Routing issue on ASA5505 site-to-site VPN
Dear All:
I have Cisco ASA5505 on both office. And it has connected fine for a few month. Today, user report no connection in between. After discover the VPN, I found the VPN session on both site still established. However, Site B (remote site) cannot access one of subnet on Site A (Local site).
Does any of you could advice what step should I take to discover the issue?
Thanks for any advise!
Wayne Ho
Hi Wayne,
The issue can be caused by multiple reasons.
To start troubleshooting I would suggest that you run a packet tracer on the ASA and see if the traffic is allowed in the packet tracer or not.
If you can post the configuration from your devices I can look into it and see if we are missing something or not.
Similar Messages
-
Site to Site VPN issues between PIX506 and ASA5505
Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
Corporate
PIX Version 6.3(5)
access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside xxx.yyy.170.160 255.255.255.0
ip address inside 192.168.119.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer aaa.bbb.175.218
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication w2k3
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup vpners address-pool ippool
vpngroup vpners dns-server 192.168.119.11
vpngroup vpners default-domain mydomain.local
vpngroup vpners split-tunnel split_tunnel
vpngroup vpners idle-time 1800
vpngroup vpners password ********
Remote Site
ASA Version 7.2(2)
interface Vlan1
nameif inside
security-level 100
ip address 172.16.2.1 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.175.218 255.255.128.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xxx.yyy.170.160
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group xxx.yyy.170.160 type ipsec-l2l
tunnel-group xxx.yyy.170.160 ipsec-attributes
pre-shared-key *I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.
-
Routing Issue for Remote Access Clients over Site to Site VPN tunnels
I have a customer that told me that Cisco has an issue when a customer has a topology of let's say 3 sites that have site to site tunnels built and a Remote Access client connects to site A and needs resources at Site B but the PIX won't route to that site. Has this been fixed in the ASA?
Patrick, that was indeed true for a long time.
But now it is fixed in PIX and ASA version 7.x.
Please refer to this document for details:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
IP scheme at SIte A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: endI have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping tothe other site. -
Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: endThanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
Cisco ASA & Router Site to Site VPN up but not passing traffic
Dear all,
Please help me the attached document vpn issue, site-to-site vpn is up but I am not able to passing traffic.
Advance Thanks
ahossainASA#
ASA Version 8.2(1)
hostname Active
domain-name test.com
interface Ethernet0/0
description LAN/STATE Failover Interface
interface Ethernet0/1
speed 100
nameif outside
security-level 0
ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
interface Ethernet0/3
description INSIDE
speed 100
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa821-k8.bin
boot config disk0:/running-config
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list deny-flow-max 1
access-list alert-interval 2
access-list allow extended permit ip any any
access-list VPN extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list al-outside extended permit ip any host 212.107.106.129
access-list al-outside extended permit ip any any
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key *****
failover link failover Ethernet0/0
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any DMZ
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map 10 set transform-set mal
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address 212.71.53.38
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
interface Loopback0
ip address 10.3.3.1 255.255.255.0
ip virtual-reassembly in
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/1
ip address 212.107.106.129 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/2
description *!* LAN *!*
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http secure-server
ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
ip nat inside source route-map nonat pool OUTPOOL overload
ip route 0.0.0.0 0.0.0.0 172.20.34.53
ip route 10.1.1.0 255.255.255.0 212.107.106.130
ip route 192.168.50.0 255.255.255.0 212.71.53.38
ip access-list extended outside
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended outside1
remark CCP_ACL Category=1
permit ip any any log
access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
control-plane
ASA Version 8.2(1)
hostname Active
domain-name test.com
interface Ethernet0/0
description LAN/STATE Failover Interface
interface Ethernet0/1
speed 100
nameif outside
security-level 0
ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
interface Ethernet0/3
description INSIDE
speed 100
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Management0/0
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa821-k8.bin
boot config disk0:/running-config
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list deny-flow-max 1
access-list alert-interval 2
access-list allow extended permit ip any any
access-list VPN extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list al-outside extended permit ip any host 212.107.106.129
access-list al-outside extended permit ip any any
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key *****
failover link failover Ethernet0/0
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any DMZ
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map 10 set transform-set mal
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
==================================================================
Remote-Router#
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address 212.71.53.38
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
interface Loopback0
ip address 10.3.3.1 255.255.255.0
ip virtual-reassembly in
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/1
ip address 212.107.106.129 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map mal
interface GigabitEthernet0/2
description *!* LAN *!*
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http secure-server
ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
ip nat inside source route-map nonat pool OUTPOOL overload
ip route 0.0.0.0 0.0.0.0 172.20.34.53
ip route 10.1.1.0 255.255.255.0 212.107.106.130
ip route 192.168.50.0 255.255.255.0 212.71.53.38
ip access-list extended outside
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended outside1
remark CCP_ACL Category=1
permit ip any any log
access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
control-plane -
Site to site VPN re-connection issue
Hi I done site -to -site VPN between two UC 560 and I am able to make call too. Both site I am using DDNS FQDN. Now I am facing these problems,
1. When ever any of the site gone down , it is taking around 45 minute to get reconnect the VPN.
2. With in 2 minute Dialer interface is getting WAN IP address from service provider and it is updating with Dyndns also. But while checking crypto session details from my local UC I can see the peer address is not changing or showing none.
please help me to overcome this issue
I tested by restarting ROUTER-A UC560
Please find the status of remote site:
ROUTER-B#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.50.37.13 86.99.72.10 MM_NO_STATE 2004 ACTIVE (deleted)
ROUTER-B#sh crypto isa saIPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-A#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
ROUTER-B#sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Session status: UP-NO-IKE
Peer: 86.99.72.10 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.50.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 12452 drop 0 life (KB/Sec) 4477633/1050
Outbound: #pkts enc'ed 15625 drop 228 life (KB/Sec) 4477628/1050
ROUTER-A# sho crypto session det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access2
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: Dialer0
Session status: DOWN
Peer: port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 23 life (KB/Sec) 0/0
**** Here I can see the peer IP is 86.99.72.10, but address had been changed to 92.98.211.242 in ROUTER-A
Please see the debug crypto isakpm
ROUTER-A#debug crypto isakmp
Crypto ISAKMP debugging is on
ROUTER-A#terminal monitor
000103: Aug 6 18:40:48.083: ISAKMP:(0): SA request profile is (NULL)
000104: Aug 6 18:40:48.083: ISAKMP: Created a peer struct for , peer port 500
000105: Aug 6 18:40:48.083: ISAKMP: New peer created peer = 0x86682AAC peer_handle = 0x80000031
000106: Aug 6 18:40:48.083: ISAKMP: Locking peer struct 0x86682AAC, refcount 1 for isakmp_initiator
000107: Aug 6 18:40:48.083: ISAKMP: local port 500, remote port 500
000108: Aug 6 18:40:48.083: ISAKMP: set new node 0 to QM_IDLE
000109: Aug 6 18:40:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EBE04
000110: Aug 6 18:40:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000111: Aug 6 18:40:48.083: ISAKMP:(0):No pre-shared key with !
000112: Aug 6 18:40:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000113: Aug 6 18:40:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000114: Aug 6 18:40:48.083: ISAKMP: Unlocking peer struct 0x86682AAC for isadb_unlock_peer_delete_sa(), count 0
000115: Aug 6 18:40:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682AAC
000116: Aug 6 18:40:48.083: ISAKMP:(0):purging SA., sa=8B4EBE04, delme=8B4EBE04
000117: Aug 6 18:40:48.083: ISAKMP:(0):purging node 2113438140
000118: Aug 6 18:40:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000119: Aug 6 18:40:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000120: Aug 6 18:41:18.083: ISAKMP:(0): SA request profile is (NULL)
000121: Aug 6 18:41:18.083: ISAKMP: Created a peer struct for , peer port 500
000122: Aug 6 18:41:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000032
000123: Aug 6 18:41:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000124: Aug 6 18:41:18.083: ISAKMP: local port 500, remote port 500
000125: Aug 6 18:41:18.083: ISAKMP: set new node 0 to QM_IDLE
000126: Aug 6 18:41:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000127: Aug 6 18:41:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000128: Aug 6 18:41:18.083: ISAKMP:(0):No pre-shared key with !
000129: Aug 6 18:41:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000130: Aug 6 18:41:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000131: Aug 6 18:41:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000132: Aug 6 18:41:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000133: Aug 6 18:41:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000134: Aug 6 18:41:18.083: ISAKMP:(0):purging node 379490091
000135: Aug 6 18:41:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000136: Aug 6 18:41:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000137: Aug 6 18:42:48.083: ISAKMP:(0): SA request profile is (NULL)
000138: Aug 6 18:42:48.083: ISAKMP: Created a peer struct for , peer port 500
000139: Aug 6 18:42:48.083: ISAKMP: New peer created peer = 0x86691200 peer_handle = 0x80000033
000140: Aug 6 18:42:48.083: ISAKMP: Locking peer struct 0x86691200, refcount 1for isakmp_initiator
000141: Aug 6 18:42:48.083: ISAKMP: local port 500, remote port 500
000142: Aug 6 18:42:48.083: ISAKMP: set new node 0 to QM_IDLE
000143: Aug 6 18:42:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000144: Aug 6 18:42:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000145: Aug 6 18:42:48.083: ISAKMP:(0):No pre-shared key with !
000146: Aug 6 18:42:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000147: Aug 6 18:42:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000148: Aug 6 18:42:48.083: ISAKMP: Unlocking peer struct 0x86691200 for isadb_unlock_peer_delete_sa(), count 0
000149: Aug 6 18:42:48.083: ISAKMP: Deleting peer node by peer_reap for : 86691200
000150: Aug 6 18:42:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000151: Aug 6 18:42:48.083: ISAKMP:(0):purging node -309783810
000152: Aug 6 18:42:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000153: Aug 6 18:42:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000154: Aug 6 18:43:18.083: ISAKMP:(0): SA request profile is (NULL)
000155: Aug 6 18:43:18.083: ISAKMP: Created a peer struct for , peer port 500
000156: Aug 6 18:43:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000034
000157: Aug 6 18:43:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000158: Aug 6 18:43:18.083: ISAKMP: local port 500, remote port 500
000159: Aug 6 18:43:18.083: ISAKMP: set new node 0 to QM_IDLE
000160: Aug 6 18:43:18.083: ISAKMP:(0):insert sa successfully sa = 8B4AB780
000161: Aug 6 18:43:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000162: Aug 6 18:43:18.083: ISAKMP:(0):No pre-shared key with !
