Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

Similar Messages

• Need help setting up site-to-site VPN between two ASA 5505's

  We have been pulling our hair outtrying to solve this. Below is the running configs for both Sites. We have always used Junipers prior to this. It does not appear that the tunnel is getting created. Any help would be greatly appreciated
  Basic
  Network A: (Dallas)
  10.180.1.0 / 24
  Network B: (Georgia)
  10.180.2.0 /24
  Running Config on Dallas ASA
  : Saved
  ASA Version 8.4(4)1
  hostname ACH-DALLAS
  enable password baW0bWk3Oyn6cZhc encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.180.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 71.123.179.111 255.255.255.0
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns domain-lookup inside
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Route
  subnet 0.0.0.0 0.0.0.0
  object network Outside
  host 71.123.179.111
  object network Server
  host 10.180.1.3
  object service FTP
  service tcp source range ftp-data ftp destination range ftp-data ftp
  description FTP
  object network FTP_Server
  host 10.180.1.3
  description FTP Server
  object network Site-A-Dallas-Subnet
  subnet 10.180.1.0 255.255.255.0
  description Dallas
  object network Site-B-Georgia-Firewall
  host 173.227.90.194
  description Georgia Firewall
  object network Site-B-Georgia-Subnet
  subnet 10.180.2.0 255.255.255.0
  description Georgia
  object network Georgia
  subnet 10.180.2.0 255.255.255.0
  object network Dallas
  subnet 10.180.1.0 255.255.255.0
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq ftp
  port-object eq ftp-data
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit ip any any
  access-list outside_access_in extended permit tcp any object FTP_Server object-group DM_INLINE_TCP_1
  access-list outside_1_cryptomap extended permit ip object Georgia object Dallas
  access-list outside_cryptomap extended permit ip object Dallas object Georgia
  pager lines 24
  logging enable
  logging asdm debugging
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Dallas Dallas destination static Georgia Georgia no-proxy-arp route-lookup
  object network FTP_Server
  nat (inside,outside) static interface service tcp ftp ftp
  nat (inside,outside) after-auto source static any interface destination static obj_any obj_any
  nat (inside,outside) after-auto source static any interface service FTP FTP
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 71.123.179.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.180.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association replay window-size 1024
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 173.227.90.194
  crypto map outside_map 1 set ikev1 phase1-mode aggressive
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 1 set ikev2 pre-shared-key *****
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.180.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.180.1.51-10.180.1.254 inside
  dhcpd dns 68.237.112.12 68.238.96.12 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 64.147.116.229 source outside prefer
  webvpn
  group-policy GroupPolicy_173.227.90.194 internal
  group-policy GroupPolicy_173.227.90.194 attributes
  vpn-tunnel-protocol ikev1 ikev2
  tunnel-group 173.227.90.194 type ipsec-l2l
  tunnel-group 173.227.90.194 general-attributes
  default-group-policy GroupPolicy_173.227.90.194
  tunnel-group 173.227.90.194 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:8f338f323a8f642808bd20965b793291
  : end
  no asdm history enable
  Running Config on Georgia ASA
  : Saved
  ASA Version 8.4(4)1
  hostname ACHGeorgia
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.180.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 173.227.90.194 255.255.255.224
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 216.136.95.2
  name-server 64.132.94.250
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Site-A-Dallas-Firewall
  host 71.123.179.111
  description Dallas Firewall
  object network Site-A-Dallas-Subnet
  subnet 10.180.1.0 255.255.255.0
  description Dallas
  object network Site-B-Georgia-Subnet
  subnet 10.180.2.0 255.255.255.0
  description Georgia
  object network Georgia
  subnet 10.180.2.0 255.255.255.0
  object network Dallas
  subnet 10.180.1.0 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit ip any any
  access-list outside_1_cryptomap extended permit ip object Dallas object Georgia
  access-list outside_cryptomap extended permit ip object Georgia object Dallas
  pager lines 24
  logging enable
  logging asdm debugging
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any interface destination static obj_any any
  nat (any,outside) source dynamic any interface
  nat (inside,outside) source static Georgia Georgia destination static Dallas Dallas no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 173.227.90.193 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.180.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 71.123.179.111
  crypto map outside_map 1 set ikev1 phase1-mode aggressive
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 set ikev2 pre-shared-key *****
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
      0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
      30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
      13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
      0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
      20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
      65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
      65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
      30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
      30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
      496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
      74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
      68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
      3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
      63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
      0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
      a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
      9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
      7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
      15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
      63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
      18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
      4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
      81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
      db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
      ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
      45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
      2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
      1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
      03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
      69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
      02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
      6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
      c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
      69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
      1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
      551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
      1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
      2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
      4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
      b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
      6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
      481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
      b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
      5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
      6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
      6c2527b9 deb78458 c61f381e a4c4cb66
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.180.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 10.180.2.51-10.180.2.254 inside
  dhcpd dns 216.136.95.2 64.132.94.250 interface inside
  dhcpd enable inside
  dhcpd dns 216.136.95.2 64.132.94.250 interface outside
  no threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy GroupPolicy_71.123.179.111 internal
  group-policy GroupPolicy_71.123.179.111 attributes
  vpn-tunnel-protocol ikev1 ikev2
  tunnel-group 71.123.179.111 type ipsec-l2l
  tunnel-group 71.123.179.111 general-attributes
  default-group-policy GroupPolicy_71.123.179.111
  tunnel-group 71.123.179.111 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:8bf23063c95795ec4cd59cc0e051097f
  : end
  no asdm history enable

