pre-shared-key SECRET
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
  : end
  #2:  Router 2811 config:
  ! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
  ! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname LA-2800
  crypto pki trustpoint TP-self-signed-1411740556
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1411740556
  revocation-check none
  rsakeypair TP-self-signed-1411740556
  crypto pki certificate chain TP-self-signed-1411740556
  certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31343131 37343035 3536301E 170D3132 31303136 32303435
    30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313137
    34303535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100F75F F1BDAD9B DE9381FD 165B5188 7EAF9685 CF15A317 1B424825 9C66AA28
    C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 84373199 C4BCF9E0
    E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
    A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
    35AF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
    551D1104 0B300982 074C412D 32383030 301F0603 551D2304 18301680 14B56EEB
    88054CCA BB8CF8E8 F44BFE2C B77954E1 52301D06 03551D0E 04160414 B56EEB88
    054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300D0609 2A864886 F70D0101 04050003
    81810056 58755C56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D20452
    E7F40F42 8B355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
    310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
    659C4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322
              quit
  crypto isakmp policy 1
  authentication pre-share
  crypto isakmp key SECRET address X.X.138.132 no-xauth
  crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
  crypto map la-2800-ipsec-policy 1 ipsec-isakmp
  description vpn ipsec policy
  set peer X.X.138.132
  set transform-set la-2800-trans-set
  match address 101
  interface FastEthernet0/0
  description WAN Side
  ip address X.X.216.29 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  no cdp enable
  no mop enabled
  crypto map la-2800-ipsec-policy
  interface FastEthernet0/1
  description LAN Side
  ip address 10.20.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed auto
  no mop enabled
  ip nat inside source route-map nonat interface FastEthernet0/0 overload
  access-list 10 permit X.X.138.132
  access-list 99 permit 64.236.96.53
  access-list 99 permit 98.82.1.202
  access-list 101 remark vpn tunnerl acl
  access-list 101 remark SDM_ACL Category=4
  access-list 101 remark tunnel policy
  access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  access-list 110 permit ip 10.20.0.0 0.0.0.255 any
  snmp-server community public RO
  route-map nonat permit 10
  match ip address 110
  webvpn gateway gateway_1
  ip address X.X.216.29 port 443
  ssl trustpoint TP-self-signed-1411740556
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context gateway-1
  title "b"
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  policy group policy_1
     functions svc-enabled
     svc address-pool "WebVPN-Pool"
     svc keep-client-installed
     svc split include 10.20.0.0 255.255.0.0
  default-group-policy policy_1
  gateway gateway_1
  inservice
  end
  #3:  Test from Pix to router:
  Active SA:    1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: X.X.21.29
      Type    : user            Role    : initiator
      Rekey   : no              State   : MM_WAIT_MSG2
  >>DEBUG:
  Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
  Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
  #4:  test from router to pix:
  LA-2800#sh  crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id slot status
  X.X.138.132  X.X.216.29  MM_KEY_EXCH       1017    0 ACTIVE
  >>debug
  LA-2800#ping 10.1.1.7 source 10.20.1.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
  Packet sent with a source address of 10.20.1.1
  Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
  Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
  Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
  Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
  Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
  Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE     
  Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
  Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
  Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
  Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
  Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
  Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
  Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
  Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
  Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
  Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
  Oct 22 16:24:34.053: ISAKMP:      hash SHA
  Oct 22 16:24:34.053: ISAKMP:      default group 1
  Oct 22 16:24:34.053: ISAKMP:      auth pre-share
  Oct 22 16:24:34.053: ISAKMP:      life type in seconds
  Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
  Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
  Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
  Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
  Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
  Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
  Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
  Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
  Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
  Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
  Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
  Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
  Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
  Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
  Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
  Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
  Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
  Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
  Oct 22 16:24:34.221: ISAKMP:received payload type 20
  Oct 22 16:24:34.221: ISAKMP:received payload type 20
  Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
  Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
  next-payload : 8
  type         : 1
  address      : X.X.216.29
  protocol     : 17
  port         : 500
  length       : 12
  Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
  Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
  Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
  Success rate is 0 percent (0/5)
  LA-2800#
  Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
  Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
  Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
  Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
  Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
  Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE     
  Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
  Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
  Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
  Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
  Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
  Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
  Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
  Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
  Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
  Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
  Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
  Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
  ****** The PIX is also used    VPN client access  , such as  Cicso VPN client  5.0, working fine ; Router is  used as  SSL VPN server, working too
  I know there are lots of data here, hopefully these data may be useful for   diagnosis purpose.