000163: Aug 6 18:43:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000164: Aug 6 18:43:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000165: Aug 6 18:43:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb _unlock_peer_delete_sa(), count 0
000166: Aug 6 18:43:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000167: Aug 6 18:43:18.083: ISAKMP:(0):purging SA., sa=8B4AB780, delme=8B4AB78 0
000168: Aug 6 18:43:18.083: ISAKMP:(0):purging node 461611358
000169: Aug 6 18:43:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000170: Aug 6 18:43:18.083: ISAKMP: Error while processing KMI message 0, erro r 2.
000171: Aug 6 18:44:48.083: ISAKMP:(0): SA request profile is (NULL)
000172: Aug 6 18:44:48.083: ISAKMP: Created a peer struct for , peer port 500
000173: Aug 6 18:44:48.083: ISAKMP: New peer created peer = 0x8B4A25C8 peer_handle = 0x80000035
000174: Aug 6 18:44:48.083: ISAKMP: Locking peer struct 0x8B4A25C8, refcount 1 for isakmp_initiator
000175: Aug 6 18:44:48.083: ISAKMP: local port 500, remote port 500
000176: Aug 6 18:44:48.083: ISAKMP: set new node 0 to QM_IDLE
000177: Aug 6 18:44:48.083: ISAKMP:(0):insert sa successfully sa = 8B4EC7E8
000178: Aug 6 18:44:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000179: Aug 6 18:44:48.083: ISAKMP:(0):No pre-shared key with !
000180: Aug 6 18:44:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000181: Aug 6 18:44:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000182: Aug 6 18:44:48.083: ISAKMP: Unlocking peer struct 0x8B4A25C8 for isadb_unlock_peer_delete_sa(), count 0
000183: Aug 6 18:44:48.083: ISAKMP: Deleting peer node by peer_reap for : 8B4A25C8
000184: Aug 6 18:44:48.083: ISAKMP:(0):purging SA., sa=8B4EC7E8, delme=8B4EC7E8
000185: Aug 6 18:44:48.083: ISAKMP:(0):purging node -1902909277
000186: Aug 6 18:44:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000187: Aug 6 18:44:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000188: Aug 6 18:45:18.083: ISAKMP:(0): SA request profile is (NULL)
000189: Aug 6 18:45:18.083: ISAKMP: Created a peer struct for , peer port 500
000190: Aug 6 18:45:18.083: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000036
000191: Aug 6 18:45:18.083: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for isakmp_initiator
000192: Aug 6 18:45:18.083: ISAKMP: local port 500, remote port 500
000193: Aug 6 18:45:18.083: ISAKMP: set new node 0 to QM_IDLE
000194: Aug 6 18:45:18.083: ISAKMP:(0):insert sa successfully sa = 86685DFC
000195: Aug 6 18:45:18.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000196: Aug 6 18:45:18.083: ISAKMP:(0):No pre-shared key with !
000197: Aug 6 18:45:18.083: ISAKMP:(0): No Cert or pre-shared address key.
000198: Aug 6 18:45:18.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000199: Aug 6 18:45:18.083: ISAKMP: Unlocking peer struct 0x8668106C for isadb_unlock_peer_delete_sa(), count 0
000200: Aug 6 18:45:18.083: ISAKMP: Deleting peer node by peer_reap for : 8668106C
000201: Aug 6 18:45:18.083: ISAKMP:(0):purging SA., sa=86685DFC, delme=86685DFC
000202: Aug 6 18:45:18.083: ISAKMP:(0):purging node 1093064733
000203: Aug 6 18:45:18.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000204: Aug 6 18:45:18.083: ISAKMP: Error while processing KMI message 0, error 2.
000205: Aug 6 18:46:48.083: ISAKMP:(0): SA request profile is (NULL)
000206: Aug 6 18:46:48.083: ISAKMP: Created a peer struct for , peer port 500
000207: Aug 6 18:46:48.083: ISAKMP: New peer created peer = 0x86682BE0 peer_handle = 0x80000037
000208: Aug 6 18:46:48.083: ISAKMP: Locking peer struct 0x86682BE0, refcount 1 for isakmp_initiator
000209: Aug 6 18:46:48.083: ISAKMP: local port 500, remote port 500
000210: Aug 6 18:46:48.083: ISAKMP: set new node 0 to QM_IDLE
000211: Aug 6 18:46:48.083: ISAKMP:(0):insert sa successfully sa = 866E1758
000212: Aug 6 18:46:48.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000213: Aug 6 18:46:48.083: ISAKMP:(0):No pre-shared key with !
000214: Aug 6 18:46:48.083: ISAKMP:(0): No Cert or pre-shared address key.
000215: Aug 6 18:46:48.083: ISAKMP:(0): construct_initial_message: Can not start Main mode
000216: Aug 6 18:46:48.083: ISAKMP: Unlocking peer struct 0x86682BE0 for isadb_unlock_peer_delete_sa(), count 0
000217: Aug 6 18:46:48.083: ISAKMP: Deleting peer node by peer_reap for : 86682BE0
000218: Aug 6 18:46:48.083: ISAKMP:(0):purging SA., sa=866E1758, delme=866E1758
000219: Aug 6 18:46:48.083: ISAKMP:(0):purging node -1521272284
000220: Aug 6 18:46:48.083: ISAKMP: Error while processing SA request: Failed to initialize SA
000221: Aug 6 18:46:48.083: ISAKMP: Error while processing KMI message 0, error 2.
000222: Aug 6 18:47:03.131: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (N) NEW SA
000223: Aug 6 18:47:03.131: ISAKMP: Created a peer struct for 2.50.37.13, peer port 500
000224: Aug 6 18:47:03.131: ISAKMP: New peer created peer = 0x8668106C peer_handle = 0x80000038
000225: Aug 6 18:47:03.131: ISAKMP: Locking peer struct 0x8668106C, refcount 1 for crypto_isakmp_process_block
000226: Aug 6 18:47:03.131: ISAKMP: local port 500, remote port 500
000227: Aug 6 18:47:03.131: ISAKMP:(0):insert sa successfully sa = 8B4C1924
000228: Aug 6 18:47:03.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000229: Aug 6 18:47:03.131: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000230: Aug 6 18:47:03.131: ISAKMP:(0): processing SA payload. message ID = 0
000231: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000232: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000233: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
000234: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000235: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000236: Aug 6 18:47:03.131: ISAKMP (0): vendor ID is NAT-T v7
000237: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000238: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000239: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v3
000240: Aug 6 18:47:03.131: ISAKMP:(0): processing vendor id payload
000241: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000242: Aug 6 18:47:03.131: ISAKMP:(0): vendor ID is NAT-T v2
000243: Aug 6 18:47:03.131: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000244: Aug 6 18:47:03.131: ISAKMP:(0): local preshared key found
000245: Aug 6 18:47:03.131: ISAKMP : Scanning profiles for xauth ... sdm-ike-profile-1
000246: Aug 6 18:47:03.131: ISAKMP:(0): Authentication by xauth preshared
000247: Aug 6 18:47:03.131: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000248: Aug 6 18:47:03.131: ISAKMP: encryption 3DES-CBC
000249: Aug 6 18:47:03.131: ISAKMP: hash SHA
000250: Aug 6 18:47:03.131: ISAKMP: default group 2
000251: Aug 6 18:47:03.131: ISAKMP: auth pre-share
000252: Aug 6 18:47:03.131: ISAKMP: life type in seconds
000253: Aug 6 18:47:03.131: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000254: Aug 6 18:47:03.135: ISAKMP:(0):atts are acceptable. Next payload is 0
000255: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:actual life: 1800
000256: Aug 6 18:47:03.135: ISAKMP:(0):Acceptable atts:life: 0
000257: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa vpi_length:4
000258: Aug 6 18:47:03.135: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000259: Aug 6 18:47:03.135: ISAKMP:(0):Returning Actual lifetime: 1800
000260: Aug 6 18:47:03.135: ISAKMP:(0)::Started lifetime timer: 1800.
000261: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000262: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
000263: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T RFC 3947
000264: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000265: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
000266: Aug 6 18:47:03.135: ISAKMP (0): vendor ID is NAT-T v7
000267: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000268: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
000269: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v3
000270: Aug 6 18:47:03.135: ISAKMP:(0): processing vendor id payload
000271: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000272: Aug 6 18:47:03.135: ISAKMP:(0): vendor ID is NAT-T v2
000273: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000274: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000275: Aug 6 18:47:03.135: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000276: Aug 6 18:47:03.135: ISAKMP:(0): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_SA_SETUP
000277: Aug 6 18:47:03.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
000278: Aug 6 18:47:03.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000279: Aug 6 18:47:03.135: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000280: Aug 6 18:47:03.191: ISAKMP (0): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_SA_SETUP
000281: Aug 6 18:47:03.191: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000282: Aug 6 18:47:03.191: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
000283: Aug 6 18:47:03.191: ISAKMP:(0): processing KE payload. message ID = 0
000284: Aug 6 18:47:03.199: ISAKMP:(0): processing NONCE payload. message ID = 0
000285: Aug 6 18:47:03.203: ISAKMP:(0):found peer pre-shared key matching 2.50.37.13
000286: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000287: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is DPD
000288: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000289: Aug 6 18:47:03.203: ISAKMP:(2001): speaking to another IOS box!
