PIX515 to ASA5510 8.4(5) migration

Hi, We're migrating as mentioned in the subject and this new format is quite a departure from previous iOS versions so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses. Thanks.
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
password lines removed
hostname PIX515
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.173 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.171 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 53612
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 587
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq pop3
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq 4660
pager lines 24
logging trap informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.170 255.255.255.248
ip address inside yyy.yyy.yyy.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.xxx.171 https yyy.yyy.yyy.7 https
static (inside,outside) tcp xxx.xxx.xxx.170 https yyy.yyy.yyy.16 https
static (inside,outside) tcp xxx.xxx.xxx.170 smtp  yyy.yyy.yyy.16 smtp
static (inside,outside) tcp xxx.xxx.xxx.170 53612 yyy.yyy.yyy.16 3389
static (inside,outside) tcp xxx.xxx.xxx.170 587   yyy.yyy.yyy.16 587
static (inside,outside) tcp xxx.xxx.xxx.170 pop3  yyy.yyy.yyy.16 pop3
static (inside,outside) tcp xxx.xxx.xxx.174 https yyy.yyy.yyy.20 https
static (inside,outside) tcp xxx.xxx.xxx.174 www   yyy.yyy.yyy.20 www
static (inside,outside) tcp xxx.xxx.xxx.174 3389  yyy.yyy.yyy.20 3389
static (inside,outside) tcp xxx.xxx.xxx.174 4660  yyy.yyy.yyy.20 4660
static (inside,outside) tcp xxx.xxx.xxx.173 https yyy.yyy.yyy.15 https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a56326d3418814261280ec410c8e7a63
: end
PIX515(config)#
Proposed ASA 5510 configuration
ASA5510(config)# sh run
: Saved
ASA Version 8.4(5)
hostname ASA5510
domain-name ciscopix.com
enable password zaU1v9tMuOQsj2hW encrypted
passwd zaU1v9tMuOQsj2hW encrypted
names
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xxx.xxx.xxx.170 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address yyy.yyy.yyy.254 255.255.255.0
interface Ethernet0/2
shutdown
nameif intf2
security-level 0
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa845-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ciscopix.com
object network intranet-https
host yyy.yyy.yyy.7
object network propalms-https
host yyy.yyy.yyy.20
object network webmail-https
host yyy.yyy.yyy.16
object network webmail-smtp
host yyy.yyy.yyy.16
object network webmail-rdp53612
host yyy.yyy.yyy.16
object network webmail-smtp587
host yyy.yyy.yyy.16
object network webmail-pop3
host yyy.yyy.yyy.16
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network propalms-http
host yyy.yyy.yyy.20
object network propalms-rdp
host yyy.yyy.yyy.20
object network propalms-4660
host yyy.yyy.yyy.20
description Required by ProPalms App.
object network infonet-https
host yyy.yyy.yyy.15
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host yyy.yyy.yyy.7 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq smtp
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 587
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq pop3
access-list 100 extended permit tcp any host yyy.yyy.yyy.15 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq www
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq 4660
pager lines 24
logging trap informational
logging asdm informational
logging host inside yyy.yyy.yyy.20
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
object network intranet-https
nat (inside,outside) static xxx.xxx.xxx.171 service tcp https https
object network propalms-https
nat (inside,outside) static xxx.xxx.xxx.174 service tcp https https
object network webmail-https
nat (inside,outside) static interface service tcp https https
object network webmail-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network webmail-rdp53612
nat (inside,outside) static interface service tcp 3389 53612
object network webmail-smtp587
nat (inside,outside) static interface service tcp 587 587
object network webmail-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj_any
nat (inside,outside) dynamic interface
object network propalms-http
nat (inside,outside) static xxx.xxx.xxx.174 service tcp www www
object network propalms-rdp
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 3389 3389
object network propalms-4660
nat (inside,outside) static xxx.xxx.xxx.174 service tcp 4660 4660
object network infonet-https
nat (inside,outside) static xxx.xxx.xxx.173 service tcp https https
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
http server enable
http yyy.yyy.yyy.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet yyy.yyy.yyy.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:016f67d8cb4e77dcbca7c041d1af6a35
: end
ASA5510(config)#

Hi,
The new version of the configurations seems ok to me at least. Unless I missed something.
One thing I would do is remove this NAT
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
And configure it with a similar
nat (inside,outside) after-auto source dynamic any interface
To my understanding this should move the default PAT configuration to the very end of the NAT rules.
You also seem to have an 8 IP address block from the ISP (of which 2 aren't usable and 1 is used for the "outside" interface IP address). You don't seem to be using all of the public IP addresses yet (even in the older configuration). You are doing Port Forward configurations even though every public IP address is used for only 1 corresponding LAN IP address. Usually Port Forwarding is done when you want to "split" one public IP address between several LAN hosts/servers.
I would think you could at this point actually just configure normal Static NAT between the public IP address and the LAN host to avoid all the different Port Forward configurations and simply make 1 Static NAT per LAN server and open the ports you need on the access-list. The NAT configurations using the "outside" interface IP address would naturally have to be kept as they are now otherwise you would need to change public IP address.
Then again there is nothing stopping you from keeping the original setup you had on the PIX. And in this case it might be even better for you to avoid any more changes to make the device change/update as simple as possible.
If you don't want to start changing anything at this point, the configuration should be fine.
Do notice that there is a possibility that when you replace the PIX with the ASA there might be some old ARP information on the connected devices or ISP devices that might cause some connection problems (if they don't update). The IP address is staying the same, but the replacement of the device means the MAC/hardware address of each public IP address changes.
- Jouni
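
An added example (not part of the thread and not Cisco tooling): a small Python check for the comparison requested above. It reads the PIX `static`/`access-list` lines and the ASA 8.4 object NAT/`access-list` lines and confirms that each port forward reaches the same inside host and that the ASA ACL permits the real (inside) address and port, which is what ASA 8.3 and later match on. The excerpts are copied from the two configs in the thread with the masked addresses kept as opaque strings; `ASA_MAPPED_ACL` is a constructed faulty variant, and all function names are illustrative.

```python
# Added example: compare PIX 6.3 port forwards with ASA 8.4 object NAT + ACL.
# Function names are illustrative; addresses are the thread's masked strings.

PORTS = {"https": 443, "www": 80, "smtp": 25, "pop3": 110}

def port(tok):
    """Translate a named port from the configs to its number."""
    return PORTS.get(tok) or int(tok)

def parse_pix(cfg):
    """Return ({(mapped_ip, mapped_port): (real_ip, real_port)}, permitted pairs)."""
    statics, permits = {}, set()
    for t in (line.split() for line in cfg.splitlines()):
        if t[:3] == ["static", "(inside,outside)", "tcp"]:
            statics[(t[3], port(t[4]))] = (t[5], port(t[6]))
        elif (t[:1] == ["access-list"] and t[7:8] == ["eq"]
              and t[2:6] == ["permit", "tcp", "any", "host"]):
            permits.add((t[6], port(t[8])))
    return statics, permits

def parse_asa(cfg, outside_ip):
    """Same shape as parse_pix, for object NAT; 'interface' means outside_ip."""
    hosts, nats, permits, current = {}, {}, set(), None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["object", "network"]:
            current = t[2]
        elif t[:1] == ["host"] and current:
            hosts[current] = t[1]
        elif (t[:3] == ["nat", "(inside,outside)", "static"]
              and t[4:6] == ["service", "tcp"]):
            mapped_ip = outside_ip if t[3] == "interface" else t[3]
            # Object NAT order is: service tcp <real-port> <mapped-port>
            nats[(mapped_ip, port(t[7]))] = (current, port(t[6]))
        elif (t[:1] == ["access-list"] and t[8:9] == ["eq"]
              and t[2:7] == ["extended", "permit", "tcp", "any", "host"]):
            permits.add((t[7], port(t[9])))
    # Resolve object names to hosts once the whole config has been read.
    return {k: (hosts.get(o), p) for k, (o, p) in nats.items()}, permits

def audit(pix_cfg, asa_cfg, outside_ip):
    """Return a list of findings; an empty list means the two configs agree."""
    pix_static, pix_permit = parse_pix(pix_cfg)
    asa_nat, asa_permit = parse_asa(asa_cfg, outside_ip)
    findings = []
    for mapped, real in sorted(pix_static.items()):
        if asa_nat.get(mapped) != real:
            findings.append(f"NAT differs for {mapped}: PIX real {real}, "
                            f"ASA real {asa_nat.get(mapped)}")
        on_pix, on_asa = mapped in pix_permit, real in asa_permit
        if on_pix and not on_asa:
            findings.append(f"{mapped} was open on the PIX but the ASA ACL "
                            f"has no permit for real address {real}")
        if on_asa and not on_pix:
            findings.append(f"{mapped} was closed on the PIX but the ASA ACL "
                            f"permits real address {real}")
    mapped_ips = {ip for ip, _ in pix_static}
    for dst in sorted(asa_permit):
        if dst[0] in mapped_ips:
            findings.append(f"ASA ACL permit to {dst} names a mapped address; "
                            f"8.3+ matches the real address")
    return findings

# Excerpt of the PIX config posted in the thread.
PIX_EXCERPT = """\
static (inside,outside) tcp xxx.xxx.xxx.171 https yyy.yyy.yyy.7 https
static (inside,outside) tcp xxx.xxx.xxx.170 53612 yyy.yyy.yyy.16 3389
static (inside,outside) tcp xxx.xxx.xxx.174 www yyy.yyy.yyy.20 www
access-list 100 permit tcp any host xxx.xxx.xxx.171 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.170 eq 53612
access-list 100 permit tcp any host xxx.xxx.xxx.174 eq www
"""

# Excerpt of the proposed ASA config posted in the thread.
ASA_EXCERPT = """\
object network intranet-https
host yyy.yyy.yyy.7
object network webmail-rdp53612
host yyy.yyy.yyy.16
object network propalms-http
host yyy.yyy.yyy.20
access-list 100 extended permit tcp any host yyy.yyy.yyy.7 eq https
access-list 100 extended permit tcp any host yyy.yyy.yyy.16 eq 3389
access-list 100 extended permit tcp any host yyy.yyy.yyy.20 eq www
object network intranet-https
nat (inside,outside) static xxx.xxx.xxx.171 service tcp https https
object network webmail-rdp53612
nat (inside,outside) static interface service tcp 3389 53612
object network propalms-http
nat (inside,outside) static xxx.xxx.xxx.174 service tcp www www
"""

# Constructed faulty variant: one ACL line carried over in PIX (mapped) form.
ASA_MAPPED_ACL = ASA_EXCERPT.replace(
    "permit tcp any host yyy.yyy.yyy.16 eq 3389",
    "permit tcp any host xxx.xxx.xxx.170 eq 53612")

if __name__ == "__main__":
    print(audit(PIX_EXCERPT, ASA_EXCERPT, "xxx.xxx.xxx.170") or "configs agree")
    for finding in audit(PIX_EXCERPT, ASA_MAPPED_ACL, "xxx.xxx.xxx.170"):
        print(finding)
```

The parser covers only the `tcp any host ... eq ...` ACL form and `(inside,outside)` port forwards used in this thread; other rule shapes are ignored rather than reported.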

Similar Messages

  • Migrating from ASA5510(8.4.1) to 5525x (9.1x).. Should I be NAT worried?

    I recently attempted to move from an ASA 5510 over to a spare 5520 running the same code (8.4.1) and ran into a problem with NAT to the Internet. I had set the same public IP address due to several vendors accepting only this certain address. So, when I migrated to the new 5520, NAT on this address did not work, meaning no traffic outbound would pass. However, if I change to another Public address no problems with traffic passing as expected.
    So my question is, I am migrating to a scratch-built 5525x using 9.1x code and will be using the same Public NAT address as on the 5510. Should I expect traffic to pass as expected or do I need to migrate to another address? Logic is telling me there should be no issues, but recent experience is making me jittery...
    Thanks for any comments
    Dave

    Your recent experience may not have had anything to do with NAT per se even though that's how it manifested itself most obviously to you.
    I suspect it may have had to do with your upstream gateway's arp cache. I have often seen when replacing hardware that we need to ask the ISP to flush their ARP cache so they can re-learn the new MAC address association to your pre-existing IP.
    In any case, NAT should not be adversely affected when migrating from 8.4(1) to 9.1(x).

  • Migrating from an SA520 to an ASA5510

    I am in the process of migrating one of our offices to an ASA from an SA520. I am having trouble understanding the firewall/NAT rules in the GUI of the SA since I have always used IOS (and CLI). I'm relatively new to the company and there is little documentation.
    I notice there appear to be some static NATs configured for some of our internal servers for external access, but I was hoping to replicate this via an AnyConnect deployment that will allow remote users to open a web browser to internal servers once they connect via VPN. Not to mention, when I attempt to open a web browser to the IPs which appear to be NAT'd in the SA, I get prompted with the login for the SA management GUI, so I don't think the SSL VPN was configured properly to begin with. (Our teleworkers need this ability, although they don't use it often)
    Is there any way to get an IOS interpretation of the SA configurations, or should I treat this as a brand new ASA implementation.
    Has anyone had similar migrations, and pitfalls I should look out for? The GUI of the SA is so difficult to navigate, it makes CUCM seem like a treat.
    Thanks for all your help in advance!

    Hi hleybovich, thanks for using our forum, my name is Johnnatan and I am part of the Small business Support community. The SA is a small business device, for this reason it doesn't have IOS commands, and an IOS interpretation doesn't exist, but the good news is that you can use a Cisco tool called GuideMe, which is made for small business products, and your device is in this category. You can use this address for accessing the tool: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?alt1=&pid=4&eroute=Super , it is very easy to use, just complete the 3 spaces in this way:
    Select a category: (Select the device type on request), e.g. Security appliances
    Enter model: (Type the model on request), e.g. SA540
    Question: (Type what  you want to know  about the device), e.g. VPN Anyconnect
    And it'll be showing all the information you need about what you wrote.
    I hope you find this answer useful,
    “Please rate useful posts so other users can benefit from it”
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Secondary IP address in ASA5510/PIX515e

    Hi All,
    Just want to know if there is a way to configure secondary IP address on the outside/public interface of ASA/PIX.
    One of our clients have used most of their IP on the subnet given by their ISP. They use those IP's for statically
    mapping to Servers inside their local LAN. Thus, they requested another block/subnet from their ISP. They will also
    use this for static mapping/port forwarding to other servers in their network. The current UTM they are using is allowing this
    but they would like to use ASA/PIX as their main Firewall. Is this even possible or is there
    a workaround for this kind of scenario?
    Many Thanks!

    Lloyd
    Pix/ASA firewalls do not support using secondary addressing on an interface. However the good news is that they don't need to.
    As long as the ISP routes the new block of IP addresses to the outside interface of your firewall then you simply use the new block of IPs as you have the existing block ie. you set up static translations and allow access via the access-list.
    The new IP block does not actually have to be allocated to an interface.
    Jon

  • ASA5505 - ASA5510 Migration Steps for Newbie

    Hi,
    We're currently using a CISCO ASA5505 running ASA 9.1(2) and ASDM 7.1(3) here in our head offices for a very simple VPN endpoint for a few mobile users.
    I've recently gotten a request to set up a site-to-site VPN with the head offices of another company that all of our users will be using to communicate back and forth between the two offices. We're about 50 people, and they are about 180, if I understand correctly.
    My impression is that the 5505 won't handle this (in particular the 10 internal hosts will be an issue). They are using an ASA 5510 for their end of the connection. The time frame on this is very, very short (~2 weeks). I am not very experienced with Cisco devices; I did set up our 5505, but it took a fair amount of fiddling and exploration, and I'm not sure I have the time to spend a lot of that before we start exploring the configuration of this S2SVPN.
    What I'd like to do, therefore, is a straight up in-place upgrade of the 5505, where we purchase a 5510, dump the config from the 5505 and take it offline, then bring up the 5510 running that same config.
    I'm hoping that someone would be gracious enough to help me with the steps I need in order to accomplish this, and if anything will need to be edited / changed in the config. between the two devices, perhaps point me at any pitfalls I need to be aware of? If that could be done, it would be hugely helpful.
    Thanks in advance!

    Hello Irfon-Kim,
    In fact that can be done with no problem at all,
    I mean if they are going to be running the same version the configuration will be the same (except for the fact that the ASA 5510 uses physical interfaces as L3 interfaces while the 5505 uses L2 interfaces).
    So configuration speaking that would be the only difference (Interface setup)
    Please check your inbox on this community
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • Exchange 2010 OWA and ASA5510 - Wrong URL?

    I'm in the final steps of migrating my customer's Exchange server from Exchange 2003 to Exchange 2010.  I've got all the mailboxes moved and am testing the OWA access.  Under Exchange 2003, the internal/external users were able to access OWA thru the following URL:
    http://mail.mycustomer.org/exchange
    It would pop up a login box, they'd put in their domain info and get connected to their mailbox.
    After migrating to Exchange 2010, the user had to change the URL to httpS://mail.mycustomer.org/exchange or httpS://mail.mycustomer.org/owa, but it worked internally.  When I test it externally, I get the following page:
    https://mail.mycustomer.org/+CSCOE+/wrong_url.html
    I  have next to no experience with Cisco devices, management, and/or maintenance, but what I've found in my research points to an issue w/ our ASA5510 and the port 443 required by the SSL connection to the Exchange server.  Any help to resolve this issue so that my external users will be able to access OWA would be greatly appreciated.  Thanks.

    Hi,
    Can you check the output of the following commands
    show run http
    show run webvpn
    These are basically the 2 services that utilize the port TCP/443 port on the ASA.
    The first commands output will show some settings related to the ASDM which is the GUI for the ASA management. The second command output will show settings related to the SSL VPN.
    Both of these services can be modified to use some other port than TCP/443 which would leave the port free for your server.
    I assume that you only have one public IP address at your disposal which is configured on the ASA interface and you have no extra public IP address? Otherwise this should be no problem at all.
    Naturally if you change the port on ASDM or SSL VPN it will cause some inconvenience for users of those services. Of course you have the option to map the local TCP/443 port of the server to some other public port like TCP/444 but again this might cause inconvenience to the users also.
    - Jouni

  • ASA5510 Failover MPLS and DLL

    Hello All,
    I would just like to ask if it is possible for the ASA5510 to do failover?
    Our Client is using a single ASA5510 and currently their WAN link is using a dedicated leased line connection and now they are going to use an mpls connection and they would like to make the existing leased line connection to be their backup line.
    How would I go about doing this? Would I just do some routing changes and add metrics to it? Do I need to have a heartbeat so that the failover would take place?
    Or doing a failover with two wan links (MPLS and DLL) on a single ASA would not work?
    Thank you for your reply! Have a nice day!
    lawrence

    If I understand correctly, your company will migrate to MPLS with a new circuit, and their existing internet link they will like to keep it, company want to use old circuit as a backup while the MPLS link would be their primary, if this is correct you can try this link..if new MPLS is one ISP provider and old lease line is different ISP.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • How can I Migrate/Split itunes/icloud account for a large family now that they have family sharing

    Ok, now that Apple has finally come out with family sharing I need to get things sorted out and I think it is going to be a mess. I have 6 family members (my spouse and 4 children) all sharing/using one itunes account. For parental reasons this made perfect sense. Now with the the advent of family sharing and such we have alot of sorting and migrating to do and I am very unsure how to go about it. Here is what we have.
    Myself - I have a 64GB iPad 3 and a 64GB iPhone 5
    Spouse - 64GB iPhone 5
    Children - x4 16GB iPhone 5C (pink, blue, green, and a yellow)
    We have had one itunes account now for several years, we used to have x4 16GB iphone 4's and a 16GB iPod touch 4 so we needed it to be shared at the time. We all have different Game Center ID's and Facetime/iMessages are all setup to the phone numbers (aside from mine which also uses the itunes e-mail). We currently have 1 upgraded icloud account with 200GB of storage on it (love the new tiers). So here are the questions.
    1) How do I go about using and isolating all the devices so they can all use the iCloud storage? Right now if I try and setup backups by device under the what to backup there is no simple "Full Backup" option, they have all the categories separated. I cannot backup my daughters contacts without forcing a merging of them and so on. Same thing with Documents and Data. Would I need to setup a different iCloud account for each device now?
    2) iTunes Music/App purchases. Now that they have a family sharing function I am assuming it would be a good time to separate all the devices (aside from my personal iPad/iPhone). If I understand correctly we need to setup a new itunes account for each and link them with family sharing, does this then allow us to disperse/move items from a singular to the multiple account (at least a one time option to move around) or would it simply be shared off the original account? My daughter for example will be 18 next summer and as such no longer under our care. How do we move her items to her account? She has a lot of purchased Music. Now keep in mind I am talking about an account for someone who was 12 when she had her first device and as such needed to be under her parents.
    I just want to state that repurchasing things is NOT an option, and to be frank,  according to Canadian laws pertaining to *licensing* we actually own the product if we paid for it and have the right to transfer the ownership thereof. This issue went through the courts regarding used copies of OEM editions of Microsoft Windows several years ago and they closed the legal *license* vs ownership separation.

    Go to appleid.apple.com to manage the ID, sign in and select to the Name, ID and Email Addresses section, then change the birth date on the bottom right.  At the present time you may not be able to enter the correct birth date, but others have had success changing the year to 2000, or the date to 1/1/2001, both of which will have child ID status.

  • ASA5510 VPN not working after upgrade from 8.2 to 8.3

    Hi,
    I have recently upgraded a customer ASA5510 to version 8.3.
    After upgrade web access etc is working fine however VPN is down.
    The config looks very different after the upgrade plus what looks to be duplicate entries.
    I suspect its an access list issue but I'm not sure.
    If anyone has any ideas based on the config below it would be greatly appreciated as I'm at a loss....?!
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password NvZgxFP5WhDo0hQl encrypted
    passwd FNeDAwBbhVaOtVAu encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 217.75.8.203 255.255.255.248
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    management-only
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone GMT/IST 0
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup Inside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network obj-192.168.1.2-04
    host 192.168.1.2
    object network obj-192.168.1.7-04
    host 192.168.1.7
    object network obj-192.168.1.0-02
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0-02
    subnet 192.168.2.0 255.255.255.0
    object network obj-10.1.2.0-02
    subnet 10.1.2.0 255.255.255.0
    object network obj-192.168.1.224-02
    subnet 192.168.1.224 255.255.255.240
    object network obj-192.168.1.9-02
    host 192.168.1.9
    object network obj-192.168.1.2-05
    host 192.168.1.2
    object network obj-192.168.1.103-02
    host 192.168.1.103
    object network obj-192.168.1.7-05
    host 192.168.1.7
    object network NETWORK_OBJ_10.1.2.0_24
    subnet 10.1.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group network obj-192.168.1.2-02
    object-group network obj-192.168.1.7-02
    object-group network obj-192.168.1.0-01
    object-group network obj-192.168.2.0-01
    object-group network obj-10.1.2.0-01
    object-group network obj-192.168.1.224-01
    object-group network obj-192.168.1.9-01
    object-group network obj-192.168.1.2-03
    object-group network obj-192.168.1.103-01
    object-group network obj-192.168.1.7-03
    object-group network obj-192.168.1.2
    object-group network obj-192.168.1.7
    object-group network obj-192.168.1.0
    object-group network obj-192.168.2.0
    object-group network obj-10.1.2.0
    object-group network obj-192.168.1.224
    object-group network obj-192.168.1.9
    object-group network obj-192.168.1.2-01
    object-group network obj-192.168.1.103
    object-group network obj-192.168.1.7-01
    object-group network obj_any
    object-group network obj-0.0.0.0
    object-group network obj_any-01
    object-group service MonitcomUDP udp
    port-object range 3924 3924
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
    access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
    access-list Outside_access_in extended permit icmp any any
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
    access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
    access-list Outside_access_in extended permit udp any any eq 4500 inactive
    access-list Outside_access_in extended permit udp any any eq isakmp inactive
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    access-list RemoteVPN_splitTunnelAcl standard permit any
    access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
    pager lines 24
    logging enable
    logging asdm warnings
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
    ip verify reverse-path interface Outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm location 192.168.1.208 255.255.255.252 Inside
    asdm location 192.168.1.103 255.255.255.255 Inside
    asdm location 192.168.1.6 255.255.255.255 Inside
    asdm location 192.168.1.7 255.255.255.255 Inside
    asdm location 192.168.1.9 255.255.255.255 Inside
    no asdm history enable
    arp timeout 14400
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
    nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
    nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
    object network obj-192.168.1.2-04
    nat (Outside,Inside) static 217.75.8.204
    object network obj-192.168.1.7-04
    nat (Outside,Inside) static 217.75.8.206
    object network obj-192.168.1.0-02
    nat (Inside,Outside) dynamic interface
    object network obj-192.168.1.9-02
    nat (Inside,Outside) static 217.75.8.201
    object network obj-192.168.1.2-05
    nat (Inside,Outside) static 217.75.8.204
    object network obj-192.168.1.103-02
    nat (Inside,Outside) static 217.75.8.205
    object network obj-192.168.1.7-05
    nat (Inside,Outside) static 217.75.8.206
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DellServerAAA protocol radius
    aaa-server DellServerAAA (Inside) host 192.168.1.4
    key test
    http server enable
    http 62.17.29.2 255.255.255.255 Outside
    http 82.141.224.155 255.255.255.255 Outside
    http 63.218.54.8 255.255.255.252 Outside
    http 213.79.44.213 255.255.255.255 Outside
    http 192.168.1.0 255.255.255.0 Inside
    http 10.1.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df Outside
    crypto ipsec df-bit clear-df Inside
    crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set peer 89.127.172.29
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 89.105.114.98
    crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface Outside
    crypto isakmp identity key-id nattingreallymatters
    crypto isakmp enable Outside
    crypto isakmp enable Inside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.168.1.0 255.255.255.0 Inside
    telnet timeout 5
    ssh 82.141.224.155 255.255.255.255 Outside
    ssh 62.17.29.2 255.255.255.255 Outside
    ssh 213.79.44.213 255.255.255.255 Outside
    ssh 192.168.1.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    management-access Inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    wins-server value 192.168.1.31
    dns-server value 192.168.1.31
    default-domain value freefoam.ie
    username freefoam password JLYaVf7FqRM2LH0e encrypted
    username cork password qbK2Hqt1H5ttJzPD encrypted
    tunnel-group 193.114.70.130 type ipsec-l2l
    tunnel-group 193.114.70.130 ipsec-attributes
    pre-shared-key ******
    tunnel-group 89.127.172.29 type ipsec-l2l
    tunnel-group 89.127.172.29 ipsec-attributes
    pre-shared-key ******
    tunnel-group 89.105.114.98 type ipsec-l2l
    tunnel-group 89.105.114.98 ipsec-attributes
    pre-shared-key *****
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool VPNPool
    authentication-server-group DellServerAAA
    default-group-policy RemoteVPN
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553

    Hi,
    Many thanks for your reply.
    Finally got access to implement your suggestions.
    Initially none of the VPNs were up.
    After making the change the two VPNs came up.
    However only data via the first VPN is possible.
    Accessing resources on the 10.1.2.0 network is still not possible.
    Attached is the latest config, any input is greatly appreciated;
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password NvZgxFP5WhDo0hQl encrypted
    passwd FNeDAwBbhVaOtVAu encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 217.75.8.203 255.255.255.248
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    management-only
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone GMT/IST 0
    clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup Inside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object network obj-192.168.1.2-04
    host 192.168.1.2
    object network obj-192.168.1.7-04
    host 192.168.1.7
    object network obj-192.168.1.0-02
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0-02
    subnet 192.168.2.0 255.255.255.0
    object network obj-10.1.2.0-02
    subnet 10.1.2.0 255.255.255.0
    object network obj-192.168.1.224-02
    subnet 192.168.1.224 255.255.255.240
    object network obj-192.168.1.9-02
    host 192.168.1.9
    object network obj-192.168.1.2-05
    host 192.168.1.2
    object network obj-192.168.1.103-02
    host 192.168.1.103
    object network obj-192.168.1.7-05
    host 192.168.1.7
    object network NETWORK_OBJ_10.1.2.0_24
    subnet 10.1.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
    subnet 192.168.1.0 255.255.255.0
    object-group network obj-192.168.1.2-02
    object-group network obj-192.168.1.7-02
    object-group network obj-192.168.1.0-01
    object-group network obj-192.168.2.0-01
    object-group network obj-10.1.2.0-01
    object-group network obj-192.168.1.224-01
    object-group network obj-192.168.1.9-01
    object-group network obj-192.168.1.2-03
    object-group network obj-192.168.1.103-01
    object-group network obj-192.168.1.7-03
    object-group network obj-192.168.1.2
    object-group network obj-192.168.1.7
    object-group network obj-192.168.1.0
    object-group network obj-192.168.2.0
    object-group network obj-10.1.2.0
    object-group network obj-192.168.1.224
    object-group network obj-192.168.1.9
    object-group network obj-192.168.1.2-01
    object-group network obj-192.168.1.103
    object-group network obj-192.168.1.7-01
    object-group network obj_any
    object-group network obj-0.0.0.0
    object-group network obj_any-01
    object-group service MonitcomUDP udp
    port-object range 3924 3924
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240
    access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive
    access-list Outside_access_in extended permit icmp any any
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900
    access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https
    access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www
    access-list Outside_access_in extended permit udp any any eq 4500 inactive
    access-list Outside_access_in extended permit udp any any eq isakmp inactive
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Outside_access_in remark Allow webmail access
    access-list Outside_access_in remark Allow Hansa Live access
    access-list Outside_access_in remark Monitcom
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark ESS Access
    access-list Outside_access_in remark Allow TMS Web Access
    access-list Inside_access_in extended permit ip any any
    access-list Inside_access_in extended permit icmp any any
    access-list RemoteVPN_splitTunnelAcl standard permit any
    access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240
    access-list global_access extended permit ip any any
    access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm warnings
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0
    ip verify reverse-path interface Outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm image disk0:/asdm-647.bin
    asdm location 192.168.1.208 255.255.255.252 Inside
    asdm location 192.168.1.103 255.255.255.255 Inside
    asdm location 192.168.1.6 255.255.255.255 Inside
    asdm location 192.168.1.7 255.255.255.255 Inside
    asdm location 192.168.1.9 255.255.255.255 Inside
    no asdm history enable
    arp timeout 14400
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
    nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
    nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
    nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24
    object network obj-192.168.1.2-04
    nat (Outside,Inside) static 217.75.8.204
    object network obj-192.168.1.7-04
    nat (Outside,Inside) static 217.75.8.206
    object network obj-192.168.1.0-02
    nat (Inside,Outside) dynamic interface
    object network obj-192.168.1.9-02
    nat (Inside,Outside) static 217.75.8.201
    object network obj-192.168.1.2-05
    nat (Inside,Outside) static 217.75.8.204
    object network obj-192.168.1.103-02
    nat (Inside,Outside) static 217.75.8.205
    object network obj-192.168.1.7-05
    nat (Inside,Outside) static 217.75.8.206
    nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
    access-group Outside_access_in in interface Outside
    access-group Inside_access_in in interface Inside
    access-group global_access global
    route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server DellServerAAA protocol radius
    aaa-server DellServerAAA (Inside) host 192.168.1.4
    key test
    http server enable
    http 62.17.29.2 255.255.255.255 Outside
    http 82.141.224.155 255.255.255.255 Outside
    http 63.218.54.8 255.255.255.252 Outside
    http 213.79.44.213 255.255.255.255 Outside
    http 192.168.1.0 255.255.255.0 Inside
    http 10.1.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt connection timewait
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df Outside
    crypto ipsec df-bit clear-df Inside
    crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
    crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set peer 89.127.172.29
    crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5
    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 89.105.114.98
    crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface Outside
    crypto isakmp identity key-id nattingreallymatters
    crypto isakmp enable Outside
    crypto isakmp enable Inside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash md5
    group 5
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 192.168.1.0 255.255.255.0 Inside
    telnet timeout 5
    ssh 82.141.224.155 255.255.255.255 Outside
    ssh 62.17.29.2 255.255.255.255 Outside
    ssh 213.79.44.213 255.255.255.255 Outside
    ssh 192.168.1.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    management-access Inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable Outside
    anyconnect-essentials
    svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1
    svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy RemoteVPN internal
    group-policy RemoteVPN attributes
    wins-server value 192.168.1.31
    dns-server value 192.168.1.31
    vpn-tunnel-protocol IPSec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split-tunnel
    default-domain value freefoam.ie
    username freefoam password JLYaVf7FqRM2LH0e encrypted
    username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15
    username cork password qbK2Hqt1H5ttJzPD encrypted
    tunnel-group 193.114.70.130 type ipsec-l2l
    tunnel-group 193.114.70.130 ipsec-attributes
    pre-shared-key ************
    tunnel-group 89.127.172.29 type ipsec-l2l
    tunnel-group 89.127.172.29 ipsec-attributes
    pre-shared-key ************
    tunnel-group 89.105.114.98 type ipsec-l2l
    tunnel-group 89.105.114.98 ipsec-attributes
    pre-shared-key ************
    tunnel-group RemoteVPN type remote-access
    tunnel-group RemoteVPN general-attributes
    address-pool VPNPool
    authentication-server-group DellServerAAA
    default-group-policy RemoteVPN
    tunnel-group RemoteVPN webvpn-attributes
    group-alias Anyconnect enable
    tunnel-group RemoteVPN ipsec-attributes
    pre-shared-key c0nnect10nParameter$
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e
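A migration review of a config like the one above can start with a mechanical cross-reference of its site-to-site VPN sections. The Python below is an added example, not part of the original posts and not a Cisco tool: it checks that every static crypto map entry has a defined match ACL, a peer with an `ipsec-l2l` tunnel-group, and defined transform-sets. The sample config is constructed (names follow the post, peer addresses are documentation-range), and the name-based unused-ACL check is a heuristic assumption.

```python
from collections import defaultdict

# Constructed sample modelled on the structure of the posted config.
# Peer addresses are RFC 5737 documentation addresses, not the poster's.
SAMPLE_CONFIG = """\
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 203.0.113.29
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer 203.0.113.98
crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
tunnel-group 203.0.113.130 type ipsec-l2l
tunnel-group 203.0.113.29 type ipsec-l2l
tunnel-group 203.0.113.98 type ipsec-l2l
tunnel-group RemoteVPN type remote-access
"""


def parse_config(text):
    """Collect the VPN-related names from a flat ASA running-config."""
    cfg = {"acls": set(), "tsets": set(), "l2l": set(), "dyn_acls": set(),
           "entries": defaultdict(lambda: {"acl": None, "peers": [],
                                           "tsets": [], "dynamic": False})}
    for raw in text.splitlines():
        # Dropping the "ikev1" keyword lets the 8.4+ spellings
        # ("set ikev1 transform-set") match the same patterns as 8.3.
        tok = [t for t in raw.split() if t != "ikev1"]
        if len(tok) < 3:
            continue
        if tok[0] == "access-list":
            cfg["acls"].add(tok[1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 3:
            cfg["tsets"].add(tok[3])
        elif (tok[:2] == ["crypto", "dynamic-map"] and len(tok) > 6
              and tok[4:6] == ["match", "address"]):
            cfg["dyn_acls"].add(tok[6])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 5 and tok[3].isdigit():
            entry = cfg["entries"][(tok[2], int(tok[3]))]
            rest = tok[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peers"] += rest[2:]
            elif rest[:2] == ["set", "transform-set"]:
                entry["tsets"] += rest[2:]
            elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = True
        elif tok[0] == "tunnel-group" and tok[2:4] == ["type", "ipsec-l2l"]:
            cfg["l2l"].add(tok[1])
    return cfg


def audit(text):
    """Return a list of cross-reference findings, empty when consistent."""
    cfg = parse_config(text)
    findings, used_acls, used_peers = [], set(cfg["dyn_acls"]), set()
    for (name, seq), e in sorted(cfg["entries"].items()):
        if e["dynamic"]:
            continue  # dynamic entries take peer and ACL from the dynamic-map
        label = f"crypto map {name} {seq}"
        if e["acl"] is None:
            findings.append(f"{label}: no match address")
        else:
            used_acls.add(e["acl"])
            if e["acl"] not in cfg["acls"]:
                findings.append(f"{label}: ACL {e['acl']} is not defined")
        if not e["peers"]:
            findings.append(f"{label}: no peer set")
        for peer in e["peers"]:
            used_peers.add(peer)
            if peer not in cfg["l2l"]:
                findings.append(f"{label}: peer {peer} has no ipsec-l2l tunnel-group")
        if not e["tsets"]:
            findings.append(f"{label}: no transform-set")
        for ts in e["tsets"]:
            if ts not in cfg["tsets"]:
                findings.append(f"{label}: transform-set {ts} is not defined")
    for peer in sorted(cfg["l2l"] - used_peers):
        findings.append(f"tunnel-group {peer}: no crypto map entry names this peer")
    # Heuristic (assumption): ASDM-style crypto ACLs carry "cryptomap" in the name.
    for acl in sorted(a for a in cfg["acls"] - used_acls if "cryptomap" in a.lower()):
        findings.append(f"access-list {acl}: looks like a crypto ACL but no crypto map uses it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

A finding here is a prompt to look at the named entry, not proof of a fault; leftover tunnel-groups and ACLs can be deliberate.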

  • AR Open/Closed Invoices Migration Help

    Hello Experts,
    We have a data migration requirement for AR invoices from a legacy system to Oracle.
    We have both open and closed invoices. Can anyone of you help in giving the steps to be followed? This is for India AR Invoices. Expecting a quick response and it would be of great help to us! This is in 11.5.10
    Thanks,
    Janani Sekar
    Edited by: user11981778 on 20-Dec-2012 20:32

    Hi,
    Pl. populate the following open interfaces from your legacy data and then run the 'Autoinvoice Master Program'
    (1) RA_INTERFACE_LINES_ALL
    (2) ra_interface_distributions_all
    For open invoices the AR_PAYMENT_SCHEDULES_ALL.STATUS should be equal to 'OP'.
    Pl. visit following link also for more info.
    http://bhaskarreddyapps.blogspot.in/2011/10/ar-invoice-interface.html
    HTH
    Sanjay

  • Migrate all Open Sales Orders From Legacy System (SAP) To SAP System using

    Hi Experts,
    I've to Migrate all Open Sales Orders From Legacy System (SAP) To SAP System using Business Objects with a new SALES ORDER DOCUMENT NUMBER referencing the older one.
    I'll get all the required data with field in an excel file.
    Does any standard transaction exist for it? Or how to go ahead with it?
    Thanks and regards,
    Jyoti Shankar

    Hi
    If you are checking for CREATE option then Sales Doc Type
    For more Info goto SWO1 transaction -> BUS2032 --> Display --> Execute --> There SELECT the method which you want to perform... There you can find the MANDATORY parameters also....
    Or in DISPLAY mode PLACE Cursor on the Required Method and Click the PARAMETERS button on toolbar...
    That will show the MANDATORY parameters...
    Reward if helpful....
    Message was edited by:
            Enter the Dragon

  • Migrating open POs and GR/IR clearing account balance

    Hello gurus,
    I've got the following problem concerning migration of open POs:
    For example: In my source system there is a PO for 10 pcs. of some material. There has been a goods receipt for 5 pcs. (200$ each).
    Now, when I import this order and the corresponding purchase order history into my target system (using LSMW), the target system creates the order, a material document for 5 pcs. and an account document.
    But of course, our FI-team also has to migrate the balance of the 'old' GR/IR clearing account.
    So, the balance in the source system is <> 0 (e.g. 1000$), because the 5 pcs. have been delivered but there has been no invoice receipt yet.
    This balance is imported into the new system and then the open orders are migrated, generating an account document and thus, the balance is 2000$ afterwards.
    This obviously is not correct, so I am sure that I am missing something, just what?
    Thanks
    Alicia

    Hi,
    1. There will be an open PO uploaded for 5 qty and price 200$ each
    2. Opening Balance of Material - 5 qty and corresponding value to Stock A/c - 1000$
    3. Also there will be Vendor Balances uploaded in the system as 1000$ against the invoice. (If the invoice is still expected then check with FI Users if they can get invoice from vendor)
    if no then do not upload initial stock entry of step2, create a PO of 10 qty and then do GR in system (SAP).

  • [Migrating from 6i to 11G] HTML viewer

    Hi,
    There used to be a program to display the output of a report in 6i. When the report was displayed, it used page breaks (ESC characters) to allow the user to view the next page and print a range of pages from a report.
    In 11G, these control characters are not interpreted by Internet Explorer:
    >
    height 85
    width 94
    before report esc "&l%%0O" esc "&l8D" esc "(s12H"
    after report esc "E"
    after page control(L)
    [End Quote]
    So how could I migrate the printer definition files in order to get after page control in 11G?
    Many thanks for your help.

    As my old college professor used to say - "The only stupid question is the one that doesn't get asked!" Forms 11g only supports web deployment. This means you will need the OAS with the Forms and Reports Services installed as well. Typically, the setup is three tiered ( 1 server = Database, 1 server = Application Server, 1 server = Infrastructure server ). You don't have to set up the technology stack multitiered - all three could reside on the same server or you could have all three on the same machine but it is not recommended. I would at least have the database on a server separate from OAS.
    Here are a few links to get you started.
    Oracle Documentation
    * Check out: Development Tools - Oracle Forms, Middleware - Applications Server - Oracle Fusion Middleware 11g and Middleware - Data Warehousing and Business Intelligence - Oracle Reports
    Since you will be upgrading from Forms 6i to 11g, be sure to visit the Oracle Forms-Upgrading Forms 6i to Forms 11g documentation.
    BTW, welcome to the forums!
    Craig
    If a response is helpful or correct, please mark it accordingly.
    Edited by: CraigB on May 6, 2010 2:09 PM

  • How can I migrate everything from one account to another on same computer?

    How can I migrate everything from one account to another on same computer?

    Transferring files from one User Account to another

  • TS3981 After migration files are now shared between two user accounts. How can I combine them into one account?

    After migration, from PC, files are now shared between two user accounts. I have to switch users to access files. How can I combine them into one account?

    See Pondini's Transferring files from one User Account to another, for starters