  Any suggestions and advices are greatly appreciated.
  Sean

  Hi Sean,
  Current configuration:
  On the PIX:
  crypto isakmp policy 5
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer X.X.21.29
  crypto map outside_map 1 set transform-set ESP-DES-SHA
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
  tunnel-group X.X.21.29 type ipsec-l2l
  tunnel-group X.X.21.29 ipsec-attributes
       pre-shared-key SECRET
  On the Router:
  crypto isakmp policy 1
        authentication pre-share
  crypto map la-2800-ipsec-policy 1 ipsec-isakmp
        description vpn ipsec policy    
        set peer X.X.138.132
        set transform-set la-2800-trans-set
        match address 101
  access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
  crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
  crypto isakmp key SECRET address X.X.138.132 no-xauth
  Portu.
  Please rate any helpful posts
  Message was edited by: Javier Portuguez

• Not able to estabislt phase1 of site-to-site VPN

  Hi Experts,
  Site-B(router)------Modem------Internet--------Site-A(router)
  I'm trying to create a Ipsec Site-to-stie VPN between cisco2900 & cisco 861 and below is the scenario. kindly find the connectivity diagram in attached files.
  The issue is there is a modem provided by ISP on Site-B and cisco 861 router is connected back to that modem and the connection is given through RJ11 and there is no ADSL port available on Site-B router.
  Based on above mentioned scenario here is config
  Site B:-
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key CITDENjan2014 address 80.227.xx.xx
  crypto ipsec transform-set ETH-to-Dxb esp-3des esp-md5-hmac
   mode tunnel
  crypto map VPN 1 ipsec-isakmp
   set peer 80.227.xx.xx
   set transform-set ETH-to-Dxb
   match address 110
  interface fa 4
  ip address 192.168.1.254 255.255.255.0
  crypto map VPN
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
  ip access-list ext 110
  permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
  Kindly find screenshots of ADSL modem for below information
  Configuration on LAN interface of ADSL modem with dual ip address
  i have done port forwarding on modem, though i haven't done port forwarding before so i'm not sure it's correct or not.
  Site-A router Config:-
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key CITDENjan2014 address 197.156.xx.xx
  crypto ipsec transform-set Dxb-to-ETH esp-3des esp-md5-hmac
   mode tunnel
  crypto map Dxb-to-Nigeria 20 ipsec-isakmp
   set peer 197.156.xx.xx
   set transform-set Dxb-to-ETH
   match address 120
  interface GigabitEthernet0/1
  ip address 80.227.xx.xx 255.255.255.252
  crypto map Dxb-to-Nigeria
  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
  access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 101 permit ip 192.168.10.0 0.0.0.255 any
  ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  Logs on Site-B router:-
  *Apr 16 13:02:06.735: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (N) NEW SA
  *Apr 16 13:02:06.735: ISAKMP: Created a peer struct for 80.227.xx.xx, peer port 1
  *Apr 16 13:02:06.735: ISAKMP: New peer created peer = 0x886B0310 peer_handle = 0x8000001D
  *Apr 16 13:02:06.735: ISAKMP: Locking peer struct 0x886B0310, refcount 1 for crypto_isakmp_process_block
  *Apr 16 13:02:06.735: ISAKMP: local port 500, remote port 1
  *Apr 16 13:02:06.735: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88776A88
  *Apr 16 13:02:06.735: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:02:06.735: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  *Apr 16 13:02:06.735: ISAKMP:(0): processing SA payload. message ID = 0
  *Apr 16 13:02:06.735: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:02:06.735: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16
  ETH-CIT# 13:02:06.735: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.735: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
  *Apr 16 13:02:06.739: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
  *Apr 16 13:02:06.739: ISAKMP:(0): local preshared key found
  *Apr 16 13:02:06.739: ISAKMP : Scanning profiles for xauth ...