000290: Aug 6 18:47:03.203: ISAKMP:(2001): processing vendor id payload
000291: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID seems Unity/DPD but major 223 mismatch
000292: Aug 6 18:47:03.203: ISAKMP:(2001): vendor ID is XAUTH
000293: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000294: Aug 6 18:47:03.203: ISAKMP (2001): His hash no match - this node outside NAT
000295: Aug 6 18:47:03.203: ISAKMP:received payload type 20
000296: Aug 6 18:47:03.203: ISAKMP (2001): No NAT Found for self or peer
000297: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000298: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM3
000299: Aug 6 18:47:03.203: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000300: Aug 6 18:47:03.203: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000301: Aug 6 18:47:03.203: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000302: Aug 6 18:47:03.203: ISAKMP:(2001):Old State = IKE_R_MM3 New State = IKE_R_MM4
000303: Aug 6 18:47:03.295: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) MM_KEY_EXCH
000304: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000305: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM4 New State = IKE_R_MM5
000306: Aug 6 18:47:03.295: ISAKMP:(2001): processing ID payload. message ID = 0
000307: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 2.50.37.13
protocol : 17
port : 500
length : 12
000308: Aug 6 18:47:03.295: ISAKMP:(0):: peer matches *none* of the profiles
000309: Aug 6 18:47:03.295: ISAKMP:(2001): processing HASH payload. message ID = 0
000310: Aug 6 18:47:03.295: ISAKMP:(2001): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x8B4C1924
000311: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000312: Aug 6 18:47:03.295: ISAKMP:(2001):SA has been authenticated with 2.50.37.13
000313: Aug 6 18:47:03.295: ISAKMP:(2001):SA authentication status:
authenticated
000314: Aug 6 18:47:03.295: ISAKMP:(2001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 92.98.211.242 remote 2.50.37.13 remote port 500
000315: Aug 6 18:47:03.295: ISAKMP: Trying to insert a peer 92.98.211.242/2.50.37.13/500/, and inserted successfully 8668106C.
000316: Aug 6 18:47:03.295: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000317: Aug 6 18:47:03.295: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_R_MM5
000318: Aug 6 18:47:03.295: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000319: Aug 6 18:47:03.295: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address : 92.98.211.242
protocol : 17
port : 500
length : 12
000320: Aug 6 18:47:03.295: ISAKMP:(2001):Total payload length: 12
000321: Aug 6 18:47:03.295: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000322: Aug 6 18:47:03.295: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000323: Aug 6 18:47:03.295: ISAKMP:(2001):Returning Actual lifetime: 1800
000324: Aug 6 18:47:03.299: ISAKMP: set new node -1235582904 to QM_IDLE
000325: Aug 6 18:47:03.299: ISAKMP:(2001):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 2291695856, message ID = 3059384392
000326: Aug 6 18:47:03.299: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000327: Aug 6 18:47:03.299: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000328: Aug 6 18:47:03.299: ISAKMP:(2001):purging node -1235582904
000329: Aug 6 18:47:03.299: ISAKMP: Sending phase 1 responder lifetime 1800
000330: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000331: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000332: Aug 6 18:47:03.299: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000333: Aug 6 18:47:03.299: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000334: Aug 6 18:47:03.307: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000335: Aug 6 18:47:03.307: ISAKMP: set new node -687536412 to QM_IDLE
000336: Aug 6 18:47:03.307: ISAKMP:(2001): processing HASH payload. message ID = 3607430884
000337: Aug 6 18:47:03.307: ISAKMP:(2001): processing SA payload. message ID = 3607430884
000338: Aug 6 18:47:03.307: ISAKMP:(2001):Checking IPSec proposal 1
000339: Aug 6 18:47:03.307: ISAKMP: transform 1, ESP_3DES
000340: Aug 6 18:47:03.307: ISAKMP: attributes in transform:
000341: Aug 6 18:47:03.307: ISAKMP: encaps is 1 (Tunnel)
000342: Aug 6 18:47:03.307: ISAKMP: SA life type in seconds
000343: Aug 6 18:47:03.307: ISAKMP: SA life duration (basic) of 3600
000344: Aug 6 18:47:03.307: ISAKMP: SA life type in kilobytes
000345: Aug 6 18:47:03.307: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
000346: Aug 6 18:47:03.307: ISAKMP: authenticator is HMAC-SHA
000347: Aug 6 18:47:03.307: ISAKMP:(2001):atts are acceptable.
000348: Aug 6 18:47:03.307: ISAKMP:(2001): processing NONCE payload. message ID = 3607430884
000349: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000350: Aug 6 18:47:03.311: ISAKMP:(2001): processing ID payload. message ID = 3607430884
000351: Aug 6 18:47:03.311: ISAKMP:(2001):QM Responder gets spi
000352: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000353: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
000354: Aug 6 18:47:03.311: ISAKMP:(2001): Creating IPSec SAs
000355: Aug 6 18:47:03.311: inbound SA from 2.50.37.13 to 92.98.211.242 (f/i) 0/ 0
(proxy 192.168.10.0 to 192.168.50.0)
000356: Aug 6 18:47:03.311: has spi 0x4C5A127C and conn_id 0
000357: Aug 6 18:47:03.311: lifetime of 3600 seconds
000358: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000359: Aug 6 18:47:03.311: outbound SA from 92.98.211.242 to 2.50.37.13 (f/i) 0/0
(proxy 192.168.50.0 to 192.168.10.0)
000360: Aug 6 18:47:03.311: has spi 0x1E83EC91 and conn_id 0
000361: Aug 6 18:47:03.311: lifetime of 3600 seconds
000362: Aug 6 18:47:03.311: lifetime of 4608000 kilobytes
000363: Aug 6 18:47:03.311: ISAKMP:(2001): sending packet to 2.50.37.13 my_port 500 peer_port 500 (R) QM_IDLE
000364: Aug 6 18:47:03.311: ISAKMP:(2001):Sending an IKE IPv4 Packet.
000365: Aug 6 18:47:03.311: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
000366: Aug 6 18:47:03.311: ISAKMP:(2001):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
000367: Aug 6 18:47:03.323: ISAKMP (2001): received packet from 2.50.37.13 dport 500 sport 500 Global (R) QM_IDLE
000368: Aug 6 18:47:03.323: ISAKMP:(2001):deleting node -687536412 error FALSE reason "QM done (await)"
000369: Aug 6 18:47:03.323: ISAKMP:(2001):Node 3607430884, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000370: Aug 6 18:47:03.323: ISAKMP:(2001):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
000371: Aug 6 18:47:53.323: ISAKMP:(2001):purging node -687536412
ROUTER-A# sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
92.98.211.242 2.50.37.13 QM_IDLE 2001 ACTIVE
RUNNING CONFIGURATION OF ROUTER-A
Building configuration...
Current configuration : 29089 bytes
! Last configuration change at 21:31:11 PST Tue Aug 7 2012 by administrator
version 15.1
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
hostname xxxxxxxxxxXX
boot-start-marker
boot-end-marker
enable secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
aaa new-model
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa session-id common
clock timezone ZP4 4 0
clock summer-time PST recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4070447007
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4070447007
revocation-check none
rsakeypair TP-self-signed-4070447007
crypto pki certificate chain TP-self-signed-4070447007
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303730 34343730 3037301E 170D3132 30373331 30353139
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373034
34373030 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BBA6 F2C9A163 B7EAB25D 6C538A5B 29832F58 6B95D2C0 1FBE0E72 BD4E9585
6230CAD1 8DA4E337 5A11332C 36EAFF86 02D8C977 6CD2AA50 D76FB97F 52AE73AD
E777194B 011C95EB E2A588B4 3A7D618E F1D03E3F EF1A60FB 26372B63 9395002D
38126CC5 EA79E23C 40E0F331 76E7731E D03E2CE8 F1A0B5E9 B83AA780 D566A679
599F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14C8BC47 90602FB0 18A8821A 85A3444F 874E2292 27301D06
03551D0E 04160414 C8BC4790 602FB018 A8821A85 A3444F87 4E229227 300D0609
2A864886 F70D0101 05050003 8181001B D0EA74FE 7EDD03FE 68733D87 6434D20B
80481807 DD4A488E FFEFA631 245F396F 5CADF523 1438A70B CA113994 9798483D
F59221EA 09EDB8FC 6D1DBBAE FE7FE4B9 E79F064F E930F347 B1CAD19B 01F5989A
8BCFDB1D 906163A4 C467E809 E988B610 FE613177 A815DFB0 97839F92 4A682E8F
43F08787 E08CBE70 E98DEBE7 BCD8B8
quit
dot11 syslog
ip source-route
ip cef
ip dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1 10.1.1.9
ip dhcp excluded-address 10.1.1.241 10.1.1.255
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.241 192.168.50.255
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
import all
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
ip ddns update method sdm_ddns1
HTTP
add http://xxxxxxxs:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxxx:[email protected]/nic/update?system=dyndns&[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 2 0 0 0
interval minimum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
stcapp ccm-group 1
stcapp
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
voice call send-alert
voice rtp send-recv
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12
sip
no update-callerid
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
voice class h323 1
call start slow
voice class cause-code 1
no-circuit
voice register global
mode cme
source-address 10.1.1.1 port 5060
load 9971 sip9971.9-2-2
load 9951 sip9951.9-2-2
load 8961 sip8961.9-2-2
voice translation-rule 1000
rule 1 /.*/ //
voice translation-rule 1112
rule 1 /^9/ //
voice translation-rule 1113
rule 1 /^82\(...\)/ /\1/
voice translation-rule 1114
rule 1 /\(^...$\)/ /82\1/
voice translation-rule 2002
rule 1 /^6/ //
voice translation-rule 2222
rule 1 /^91900......./ //
rule 2 /^91976......./ //
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
voice translation-profile CallBlocking
translate called 2222
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate called 1112
voice translation-profile XFER_TO_VM_PROFILE
translate redirect-called 2002
voice translation-profile multisiteInbound
translate called 1113
voice translation-profile multisiteOutbound
translate calling 1114
voice translation-profile nondialable
translate called 1000
voice-card 0
dspfarm
dsp services dspfarm
fax interface-type fax-mail
license udi pid UC560-FXO-K9 sn FHK1445F43M
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 4 LcV6aBcc/53FoCJjXQMd7rBUDEpeevrK8V5jQVoJEhU
username pingerID password 7 06505D771B185F
ip tftp source-interface Vlan90
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group EZVPN_GROUP_1
key xxxxxxx
dns 213.42.20.20
pool SDM_POOL_1
save-password
max-users 20
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
crypto map multisite 1 ipsec-isakmp
description XXXXXXX
set peer xxxxxxxxxx.dyndns.biz dynamic