  I am fairly new to cisco. I dont have a direct terminal connection. I ran the debug command above and through the GUI I saved these two log files. When I started logging I sent a ping packet to the other side. I can see that the Dallas location attempted to create a tunnel. When I did the same thing from Georgia it did not appear to even attempt to create a tunnel. The other thing I am seeing is that on the Georgia ASA under monitoring->VPN->Sessions there is no status to the right. On the Dallas side I see that there is 1 inactive tunnel. Any suggestions
  Log file from Dallas:
  6|Jan 23 2013|13:43:28|106015|209.221.63.27|143|71.123.179.111|2347|Deny TCP (no connection) from 209.221.63.27/143 to 71.123.179.111/2347 flags FIN ACK  on interface outside
  6|Jan 23 2013|13:43:28|302014|209.221.63.27|143|10.180.1.55|2347|Teardown TCP connection 37396 for outside:209.221.63.27/143 to inside:10.180.1.55/2347 duration 0:00:04 bytes 1603 TCP FINs
  6|Jan 23 2013|13:43:28|302013|10.180.1.55|2348|209.221.63.27|143|Built outbound TCP connection 37398 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2348 (71.123.179.111/2348)
  7|Jan 23 2013|13:43:26|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:24|302013|10.180.1.55|2347|209.221.63.27|143|Built outbound TCP connection 37396 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2347 (71.123.179.111/2347)
  6|Jan 23 2013|13:43:22|302013|10.180.1.55|2346|209.221.63.27|143|Built outbound TCP connection 37395 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2346 (71.123.179.111/2346)
  7|Jan 23 2013|13:43:21|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:21|302014|209.221.62.17|80|10.180.1.58|2982|Teardown TCP connection 37393 for outside:209.221.62.17/80 to inside:10.180.1.58/2982 duration 0:00:00 bytes 1387 TCP FINs
  6|Jan 23 2013|13:43:21|302013|10.180.1.58|2982|209.221.62.17|80|Built outbound TCP connection 37393 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2982 (71.123.179.111/2982)
  6|Jan 23 2013|13:43:18|302014|209.221.62.17|80|10.180.1.58|2981|Teardown TCP connection 37392 for outside:209.221.62.17/80 to inside:10.180.1.58/2981 duration 0:00:00 bytes 668 TCP FINs
  6|Jan 23 2013|13:43:17|302013|10.180.1.58|2981|209.221.62.17|80|Built outbound TCP connection 37392 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2981 (71.123.179.111/2981)
  7|Jan 23 2013|13:43:16|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:14|302014|209.221.62.17|80|10.180.1.58|2978|Teardown TCP connection 37390 for outside:209.221.62.17/80 to inside:10.180.1.58/2978 duration 0:00:02 bytes 59217 TCP FINs
  6|Jan 23 2013|13:43:12|302013|10.180.1.58|2978|209.221.62.17|80|Built outbound TCP connection 37390 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2978 (71.123.179.111/2978)
  7|Jan 23 2013|13:43:12|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:07|302014|209.221.63.27|143|10.180.1.55|2328|Teardown TCP connection 37129 for outside:209.221.63.27/143 to inside:10.180.1.55/2328 duration 0:10:40 bytes 17496 TCP FINs
  6|Jan 23 2013|13:43:04|302014|209.221.62.17|80|10.180.1.58|2977|Teardown TCP connection 37388 for outside:209.221.62.17/80 to inside:10.180.1.58/2977 duration 0:00:01 bytes 28170 TCP FINs
  6|Jan 23 2013|13:43:02|302013|10.180.1.58|2977|209.221.62.17|80|Built outbound TCP connection 37388 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2977 (71.123.179.111/2977)
  6|Jan 23 2013|13:43:01|302014|209.221.62.17|80|10.180.1.58|2976|Teardown TCP connection 37387 for outside:209.221.62.17/80 to inside:10.180.1.58/2976 duration 0:00:00 bytes 668 TCP FINs
  6|Jan 23 2013|13:43:01|302013|10.180.1.58|2976|209.221.62.17|80|Built outbound TCP connection 37387 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2976 (71.123.179.111/2976)
  7|Jan 23 2013|13:43:00|609002|64.74.126.6||||Teardown local-host outside:64.74.126.6 duration 1:12:35