  *Apr 16 13:02:06.739: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Apr 16 13:02:06.739: ISAKMP:      encryption 3DES-CBC
  *Apr 16 13:02:06.739: ISAKMP:      hash MD5
  *Apr 16 13:02:06.739: ISAKMP:      default group 2
  *Apr 16 13:02:06.739: ISAKMP:      auth pre-share
  *Apr 16 13:02:06.739: ISAKMP:      life type in seconds
  *Apr 16 13:02:06.739: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Apr 16 13:02:06.739: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:actual life: 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Acceptable atts:life: 0
  *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa vpi_length:4
  *Apr 16 13:02:06.739: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  *Apr 16 13:02:06.739: ISAKMP:(0):Returning Actual lifetime: 86400
  *Apr 16 13:02:06.739: ISAKMP:(0)::Started lifetime timer: 86400.
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
  *Apr 16 13:02:06.739: ISAKMP (0): vendor ID is NAT-T v7
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v3
  *Apr 16 13:02:06.739: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  *Apr 16 13:02:06.739: ISAKMP:(0): vendor ID is NAT-T v2
  *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  *Apr 16 13:02:06.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Apr 16 13:02:06.739: ISAKMP:(0): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_SA_SETUP
  *Apr 16 13:02:06.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:02:06.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:02:06.739: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
  *Apr 16 13:02:06.995: ISAKMP (0): received packet from 80.227.xx.xx dport 500 sport 1 Global (R) MM_SA_SETUP
  *Apr 16 13:02:06.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:02:06.999: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
  *Apr 16 13:02:06.999: ISAKMP:(0): processing KE payload. message ID = 0
  *Apr 16 13:02:07.027: ISAKMP:(0): processing NONCE payload. message ID = 0
  *Apr 16 13:02:07.027: ISAKMP:(0):found peer pre-shared key matching 80.227.xx.xx
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is DPD
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): speaking to another IOS box!
  *Apr 16 13:02:07.027: ISAKMP:(2028): processing vendor id payload
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID seems Unity/DPD but major 241 mismatch
  *Apr 16 13:02:07.027: ISAKMP:(2028): vendor ID is XAUTH
  *Apr 16 13:02:07.027: ISAKMP:received payload type 20
  *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
  *Apr 16 13:02:07.027: ISAKMP:received payload type 20
  *Apr 16 13:02:07.027: ISAKMP (2028): NAT found, both nodes inside NAT
  *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM3
  *Apr 16 13:02:07.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
  *Apr 16 13:02:07.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
  *Apr 16 13:02:07.027: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:02:07.027: ISAKMP:(2028):Old State = IKE_R_MM3  New State = IKE_R_MM4
  ETH-CIT#
  ETH-CIT#
  *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:02:17.027: ISAKMP (2028): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Apr 16 13:02:17.027: ISAKMP:(2028): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:02:17.027: ISAKMP:(2028): sending packet to 80.227.xx.xx my_port 500 peer_port 1 (R) MM_KEY_EXCH
  *Apr 16 13:02:17.027: ISAKMP:(2028):Sending an IKE IPv4 Packet.
  Logs on Site-A router:-
  *Apr 16 13:15:28.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:15:28.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:15:28.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
  *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:28.609: ISAKMP (1263): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  *Apr 16 13:15:28.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:15:28.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:15:28.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
  DXB-CIT#
  *Apr 16 13:15:38.109: ISAKMP (1263): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:15:38.109: ISAKMP:(1263): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:15:38.109: ISAKMP:(1263): retransmitting due to retransmit phase 1
  *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:38.609: ISAKMP (1263): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  *Apr 16 13:15:38.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:15:38.609: ISAKMP:(1263): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:15:38.609: ISAKMP:(1263):Sending an IKE IPv4 Packet.
  DXB-CIT#
  *Apr 16 13:15:47.593: ISAKMP: set new node 0 to QM_IDLE      
  *Apr 16 13:15:47.593: ISAKMP:(1263):SA is still budding. Attached new ipsec request to it. (local 80.227.xx.xx, remote 197.156.xx.xx)
  *Apr 16 13:15:47.593: ISAKMP: Error while processing SA request: Failed to initialize SA
  *Apr 16 13:15:47.593: ISAKMP: Error while processing KMI message 0, error 2.