set transform-set ESP-3DES-SHA
match address 105
qos pre-classify
interface GigabitEthernet0/0
description $ETH-WAN$
no ip address
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Integrated-Service-Engine0/0
description Interface used to manage integrated application modulecue is initialized with default IMAP group
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly in
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface GigabitEthernet0/1/0
switchport mode trunk
switchport voice vlan 100
no ip address
macro description cisco-switch
interface GigabitEthernet0/1/1
switchport voice vlan 100
no ip address
macro description cisco-phone
spanning-tree portfast
interface GigabitEthernet0/1/2
no ip address
macro description cisco-desktop
spanning-tree portfast
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
no ip address
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
h323-gateway voip bind srcaddr 192.168.50.1
interface Vlan90
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip ddns update hostname xxxxxxxxxx.dyndns.biz
ip ddns update sdm_ddns1
ip address negotiated
ip access-group 104 in
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname CCCCCC
ppp chap password 7 071739545611015445
ppp pap sent-username CCCCC password 7 122356324SDFDBDB
ppp ipcp dns request
ppp ipcp route default
crypto map multisite
ip local pool SDM_POOL_1 192.168.50.150 192.168.50.160
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Vlan90
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_5##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 192.168.50.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.50.1 eq isakmp
access-list 101 permit esp any host 192.168.50.1
access-list 101 permit ahp any host 192.168.50.1
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit ip 10.1.10.0 0.0.0.3 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 102 permit udp any host 10.1.1.1 eq isakmp
access-list 102 permit esp any host 10.1.1.1
access-list 102 permit ahp any host 10.1.1.1
access-list 102 permit ip any any
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 10.1.10.0 0.0.0.3 any
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 10.1.10.2 eq non500-isakmp
access-list 103 permit udp any host 10.1.10.2 eq isakmp
access-list 103 permit esp any host 10.1.10.2
access-list 103 permit ahp any host 10.1.10.2
access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit ip any any
access-list 104 permit ip 192.168.50.0 0.0.0.255 any
access-list 104 permit ip 10.1.10.0 0.0.0.3 any
access-list 104 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit ip 10.0.0.0 0.255.255.255 any
access-list 104 permit ip 172.16.0.0 0.15.255.255 any
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip host 255.255.255.255 any
access-list 104 permit ip host 0.0.0.0 any
access-list 105 remark CryptoACL for xxxxxxxxxx
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.50.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 106
snmp-server community public RO
tftp-server flash:/phones/521_524/cp524g-8-1-17.bin alias cp524g-8-1-17.bin
tftp-server flash:/ringtones/Analog1.raw alias Analog1.raw
tftp-server flash:/ringtones/Analog2.raw alias Analog2.raw
tftp-server flash:/ringtones/AreYouThere.raw alias AreYouThere.raw
tftp-server flash:/ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xml
tftp-server flash:/ringtones/RingList.xml alias RingList.xml
tftp-server flash:/ringtones/AreYouThereF.raw alias AreYouThereF.raw
tftp-server flash:/ringtones/Bass.raw alias Bass.raw
tftp-server flash:/ringtones/CallBack.raw alias CallBack.raw
tftp-server flash:/ringtones/Chime.raw alias Chime.raw
tftp-server flash:/ringtones/Classic1.raw alias Classic1.raw
tftp-server flash:/ringtones/Classic2.raw alias Classic2.raw
tftp-server flash:/ringtones/ClockShop.raw alias ClockShop.raw
tftp-server flash:/ringtones/Drums1.raw alias Drums1.raw
tftp-server flash:/ringtones/Drums2.raw alias Drums2.raw
tftp-server flash:/ringtones/FilmScore.raw alias FilmScore.raw
tftp-server flash:/ringtones/HarpSynth.raw alias HarpSynth.raw
tftp-server flash:/ringtones/Jamaica.raw alias Jamaica.raw
tftp-server flash:/ringtones/KotoEffect.raw alias KotoEffect.raw
tftp-server flash:/ringtones/MusicBox.raw alias MusicBox.raw
tftp-server flash:/ringtones/Piano1.raw alias Piano1.raw
tftp-server flash:/ringtones/Piano2.raw alias Piano2.raw
tftp-server flash:/ringtones/Pop.raw alias Pop.raw
tftp-server flash:/ringtones/Pulse1.raw alias Pulse1.raw
tftp-server flash:/ringtones/Ring1.raw alias Ring1.raw
tftp-server flash:/ringtones/Ring2.raw alias Ring2.raw
tftp-server flash:/ringtones/Ring3.raw alias Ring3.raw
tftp-server flash:/ringtones/Ring4.raw alias Ring4.raw
tftp-server flash:/ringtones/Ring5.raw alias Ring5.raw
tftp-server flash:/ringtones/Ring6.raw alias Ring6.raw
tftp-server flash:/ringtones/Ring7.raw alias Ring7.raw
tftp-server flash:/ringtones/Sax1.raw alias Sax1.raw
tftp-server flash:/ringtones/Sax2.raw alias Sax2.raw
tftp-server flash:/ringtones/Vibe.raw alias Vibe.raw
tftp-server flash:/Desktops/CampusNight.png
tftp-server flash:/Desktops/TN-CampusNight.png
tftp-server flash:/Desktops/CiscoFountain.png
tftp-server flash:/Desktops/TN-CiscoFountain.png
tftp-server flash:/Desktops/CiscoLogo.png
tftp-server flash:/Desktops/TN-CiscoLogo.png
tftp-server flash:/Desktops/Fountain.png
tftp-server flash:/Desktops/TN-Fountain.png
tftp-server flash:/Desktops/MorroRock.png
tftp-server flash:/Desktops/TN-MorroRock.png
tftp-server flash:/Desktops/NantucketFlowers.png
tftp-server flash:/Desktops/TN-NantucketFlowers.png
tftp-server flash:Desktops/320x212x16/List.xml
tftp-server flash:Desktops/320x212x12/List.xml
tftp-server flash:Desktops/320x216x16/List.xml
tftp-server flash:/bacdprompts/en_bacd_allagentsbusy.au alias en_bacd_allagentsbusy.au
tftp-server flash:/bacdprompts/en_bacd_disconnect.au alias en_bacd_disconnect.au
tftp-server flash:/bacdprompts/en_bacd_enter_dest.au alias en_bacd_enter_dest.au
tftp-server flash:/bacdprompts/en_bacd_invalidoption.au alias en_bacd_invalidoption.au
tftp-server flash:/bacdprompts/en_bacd_music_on_hold.au alias en_bacd_music_on_hold.au
tftp-server flash:/bacdprompts/en_bacd_options_menu.au alias en_bacd_options_menu.au
tftp-server flash:/bacdprompts/en_bacd_welcome.au alias en_bacd_welcome.au
tftp-server flash:/bacdprompts/en_bacd_xferto_operator.au alias en_bacd_xferto_operator.au
radius-server attribute 31 send nas-port-detail
control-plane
voice-port 0/0/0
station-id number 401
caller-id enable
voice-port 0/0/1
station-id number 402
caller-id enable
voice-port 0/0/2
station-id number 403
caller-id enable
voice-port 0/0/3
station-id number 404
caller-id enable
voice-port 0/1/0
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/0-OP
caller-id enable
voice-port 0/1/1
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/1-OP
caller-id enable
voice-port 0/1/2
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/2-OP
caller-id enable
voice-port 0/1/3
trunk-group ALL_FXO 64
connection plar opx 201
description Configured by CCA 4 FXO-0/1/3-OP
caller-id enable
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
sccp local Vlan90
sccp ccm 10.1.1.1 identifier 1 version 4.0
sccp
sccp ccm group 1
associate ccm 1 priority 1
associate profile 2 register mtpd0d0fd057a40
dspfarm profile 2 transcode
description CCA transcoding for SIP Trunk Multisite Only
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
maximum sessions 10
associate application SCCP
dial-peer cor custom
name internal
name local
name local-plus
name international
name national
name national-plus
name emergency
name toll-free
dial-peer cor list call-internal
member internal
dial-peer cor list call-local
member local
dial-peer cor list call-local-plus
member local-plus
dial-peer cor list call-national
member national
dial-peer cor list call-national-plus
member national-plus
dial-peer cor list call-international
member international
dial-peer cor list call-emergency
member emergency
dial-peer cor list call-toll-free
member toll-free
dial-peer cor list user-internal
member internal
member emergency
dial-peer cor list user-local
member internal
member local
member emergency
member toll-free
dial-peer cor list user-local-plus
member internal
member local
member local-plus
member emergency
member toll-free
dial-peer cor list user-national
member internal
member local
member local-plus
member national
member emergency
member toll-free
dial-peer cor list user-national-plus
member internal
member local
member local-plus
member national
member national-plus
member emergency
member toll-free
dial-peer cor list user-international
member internal
member local
member local-plus
member international
member national
member national-plus
member emergency
member toll-free
dial-peer voice 1 pots
destination-pattern 401
port 0/0/0
no sip-register
dial-peer voice 2 pots
destination-pattern 402
port 0/0/1
no sip-register
dial-peer voice 3 pots
destination-pattern 403
port 0/0/2
no sip-register
dial-peer voice 4 pots
destination-pattern 404
port 0/0/3
no sip-register
dial-peer voice 5 pots
description ** MOH Port **
destination-pattern ABC
port 0/4/0
no sip-register
dial-peer voice 6 pots
description ôcatch all dial peer for BRI/PRIö
translation-profile incoming nondialable
incoming called-number .%
direct-inward-dial
dial-peer voice 50 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/0
dial-peer voice 51 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/1
dial-peer voice 52 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/2
dial-peer voice 53 pots
description ** incoming dial peer **
incoming called-number .%
port 0/1/3
dial-peer voice 54 pots
description ** FXO pots dial-peer **
destination-pattern A0
port 0/1/0
no sip-register
dial-peer voice 55 pots
description ** FXO pots dial-peer **
destination-pattern A1
port 0/1/1
no sip-register
dial-peer voice 56 pots
description ** FXO pots dial-peer **
destination-pattern A2
port 0/1/2
no sip-register
dial-peer voice 57 pots
description ** FXO pots dial-peer **
destination-pattern A3
port 0/1/3
no sip-register
dial-peer voice 2000 voip
description ** cue voicemail pilot number **
translation-profile outgoing XFER_TO_VM_PROFILE
destination-pattern 399
b2bua
session protocol sipv2
session target ipv4:10.1.10.1
voice-class sip outbound-proxy ipv4:10.1.10.1
dtmf-relay rtp-nte
codec g711ulaw
no vad
dial-peer voice 58 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9911
forward-digits all
no sip-register
dial-peer voice 59 pots
trunkgroup ALL_FXO
corlist outgoing call-emergency
description **CCA*North American-7-Digit*Emergency**
preference 5
destination-pattern 911
forward-digits all
no sip-register
dial-peer voice 60 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*7-Digit Local**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]......
forward-digits all
no sip-register
dial-peer voice 61 pots
trunkgroup ALL_FXO
corlist outgoing call-local
description **CCA*North American-7-Digit*Service Numbers**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9[2-9]11
forward-digits all
no sip-register
dial-peer voice 62 pots
trunkgroup ALL_FXO
corlist outgoing call-national
description **CCA*North American-7-Digit*Long Distance**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91[2-9]..[2-9]......
forward-digits all
no sip-register
dial-peer voice 63 pots
trunkgroup ALL_FXO
corlist outgoing call-international
description **CCA*North American-7-Digit*International**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 9011T
forward-digits all
no sip-register
dial-peer voice 64 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91800.......
forward-digits all
no sip-register
dial-peer voice 65 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91888.......
forward-digits all
no sip-register
dial-peer voice 66 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91877.......
forward-digits all
no sip-register
dial-peer voice 67 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91866.......
forward-digits all
no sip-register
dial-peer voice 68 pots
trunkgroup ALL_FXO
corlist outgoing call-toll-free
description **CCA*North American-7-Digit*Toll-Free**
translation-profile outgoing OUTGOING_TRANSLATION_PROFILE
preference 5
destination-pattern 91855.......
forward-digits all
no sip-register
dial-peer voice 2100 voip
corlist incoming call-internal
description **CCA*INTERSITE inbound call to xxxxxxxxxx
translation-profile incoming multisiteInbound
incoming called-number 82...
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
dial-peer voice 2101 voip
corlist incoming call-internal
description **CCA*INTERSITE outbound calls to xxxxxxxxxx
translation-profile outgoing multisiteOutbound
destination-pattern 81...
session target ipv4:192.168.10.1
voice-class h323 1
dtmf-relay h245-alphanumeric
fax protocol cisco
no vad
no dial-peer outbound status-check pots
telephony-service
sdspfarm units 5
sdspfarm transcode sessions 10
sdspfarm tag 2 mtpd0d0fd057a40
video
fxo hook-flash
max-ephones 138
max-dn 600
ip source-address 10.1.1.1 port 2000
auto assign 1 to 1 type bri
calling-number initiator
service phone videoCapability 1
service phone ehookenable 1
service dnis overlay
service dnis dir-lookup
service dss
timeouts interdigit 5
system message Cisco Small Business
url services http://10.1.10.1/voiceview/common/login.do
url authentication http://10.1.10.1/voiceview/authentication/authenticateOn 12/01/12 12:06, JebediahShapnacker wrote:
>
> Hello.
>
> I would like to setup a site to site VPN between 2 of our site. We have
> Bordermanager .7 on one end and IPCop on the other.
i'm not familiar with Bordermanager version but be sure you're using 3.9
with sp2 and sp2_it1 applied.
There are not specific documents that i'm aware that explains conf
between ipcop and bm but if ipcop behaves as standard ipsec device, you
can use as a guideline some of the docs that explains how to configure
bm with third party firewalls.
- AppNote: CISCO IOS 12.2(11) T with NBM 3.8 Server
Novell Cool Solutions: AppNote
By Upendra Gopu
- BorderManager and Novell Security Manager Site-to-Site VPN
Novell Cool Solutions: Feature
By Jenn Bitondo
- Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server
Author Info
8 November 2006 - 7:37pm
Submitted by: kchendil
- AppNote: NBM to Openswan: Site-to-site VPN Made Easy
Novell Cool Solutions: AppNote
By Gaurav Vaidya
- AppNote: Interoperability of Cisco PIX 500 and NBM 3.8 VPN
Novell Cool Solutions: AppNote
By Sreekanth Settipalli
Digg This - Slashdot This
Posted: 28 Oct 2004
etc -
One router on ASA 5505 Site to Site VPN can't ping other router
I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname SaskASA
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.16.0_23
subnet 192.168.16.0 255.255.254.0
object network NETWORK_OBJ_192.168.2.0_23
subnet 192.168.2.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 192.168.16.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.16.100-192.168.16.200 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_207.228.xx.xxinternal
group-policy GroupPolicy_207.228.xx.xx attributes
vpn-tunnel-protocol ikev1 ikev2
username User password shbn5zbLkuHP/mJX encrypted privilege 15
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxgeneral-attributes
default-group-policy GroupPolicy_207.228.xx.xx
tunnel-group 207.228.xx.xxipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f06bd1d6d063318339d98417b171175e
: end
Any ideas? Thanks.I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(1)
hostname SiteA
domain-name domain
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.6
domain-name domain
object-group network DM_INLINE_NETWORK_1
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.12.0 255.255.254.0
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
access-list VPNGeo_splitTunnelAcl standard permit any
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.2.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 208.119.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 208.119.xx.xx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 208.119.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 70.64.xx.xx
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 inside
dhcpd auto_config outside interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGeo internal
group-policy VPNGeo attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGeo_splitTunnelAcl
username user password shbn5zbLkuHP/mJX encrypted privilege 15
username namepassword vP98Lj8Vm5SLs9PW encrypted
username nameattributes
vpn-group-policy VPNGeo
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxipsec-attributes
pre-shared-key *
tunnel-group VPNGeo type remote-access
tunnel-group VPNGeo general-attributes
address-pool GeoVPNPool
default-group-policy VPNGeo
tunnel-group VPNGeo ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xx type ipsec-l2l
tunnel-group 208.119.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 70.64.xx.xxtype ipsec-l2l
tunnel-group 70.64.xx.xxipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
: end -
Site-to-site vpn with 2 asa and home router
I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
Internal Network Local ASA ISP1 ISP2 Remote Router Remote ASA Remote Network
192.168.1.0/24 local-gateway/public ip public ip/192.168.0.1/24 192.168.0.10/10.10.10.254 10.10.10.0/24
10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
Below are the configs of the local and remote asa. any help would be greatly appreaciated.
local-asa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Switch
host 192.168.1.5
description 2960-24 Switch
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark_Public
host 76.98.2.63
description Mark Public
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
object network Mark_routed_subnet
subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
access-list Home standard permit 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.1.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa accounting enable console Radius
aaa accounting serial console Radius
aaa accounting ssh console Radius
aaa accounting telnet console Radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.162.9.0 255.255.255.0 outside
http 76.98.2.63 255.255.255.255 outside
http 10.10.10.0 255.255.255.0 inside
snmp-server host inside 192.168.1.101 community *****
snmp-server location 149 Cinder Cross
snmp-server contact Ted Stout
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 76.98.2.63
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=stout-fw
keypair vpn.stoutte.homeip.net
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint Home--Server-CA
enrollment terminal
subject-name CN=stout-fw,O=home
keypair HOME-SERVER-CA
crl configure
crypto ca trustpoint HOME-SSL
enrollment terminal
fqdn stoutfw.homeip.net
subject-name CN=stoutfw,O=Home
keypair HOME-SSL
no validation-usage
crl configure
crypto ca trustpoint SelfSigned
enrollment self
fqdn stoutfw.homeip.net
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 192.168.1.6
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.5 source inside prefer
ssl trust-point SelfSigned outside
ssl trust-point ASDM_TrustPoint2 inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
username stoutte attributes
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN_client_profile type user
tunnel-group 76.98.2.63 type ipsec-l2l
tunnel-group 76.98.2.63 general-attributes
default-group-policy GroupPolicy1
tunnel-group 76.98.2.63 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_VPN
dhcp-server link-selection 192.168.1.101
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
remote-asa
: Saved
ASA Version 9.1(1)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name netlab.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Ted
subnet 192.168.1.0 255.255.255.0
description Teds Network
object network Ted_Public
host 24.163.116.187
object network outside_private
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip object Ted_Public any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 24.163.116.187 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 24.163.116.187
crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map2 interface outside
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.1-10.10.10.20 inside
dhcpd enable inside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
tunnel-group 24.163.116.187 type ipsec-l2l
tunnel-group 24.163.116.187 general-attributes
default-group-policy GroupPolicy1
tunnel-group 24.163.116.187 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
: end
no asdm history enableI am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
Internal Network Local ASA ISP1 ISP2 Remote Router Remote ASA Remote Network
192.168.1.0/24 local-gateway/public ip public ip/192.168.0.1/24 192.168.0.10/10.10.10.254 10.10.10.0/24
10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
Below are the configs of the local and remote asa. any help would be greatly appreaciated.