  *Apr 16 13:15:48.609: ISAKMP:(1263): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:15:48.609: ISAKMP:(1263):peer does not do paranoid keepalives.
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 197.156.xx.xx)
  *Apr 16 13:15:48.609: ISAKMP: Unlocking peer struct 0x23193AD4 for isadb_mark_sa_deleted(), count 0
  *Apr 16 13:15:48.609: ISAKMP: Deleting peer node by peer_reap for 197.156.xx.xx: 23193AD4
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1134682361 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 680913363 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):deleting node 1740991762 error FALSE reason "IKE deleted"
  *Apr 16 13:15:48.609: ISAKMP:(1263):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  *Apr 16 13:15:48.609: ISAKMP:(1263):Old State = IKE_I_MM5  New State = IKE_DEST_SA
  DXB-CIT#
  DXB-CIT#shoc  cry
  DXB-CIT#sho cry isa sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  197.156.xx.xx  80.227.xx.xx   MM_NO_STATE       1263 ACTIVE (deleted)
  IPv6 Crypto ISAKMP SA
  *Apr 16 13:16:17.593: IPSEC(key_engine): request timer fired: count = 2,
    (identity) local= 80.227.xx.xx:0, remote= 197.156.xx.xx:0,
      local_proxy= 192.168.10.0/255.255.255.0/256/0,
      remote_proxy= 192.168.1.0/255.255.255.0/256/0
  *Apr 16 13:16:17.609: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 80.227.xx.xx:500, remote= 197.156.xx.xx:500,
      local_proxy= 192.168.10.0/255.255.255.0/256/0,
      remote_proxy= 192.168.1.0/255.255.255.0/256/0,
      protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
  *Apr 16 13:16:17.609: ISAKMP:(0): SA request profile is (NULL)
  *Apr 16 13:16:17.609: ISAKMP: Created a peer struct for 197.156.xx.xx, peer port 500
  *Apr 16 13:16:17.609: ISAKMP: New peer created peer = 0x23193AD4 peer_handle = 0x80001862
  *Apr 16 13:16:17.609: ISAKMP: Locking peer struct 0x23193AD4, refcount 1 for isakmp_initiator
  *Apr 16 13:16:17.609: ISAKMP: local port 500, remote port 500
  *Apr 16 13:16:17.609: ISAKMP: set new node 0 to QM_IDLE      
  *Apr 16 13:16:17.609: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 270A2FD0
  *Apr 16 13:16:17.609: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  *Apr 16 13:16:17.609: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-07 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-03 ID
  *Apr 16 13:16:17.609: ISAKMP:(0): constructed NAT-T vendor-02 ID
  *Apr 16 13:16:17.609: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  *Apr 16 13:16:17.609: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  *Apr 16 13:16:17.609: ISAKMP:(0): beginning Main Mode exchange
  *Apr 16 13:16:17.609: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
  *Apr 16 13:16:17.609: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:17.865: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_NO_STATE
  *Apr 16 13:16:17.865: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:16:17.865: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  *Apr 16 13:16:17.865: ISAKMP:(0): processing SA payload. message ID = 0
  *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:16:17.869: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:17.869: ISAKMP:(0): local preshared key found
  *Apr 16 13:16:17.869: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profile-1
  *Apr 16 13:16:17.869: ISAKMP:(0): Authentication by xauth preshared
  *Apr 16 13:16:17.869: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
  *Apr 16 13:16:17.869: ISAKMP:      encryption 3DES-CBC
  *Apr 16 13:16:17.869: ISAKMP:      hash MD5
  *Apr 16 13:16:17.869: ISAKMP:      default group 2
  *Apr 16 13:16:17.869: ISAKMP:      auth pre-share
  *Apr 16 13:16:17.869: ISAKMP:      life type in seconds
  *Apr 16 13:16:17.869: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  *Apr 16 13:16:17.869: ISAKMP:(0):atts are acceptable. Next payload is 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:actual life: 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Acceptable atts:life: 0
  *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa vpi_length:4
  *Apr 16 13:16:17.869: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  *Apr 16 13:16:17.869: ISAKMP:(0):Returning Actual lifetime: 86400
  *Apr 16 13:16:17.869: ISAKMP:(0)::Started lifetime timer: 86400.