local-asa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Switch
host 192.168.1.5
description 2960-24 Switch
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark_Public
host 76.98.2.63
description Mark Public
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
object network Mark_routed_subnet
subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
access-list Home standard permit 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.1.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa accounting enable console Radius
aaa accounting serial console Radius
aaa accounting ssh console Radius
aaa accounting telnet console Radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.162.9.0 255.255.255.0 outside
http 76.98.2.63 255.255.255.255 outside
http 10.10.10.0 255.255.255.0 inside
snmp-server host inside 192.168.1.101 community *****
snmp-server location 149 Cinder Cross
snmp-server contact Ted Stout
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 76.98.2.63
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=stout-fw
keypair vpn.stoutte.homeip.net
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint Home--Server-CA
enrollment terminal
subject-name CN=stout-fw,O=home
keypair HOME-SERVER-CA
crl configure
crypto ca trustpoint HOME-SSL
enrollment terminal
fqdn stoutfw.homeip.net
subject-name CN=stoutfw,O=Home
keypair HOME-SSL
no validation-usage
crl configure
crypto ca trustpoint SelfSigned
enrollment self
fqdn stoutfw.homeip.net
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 192.168.1.6
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.5 source inside prefer
ssl trust-point SelfSigned outside
ssl trust-point ASDM_TrustPoint2 inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
username stoutte attributes
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN_client_profile type user
tunnel-group 76.98.2.63 type ipsec-l2l
tunnel-group 76.98.2.63 general-attributes
default-group-policy GroupPolicy1
tunnel-group 76.98.2.63 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_VPN
dhcp-server link-selection 192.168.1.101
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
remote-asa
: Saved
ASA Version 9.1(1)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name netlab.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Ted
subnet 192.168.1.0 255.255.255.0
description Teds Network
object network Ted_Public
host 24.163.116.187
object network outside_private
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip object Ted_Public any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 24.163.116.187 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 24.163.116.187
crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map2 interface outside
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.1-10.10.10.20 inside
dhcpd enable inside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
tunnel-group 24.163.116.187 type ipsec-l2l
tunnel-group 24.163.116.187 general-attributes
default-group-policy GroupPolicy1
tunnel-group 24.163.116.187 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
: end
no asdm history enable -
Site-to-Site VPN btw Pix535 and Router 2811, can't get it work
Hi, every one, I spent couple of days trying to make a site-to-site VPN between PIX535 and router 2811 work but come up empty handed, I followed instructions here:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
#1: PIX config:
: Saved
: Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
PIX Version 8.0(4)
hostname pix535
interface GigabitEthernet0
description to-cable-modem
nameif outside
security-level 0
ip address X.X.138.132 255.255.255.0
ospf cost 10
interface GigabitEthernet1
description inside 10/16
nameif inside
security-level 100
ip address 10.1.1.254 255.255.0.0
ospf cost 10
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
global (outside) 10 interface
global (outside) 15 1.2.4.5
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 15 10.1.0.0 255.255.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
group-policy GroupPolicy1 internal
group-policy cnf-vpn-cls internal
group-policy cnf-vpn-cls attributes
wins-server value 10.1.1.7
dns-server value 10.1.1.7 10.1.1.205
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value x.com
username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key secret1
radius-sdi-xauth
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cnf-vpn-cls type remote-access
tunnel-group cnf-vpn-cls general-attributes
address-pool cnf-8-ip
default-group-policy cnf-vpn-cls
tunnel-group cnf-vpn-cls ipsec-attributes
pre-shared-key secret2
isakmp ikev1-user-authentication none
tunnel-group cnf-vpn-cls ppp-attributes
authentication ms-chap-v2
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
: end
#2: Router 2811 config:
! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname LA-2800
crypto pki trustpoint TP-self-signed-1411740556
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1411740556
revocation-check none
rsakeypair TP-self-signed-1411740556
crypto pki certificate chain TP-self-signed-1411740556
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343131 37343035 3536301E 170D3132 31303136 32303435
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313137
34303535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F75F F1BDAD9B DE9381FD 165B5188 7EAF9685 CF15A317 1B424825 9C66AA28
C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 84373199 C4BCF9E0
E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019
A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33
35AF0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 074C412D 32383030 301F0603 551D2304 18301680 14B56EEB
88054CCA BB8CF8E8 F44BFE2C B77954E1 52301D06 03551D0E 04160414 B56EEB88
054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300D0609 2A864886 F70D0101 04050003
81810056 58755C56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D20452
E7F40F42 8B355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D
310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC
659C4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322
quit
crypto isakmp policy 1
authentication pre-share
crypto isakmp key SECRET address X.X.138.132 no-xauth
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
interface FastEthernet0/0
description WAN Side
ip address X.X.216.29 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map la-2800-ipsec-policy
interface FastEthernet0/1
description LAN Side
ip address 10.20.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed auto
no mop enabled
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 10 permit X.X.138.132
access-list 99 permit 64.236.96.53
access-list 99 permit 98.82.1.202
access-list 101 remark vpn tunnerl acl
access-list 101 remark SDM_ACL Category=4
access-list 101 remark tunnel policy
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.20.0.0 0.0.0.255 any
snmp-server community public RO
route-map nonat permit 10
match ip address 110
webvpn gateway gateway_1
ip address X.X.216.29 port 443
ssl trustpoint TP-self-signed-1411740556
inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn context gateway-1
title "b"
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "WebVPN-Pool"
svc keep-client-installed
svc split include 10.20.0.0 255.255.0.0
default-group-policy policy_1
gateway gateway_1
inservice
end
#3: Test from Pix to router:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: X.X.21.29
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
>>DEBUG:
Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
#4: test from router to pix:
LA-2800#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 0 ACTIVE
>>debug
LA-2800#ping 10.1.1.7 source 10.20.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
Packet sent with a source address of 10.20.1.1
Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE
Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Oct 22 16:24:34.053: ISAKMP: encryption DES-CBC
Oct 22 16:24:34.053: ISAKMP: hash SHA
Oct 22 16:24:34.053: ISAKMP: default group 1
Oct 22 16:24:34.053: ISAKMP: auth pre-share
Oct 22 16:24:34.053: ISAKMP: life type in seconds
Oct 22 16:24:34.053: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:received payload type 20
Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : X.X.216.29
protocol : 17
port : 500
length : 12
Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
Success rate is 0 percent (0/5)
LA-2800#
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE
Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
****** The PIX is also used VPN client access , such as Cicso VPN client 5.0, working fine ; Router is used as SSL VPN server, working too
I know there are lots of data here, hopefully these data may be useful for diagnosis purpose.
Any suggestions and advices are greatly appreciated.
SeanHi Sean,
Current configuration:
On the PIX:
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.21.29
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
tunnel-group X.X.21.29 type ipsec-l2l
tunnel-group X.X.21.29 ipsec-attributes
pre-shared-key SECRET
On the Router:
crypto isakmp policy 1
authentication pre-share
crypto map la-2800-ipsec-policy 1 ipsec-isakmp
description vpn ipsec policy
set peer X.X.138.132
set transform-set la-2800-trans-set
match address 101
access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
crypto isakmp key SECRET address X.X.138.132 no-xauth
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez -
Site to Site VPN between ASA 5505 and Cisco 800 router
Evening all,
Hoping that someboy can see the error of my ways. It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300
We have a cisco 800 in a remote site which we wanted to use for a site to site vpn. Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected. Getting traffic through it is another matter. Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192....... Both the ASA and 800 report the tunnel is up. If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back. I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA. Here is the config from the 800:
Building configuration...
Current configuration : 6488 bytes
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname hhp-sty-backup
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local
aaa session-id common
crypto pki trustpoint TP-self-signed-1347488939
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1347488939
revocation-check none
rsakeypair TP-self-signed-1347488939
crypto pki certificate chain TP-self-signed-1347488939
certificate self-signed 02
30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734
38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7
0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513
D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046
4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA
8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61
696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A
0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F
5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7
789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432
66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6
C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF
447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp pool inside
ip dhcp pool lan_network
network 172.20.224.0 255.255.240.0
dns-server 8.8.8.8 8.8.4.4
default-router 172.20.224.1
lease 7
ip cef
no ip domain lookup
ip domain name yourdomain.com
password encryption aes
username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1
username admin privilege 15 password 0 434Zaty
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 217.36.32.222
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.36.32.222
set peer 217.36.32.222
set transform-set ESP-3DES-SHA
match address 100
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.20.224.1 255.255.240.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B6*******.btclick.com
ppp chap password 0 H*******
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 172.4.0.0 0.240.255.255
access-list 10 permit 195.12.1.35
access-list 10 permit 172.4.0.0 0.240.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 172.4.0.0 0.240.255.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
password 434Zaty
transport input telnet ssh
scheduler max-task-time 5000
end
Any help will be most gratefully recieved.Rick,
Thanks for replying. Here is the output from the 800 Show Crypto command:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and this is the running config frm our ASA at HQ:
Result of the command: "sh run"
: Saved
ASA Version 8.2(1)
hostname secure-access
domain-name hhp.com
enable password UWWykvGjAPmxufUo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT
ip address 217.36.32.222 255.255.255.255 pppoe
interface Vlan12
nameif DMZ
security-level 50
ip address 192.168.169.1 255.255.255.0
interface Vlan22
nameif Wireless_HHP
security-level 100
ip address 172.16.36.1 255.255.254.0
interface Vlan32
nameif CNES
security-level 100
ip address 187.187.168.1 255.255.0.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 12
interface Ethernet0/3
switchport access vlan 22
interface Ethernet0/4
switchport access vlan 32
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
switchport access vlan 12
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns domain-lookup Wireless_HHP
dns domain-lookup CNES
dns server-group DefaultDNS
name-server 192.168.168.2
domain-name hhp.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NET-cnes_HHP-Sty
network-object 172.20.224.0 255.255.240.0
object-group network NET-cnes_HHP-Balivanich
network-object 172.20.192.0 255.255.240.0
object-group network Oak-DC1
network-object 192.168.168.2 255.255.255.255
object-group network Maple-DC2
network-object 192.168.168.3 255.255.255.255
object-group network HHP_Domain_Controllers
group-object Oak-DC1
group-object Maple-DC2
object-group network PC-Support
network-object 187.187.60.1 255.255.255.255
network-object 187.187.60.2 255.255.255.254
network-object 187.187.60.4 255.255.255.254
network-object 187.187.60.6 255.255.255.255
object-group network ELM-ActiveH
network-object 192.168.168.6 255.255.255.255
object-group network Pine-GP
network-object 192.168.168.12 255.255.255.255
object-group network HHP_Application_Servers
group-object ELM-ActiveH
group-object Pine-GP
object-group network Fern-TS1
network-object 192.168.168.4 255.255.255.255
object-group network Fir-TS2
network-object 192.168.168.5 255.255.255.255
object-group network HHP_Terminal_Servers
group-object Fern-TS1
group-object Fir-TS2
object-group service Global_Catalog_LDAP
description (Generated by Cisco SM from Object "Global Catalog LDAP")
service-object tcp eq 3268
object-group service Global_Catalog_LDAP_SSL
description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
service-object tcp eq 3269
object-group service UDP-389
description UDP port for LDAP
service-object udp eq 389
object-group service TCP-88
description TCP Port 88
service-object tcp eq 88
object-group service TCP-445
description SMB
service-object tcp eq 445
object-group network John_-_Laptop
description John's Laptop
network-object 187.187.10.65 255.255.255.255
object-group network Graham_-_PC
description Graham Morrison's PC
network-object 187.187.10.90 255.255.255.255
object-group network john_test
network-object 187.187.40.7 255.255.255.255
object-group network Iain_PC
description Iain Macaulay IT
network-object 187.187.10.19 255.255.255.255
object-group network John_-_PC
description John MacPhail's PC
network-object 187.187.10.7 255.255.255.255
object-group network it-alahen-lap
network-object 187.187.10.230 255.255.255.255
object-group network Catriona_-_Laptop
description Catriona's Laptop
network-object 187.187.10.60 255.255.255.255
object-group network Graham_-_Laptop
network-object 187.186.10.120 255.255.255.255
object-group network it-innive-xp
description Innes MacIver's PC
network-object 187.187.10.14 255.255.255.255
object-group network it-alahen-xp
description Desktop
network-object 187.187.10.229 255.255.255.255
object-group network Cat_-_PC
description Catriona Macmillan's PC
network-object 187.187.10.4 255.255.255.255
object-group network it-davdon-xp
description Desktop
network-object 187.187.160.7 255.255.255.255
object-group network cat-laptop
description Catriona's Laptop addresses
network-object 187.187.77.81 255.255.255.255
network-object 187.187.77.82 255.255.255.255
object-group network Catriona_old_pc
network-object 187.187.10.44 255.255.255.255
object-group network cat-tablet
description Catriona's Tablet ip address's
network-object 187.187.77.78 255.255.255.254
object-group network DSO-SQLServer
description Task Database Server
network-object 187.187.1.33 255.255.255.255
object-group network it-finfernew-xp
description Findlay Ferguson PC
network-object 187.187.10.153 255.255.255.255
object-group network PC_Support
group-object John_-_Laptop
group-object Graham_-_PC
group-object john_test
group-object Iain_PC
group-object John_-_PC
group-object it-alahen-lap
group-object Catriona_-_Laptop
group-object Graham_-_Laptop
group-object it-alahen-xp
group-object Cat_-_PC
group-object it-davdon-xp
group-object cat-laptop
group-object Catriona_old_pc
group-object cat-tablet
group-object it-innive-xp
network-object 187.187.1.128 255.255.255.255
network-object 187.187.10.76 255.255.255.255
group-object DSO-SQLServer
network-object 187.187.15.234 255.255.255.255
network-object 187.187.4.60 255.255.255.255
network-object 187.187.10.134 255.255.255.255
network-object 172.18.194.22 255.255.255.255
group-object it-finfernew-xp
object-group network Entire_CNE
description Entire CNE range
network-object 187.0.0.0 255.0.0.0
object-group network NET-cnes_HHP-Sty-Staff
network-object 172.20.225.0 255.255.255.0
object-group network NET-cnes_HHP-Balivanich-staff
network-object 172.20.193.0 255.255.255.0
object-group network Alder-Intranet
network-object 192.168.168.13 255.255.255.255
object-group network Aspen-ISA
network-object 192.168.168.10 255.255.255.255
object-group service tcp-8080
description TCP Port 8080
service-object tcp eq 8080
object-group network Beech-External
network-object 217.36.32.210 255.255.255.255
object-group network it-csm
description cisco security manager
network-object 187.187.1.72 255.255.255.255
object-group network Juniper-External
description Internet Server
network-object 217.36.32.211 255.255.255.255
object-group network HHP_Server_Network
network-object 192.168.168.0 255.255.255.0
object-group network Messagelabs_Incoming_HHP
network-object 67.219.240.0 255.255.240.0
network-object 95.131.104.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 216.82.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 194.106.220.0 255.255.254.0
object-group network Angus-Maclean-PC
network-object 187.187.10.250 255.255.255.255
object-group service RDP
service-object tcp eq 3389
object-group network it-dbserver
description Database Server (Live)
network-object 187.187.1.65 255.255.255.255
object-group network it-sql-test
description Test SQL / database server
network-object 187.187.1.81 255.255.255.255
object-group service DNS-Resolving
description Domain Name Server
service-object tcp eq domain
service-object udp eq domain
object-group network Beech-Exchange
network-object 192.168.168.91 255.255.255.255
object-group network Messagelabs_-_Incoming
description List of MessageLab addresses that SMTP connections are accepted from
network-object 212.125.75.0 255.255.255.224
network-object 216.82.240.0 255.255.240.0
network-object 195.216.16.211 255.255.255.255
network-object 194.205.110.128 255.255.255.224
network-object 194.106.220.0 255.255.254.0
network-object 193.109.254.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 62.173.108.208 255.255.255.240
network-object 62.173.108.16 255.255.255.240
network-object 212.125.74.44 255.255.255.255
network-object 195.245.230.0 255.255.254.0
network-object 85.158.136.0 255.255.248.0
object-group network MIS_Support
network-object 192.168.168.250 255.255.255.254
object-group network it-donadon-xp
description Donald Macdonald's PC
network-object 187.187.10.13 255.255.255.255
object-group network Angela_PC
network-object 187.187.10.155 255.255.255.255
object-group network Katie_PC
network-object 187.187.10.151 255.255.255.255
object-group network Pauline_PC
network-object 187.187.10.12 255.255.255.255
object-group network it-paye-net
network-object 187.187.1.92 255.255.255.255
object-group network MessageLabs-Towers
description Message Labs IP Address ranges
network-object 216.82.240.0 255.255.240.0
network-object 67.219.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 95.131.104.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 212.125.75.16 255.255.255.240
object-group network NET_cnes-castlebay-staff
network-object 172.19.17.0 255.255.255.0
object-group network NET_cnes_tarbert_staff
description NET_cnes_tarbert_staff
network-object 172.19.33.0 255.255.255.0
object-group network Juniper
network-object 192.168.169.5 255.255.255.255
object-group network HHP_DMZ_Network
network-object 192.168.169.0 255.255.255.0
object-group network Ash
network-object 192.168.168.100 255.255.255.255
object-group service UDP-445
service-object udp eq 445
object-group service tcp-udp-135-139
service-object tcp-udp range 135 139
object-group network HHP-ELM
description HHP's ELM ActiveH server
network-object 187.187.1.203 255.255.255.255
object-group network CNES-Ext-GW
description CNES External Address
network-object 194.83.245.242 255.255.255.255
object-group service IPSEC
description IPSEC
service-object 57
service-object ah
service-object esp
service-object udp eq isakmp
object-group network Alamur-PC
network-object 187.187.10.15 255.255.255.255
object-group network Iain-Nicolson-PC
network-object 187.187.10.159 255.255.255.255
object-group network HHP_Remote_Access_Pool
network-object 192.168.168.200 255.255.255.248
network-object 192.168.168.208 255.255.255.240
network-object 192.168.168.224 255.255.255.252
network-object 192.168.168.228 255.255.255.254
object-group network Holly-AV
network-object 192.168.168.9 255.255.255.255
object-group service AVG_Ports
description For AVG server to HHP PCs
service-object tcp-udp eq 6150
service-object tcp-udp eq 6051
service-object tcp-udp eq 445
service-object tcp-udp eq 138
service-object tcp-udp eq 135
service-object tcp-udp eq 6054
service-object tcp-udp eq 4158
service-object tcp-udp eq 139
service-object tcp-udp eq 137
object-group network CNES_Access
network-object 192.168.168.230 255.255.255.254
network-object 192.168.168.232 255.255.255.248
network-object 192.168.168.240 255.255.255.248
network-object 192.168.168.248 255.255.255.254
object-group network HHP-068
description BACS PC
network-object 172.20.225.6 255.255.255.255
object-group network Banyan
network-object 192.168.168.105 255.255.255.255
object-group service TCP81
description TCP Port 81
service-object tcp eq 81
object-group network Gavin_-_new_PC
network-object 187.187.10.150 255.255.255.255
object-group network Secudoors
network-object 172.20.224.4 255.255.255.255
access-list outside_access_in remark Time sync to external ntp server
access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp
access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp
access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network
access-list outside_access_in extended permit tcp any object-group Juniper-External eq www
access-list outside_access_in extended permit tcp any object-group Juniper-External eq https
access-list outside_access_in extended deny ip any any
access-list outside_access_in_1 extended permit ip any any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any
access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any
access-list CSM_FW_ACL_inside remark For Symantec Liveupdates
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https
access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES
access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW
access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network
access-list CSM_FW_ACL_inside remark Time sync to external ntp server
access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp
access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https
access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper
access-list CSM_FW_ACL_inside extended deny ip any any
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https
access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL
access-list CSM_FW_ACL_CNES remark server's access (Task)
access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments
access-list CSM_FW_ACL_CNES remark and Tenancy Changes
access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network
access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224
access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support
access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH
access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended deny ip any any
access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu DMZ 1500
mtu Wireless_HHP 1500
mtu CNES 1500
ip local pool CNES_Access 192.168.168.230-192.168.168.249
ip local pool MIS_Support 192.168.168.250-192.168.168.251
ip local pool OLM-VPN-Pool 192.168.168.252
ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255
nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0
static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0
static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0
static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0
static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255
static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255
static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0
access-group CSM_FW_ACL_inside in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group CSM_FW_ACL_DMZ in interface DMZ
access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
access-group CSM_FW_ACL_CNES in interface CNES
route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1