  *Apr 16 13:16:17.869: ISAKMP:(0): processing vendor id payload
  *Apr 16 13:16:17.869: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
  *Apr 16 13:16:17.869: ISAKMP (0): vendor ID is NAT-T RFC 3947
  *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  *Apr 16 13:16:17.869: ISAKMP:(0): sending packet to 197.156.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP
  *Apr 16 13:16:17.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:17.869: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:16:17.869: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  *Apr 16 13:16:18.157: ISAKMP (0): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_SA_SETUP
  *Apr 16 13:16:18.157: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  *Apr 16 13:16:18.157: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  *Apr 16 13:16:18.157: ISAKMP:(0): processing KE payload. message ID = 0
  *Apr 16 13:16:18.181: ISAKMP:(0): processing NONCE payload. message ID = 0
  *Apr 16 13:16:18.181: ISAKMP:(0):found peer pre-shared key matching 197.156.xx.xx
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is Unity
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.181: ISAKMP:(1264): vendor ID is DPD
  *Apr 16 13:16:18.181: ISAKMP:(1264): processing vendor id payload
  *Apr 16 13:16:18.185: ISAKMP:(1264): speaking to another IOS box!
  *Apr 16 13:16:18.185: ISAKMP:received payload type 20
  *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
  *Apr 16 13:16:18.185: ISAKMP:received payload type 20
  *Apr 16 13:16:18.185: ISAKMP (1264): NAT found, both nodes inside NAT
  *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM4
  *Apr 16 13:16:18.185: ISAKMP:(1264):Send initial contact
  *Apr 16 13:16:18.185: ISAKMP:(1264):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  *Apr 16 13:16:18.185: ISAKMP (1264): ID payload
  next-payload : 8
  type         : 1
  address      : 80.227.xx.xx
  protocol     : 17
  port         : 0
  length       : 12
  *Apr 16 13:16:18.185: ISAKMP:(1264):Total payload length: 12
  *Apr 16 13:16:18.185: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:16:18.185: ISAKMP:(1264):Sending an IKE IPv4 Packet.
  *Apr 16 13:16:18.185: ISAKMP:(1264):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  *Apr 16 13:16:18.185: ISAKMP:(1264):Old State = IKE_I_MM4  New State = IKE_I_MM5
  DXB-CIT#
  *Apr 16 13:16:28.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:16:28.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:16:28.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
  *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:16:28.657: ISAKMP (1264): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  *Apr 16 13:16:28.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:16:28.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  DXB-CIT#
  *Apr 16 13:16:28.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#u all
  All possible debugging has been turned off
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:16:38.157: ISAKMP (1264): received packet from 197.156.xx.xx dport 500 sport 500 Global (I) MM_KEY_EXCH
  *Apr 16 13:16:38.157: ISAKMP:(1264): phase 1 packet is a duplicate of a previous packet.
  *Apr 16 13:16:38.157: ISAKMP:(1264): retransmitting due to retransmit phase 1
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1134682361
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 680913363
  *Apr 16 13:16:38.609: ISAKMP:(1263):purging node 1740991762
  *Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH...
  *Apr 16 13:16:38.657: ISAKMP (1264): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  DXB-CIT#
  *Apr 16 13:16:38.657: ISAKMP:(1264): retransmitting phase 1 MM_KEY_EXCH
  *Apr 16 13:16:38.657: ISAKMP:(1264): sending packet to 197.156.xx.xx my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
  *Apr 16 13:16:38.657: ISAKMP:(1264):Sending an IKE IPv4 Packet.

  Hello salman.abid,
  its hard to troubleshoot if there is some 3th party device in way. I tried your config in my lab and I established IPSec successfuly.
  So it seems that modem would do some problems during IPSec establishment.
  Basically if you are configuring L2L IPSec VPN so there is few things what have to match
  1. check cryptomap, transform sets etc. if they match on both sides. Especially preshared keys.
  2. permit protocol ESP, ISAKMP (UDP 500), and NAT-T (UDP 4500) if applicable.
  3. check default GW is configured properly
  4. check NAT configuration
  Regarding crypto ipsec nat-transparency udp-encapsulation it could help you but also enable UDP/4500 port.
  HTH
  Jan