route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HHP protocol ldap
aaa-server HHP (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_1 protocol ldap
aaa-server HHP_1 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_3 protocol ldap
aaa-server HHP_3 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 194.83.245.242 255.255.255.255 outside
http 187.187.1.72 255.255.255.255 CNES
http 187.187.10.90 255.255.255.255 CNES
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.136.160.237
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn none
subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB
keypair SSL_Certificate
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn none
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0100000000012790a5c005
30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86
4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469
6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261
6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e
697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431
34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504
06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504
07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269
6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564
312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465
616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101
05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9
3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23
af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503
fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb
3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055
6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4
77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b
3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98
8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06
03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049
06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470
3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f
6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470
3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469
6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750
baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363
6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d
13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020
06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303
304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06
01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65
742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0
300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355
de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2
6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843
ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c
6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078
9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594
ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40
c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557
b320c4c1 0015d1b7 daad7527 930b0c90 7711704f
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0400000000011e44a5f52a
30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86
4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030
305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69
64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e
302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e
2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105
00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4
ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea
22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540
f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5
462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9
93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8
36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4
80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529
e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603
551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100
301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30
4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601
05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574
2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268
7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372
6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706
0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830
16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7
0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f
9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487
c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce
d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642
beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd
32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff
fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae
e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced
90ec3292 88d9c823 6c7421
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 187.187.1.41 255.255.255.255 inside
ssh 187.187.1.72 255.255.255.255 inside
ssh 187.187.77.81 255.255.255.255 inside
ssh 187.187.10.19 255.255.255.255 inside
ssh 187.187.10.229 255.255.255.255 inside
ssh 187.187.160.7 255.255.255.255 inside
ssh 187.187.1.41 255.255.255.255 outside
ssh 187.187.1.72 255.255.255.255 outside
ssh 187.187.77.81 255.255.255.255 outside
ssh 187.187.10.19 255.255.255.255 outside
ssh 187.187.10.229 255.255.255.255 outside
ssh 187.187.160.7 255.255.255.255 outside
ssh timeout 15
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname B*******.btclick.com
vpdn group BT ppp authentication chap
vpdn username B*******@hg39.btclick.com password *********
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
group-policy HHP_Remote_Access_1 internal
group-policy HHP_Remote_Access_1 attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP_Remote_Access internal
group-policy HHP_Remote_Access attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy Omfax internal
group-policy Omfax attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec webvpn
webvpn
svc ask none default webvpn
group-policy MIS_1 internal
group-policy MIS_1 attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
default-domain value hhp.com
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
group-policy CNES_Access internal
group-policy CNES_Access attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP internal
group-policy HHP attributes
dhcp-network-scope none
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
split-tunnel-policy tunnelall
split-tunnel-network-list none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
webvpn
url-list value Severs
filter none
homepage none
port-forward disable
http-proxy disable
sso-server none
svc dtls none
svc keep-installer none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
svc modules none
svc profiles none
svc ask none default webvpn
customization none
http-comp none
user-storage none
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
deny-message none
group-policy MIS internal
group-policy MIS attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
username test password Kg/Rgy23do7gPGTv encrypted privilege 0
username test attributes
vpn-group-policy HHP_Remote_Access
username catneil password yOgiHCGobUNIkjcN encrypted privilege 0
username omfax password pvUaCLwilGmQVifd encrypted privilege 0
username backup password IHQbl.JAoESlM9Jv encrypted privilege 0
username misadmin password 8IZXmHa67HIJYHK1 encrypted
username misadmin attributes
service-type remote-access
username gramor password ne829U0rGFVEedhY encrypted privilege 15
username gramor attributes
vpn-group-policy HHP_Remote_Access
webvpn
url-list value Severs
username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0
username aim_user attributes
vpn-group-policy CNES_Support
username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0
username katask attributes
vpn-group-policy CNES_Support
username janboyd password ZEUyykwzME6hII2i encrypted privilege 0
username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0
username marste password amwTL584WdiT87Tb encrypted privilege 0
username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0
username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0
username anglea attributes
vpn-group-policy CNES_Support
username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authentication-server-group HHP_1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group HHP_1
default-group-policy HHP
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.168.2 timeout 2 retry 2
nbns-server 192.168.168.3 timeout 2 retry 2
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
authentication-server-group HHP_3
default-group-policy HHP
username-from-certificate UID
tunnel-group CNES_Access -
i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec
Hi josedilone19
GRE is used when you need to pass Broadcast or multicast traffic. That's the main function of GRE.
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
However there are some other important aspect to consider:
In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
GRE tunnels encase multiple protocols over a single-protocol backbone.
GRE tunnels provide workarounds for networks with limited hops.
GRE tunnels connect discontinuous sub-networks.
GRE tunnels allow VPNs across wide area networks (WANs).
-Hope this helps - -
2 x 2911 HSEC router 3 ADSL connections each Site ti Site VPN Load Balancing Failover
Hello,
My senario is as described in Title.
Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
All ADSL connections have static IPs and belong to same ISP.
Need - Site to Site VPN between the routers.
Client requests to load balance the traffic, due to poor ADSL speed and have a failover senarion in case an ADSL line goes down.
Any help will be appreciated.I don't believe you will find a One solution for this.
An idea would be to have all three ADSLs paired with ADSL on the other side.
Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric.
This will cause IOS to load balance natively.
Potential problem: return path might not be the same as forward path, but it should not matter much for most applications.
Potential cool thing you can do: All the "magical" things in routing world (Did I head PfR?). FlexVPN on top to make it more flexible.
Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. -
Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?
Hi All,
Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
To best explain the question I have put together an example scenario:
Lets say we have three sites, which are all connected via a separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
Routing on the outside interface is not of concern in this scenario.
The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
VLSM is not cleanly summarised per site. (I know this flys against VLSM best practice, but makes the scenario clearer...)
New subnets are added and removed at each site on a frequent basis.
EIGRP will be running on each core router, and any stub routers at each site.
So this results in the following example topology, of which I have exaggerated the VLSM position:
(http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASAs routing table to chose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
Is there a better method to propagate the routing information dynamically around the example scenario above?
Is there a way to have dynamic crypto maps based on router information?
P.S. Diagram above produced via http://www.diagram.ly/Hi Guys,
Thanks for your responses! I am learning here, hence the post.
David: I had looked in to the potential for GRE tunnels, but the side-effects could out weight the benifits. The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA. In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
ospf network point-to-point non-broadcastSpecifies the interface as a point-to-point, non-broadcast network.When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
Otherwise I would agree it would be happy days...
Any other ideas (maybe around iBGPs like OSPF) which do not envolve GRE tunnels or terminating the IPSEC on the core router please?
Kindest Regards,
James. -
How to configure routing on site to site VPN(RV215W)
Hi all
I have set up a VPN between a RV215W and SRP521 (site to site)
The VPN is up and connection is established on both side.
However I cannot connect from one network to another (No ping, no connection)
When I checked teh configuration, I noticed that route table on RV215W does not show any ipsec interface nor the route to the remote network
Any hint how to configure this route over the VPN? Should I do it manually or is it a paramater to be made automaticaly?
On the SRP215 the routing is as follow
Destination LAN IP
Subnet Mask
Gateway
Interface
192.168.100.0
255.255.255.0
VLAN100
192.168.15.0
255.255.255.0
VLAN1
192.168.25.0
255.255.255.0
141.48.36.1
ipsec0
41.0.0.0
255.0.0.0
WAN1
41.0.0.0
255.0.0.0
ipsec0
0.0.0.0
0.0.0.0
141.48.36.1
WAN1
On the SRP only local and WAN are displayedHi,
Don't worry about your English - it is good. I am not a native English speaker, either.
You are correct - Cisco's IS-IS has no internal support for optional metrics. The only metric value that is going to be used in best path selection is the default metric. Regarding considerations about metrics in IS-IS, the only consideration I find important is that all new IS-IS deployments should use wide metrics. These can be activated using the metric-style wide in the router isis configuration. Wide metrics allow you to use a significantly wider metric range than the original IS-IS standard: 24 bits for interface metric, and 32 bits for total path metric. It is important to say that all L1 routers within an area, or all L2 routers in the domain must use the same metric type, either the classic (also called narrow) or the new wide metrics.
Apart from that, there are no special considerations I am aware of. The choice of metric values for a particular interface is completely up to you. Of course you might want to configure lower metrics for faster interfaces (and vice versa), but what values you choose is up to you.
Best regards,
Peter
Maybe you are looking for
-
My trackpad is not working, (4 month old macbook pro)
I have a 4 month brand-new macbook pro which is not heavily used at all, one day my trackpad is working fine, today it is moving around extremely erratically, switching from screen to screen, going to mission control with only one finger swipe etc. I
-
Sound distortion every 20 sec on Satellite C
When listening to audio both with and without headphones, every 20 seconds or so the sound output becomes distorted for several seconds and in some cases this sound distortion also causes the computer display to freeze completely. My PC is a Toshiba
-
How can we debug the deleted object?
If one of the object is deleted from the universe and which is in the existing universe, The report will not work. if we refresh the data in the report we will get an error like "Some objects are no longer available in the universe". Is there any way
-
Why can I not select multiple items in Muse using Shift Click after installing update?
I am trying to select multiple items on a Muse page by holding shift and clicking each items. This has been pretty much my standard method across Adobe products but after updating Muse it will no longer let me do this. Am I missing something or did t
-
Using I-photo '11, cannot open "themes, music, or setting" toolbars. Worked earlier with a slideshow(s) I was working on. Re-installed I-Photo and upgrades (lost all of my slideshows in the process). Back where I started. None of the tools respond wh