  7|Jan 23 2013|13:42:58|710005|10.180.1.58|3266|71.123.179.111|52698|UDP request discarded from 10.180.1.58/3266 to inside:71.123.179.111/52698
  7|Jan 23 2013|13:42:52|609002|118.2.120.3||||Teardown local-host outside:118.2.120.3 duration 0:10:26
  7|Jan 23 2013|13:42:50|609002|74.125.227.101||||Teardown local-host outside:74.125.227.101 duration 1:20:36
  7|Jan 23 2013|13:42:49|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:46|609002|64.74.103.184||||Teardown local-host outside:64.74.103.184 duration 0:12:34
  6|Jan 23 2013|13:42:46|302014|23.66.230.74|80|10.180.1.55|2320|Teardown TCP connection 37080 for outside:23.66.230.74/80 to inside:10.180.1.55/2320 duration 0:13:01 bytes 2591 FIN Timeout
  7|Jan 23 2013|13:42:44|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:39|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:38|609002|74.125.227.130||||Teardown local-host outside:74.125.227.130 duration 1:12:35
  7|Jan 23 2013|13:42:38|609002|74.125.227.73||||Teardown local-host outside:74.125.227.73 duration 1:12:35
  6|Jan 23 2013|13:42:35|302015|71.123.179.111|500|173.227.90.194|500|Built outbound UDP connection 37383 for outside:173.227.90.194/500 (173.227.90.194/500) to identity:71.123.179.111/500 (71.123.179.111/500)
  5|Jan 23 2013|13:42:34|750001|||||Local:71.123.179.111:500 Remote:173.227.90.194:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.180.1.3-10.180.1.3 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.180.2.1-10.180.2.1 Protocol: 0 Port Range: 0-65535
  5|Jan 23 2013|13:42:34|752003|||||Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside_map.  Map Sequence Number = 1.
  7|Jan 23 2013|13:42:34|609001|10.180.2.1||||Built local-host outside:10.180.2.1
  7|Jan 23 2013|13:42:32|609002|192.150.19.49||||Teardown local-host outside:192.150.19.49 duration 1:52:40
  7|Jan 23 2013|13:42:32|609002|10.180.2.1||||Teardown local-host outside:10.180.2.1 duration 0:10:42
  7|Jan 23 2013|13:42:32|609002|98.138.47.63||||Teardown local-host outside:98.138.47.63 duration 1:52:41
  7|Jan 23 2013|13:42:29|609002|184.84.130.70||||Teardown local-host outside:184.84.130.70 duration 1:12:35
  Log file from Georgia:
  7|Jan 23 2013|13:47:49|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:49|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:47|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:47|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:44|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:44|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:42|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:42|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:40|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:40|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:38|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:38|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:30|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:30|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:28|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:28|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:25|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:25|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:23|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:23|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:20|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:20|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:18|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:18|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:16|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:16|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:14|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:14|609001|10.180.1.1||||Built local-host outside:10.180.1.1

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Cisco ASA 5505 Site to Site VPN tunnel up, but not passing traffic

  Thanks to a previous thread, I do have a 5505 up and running, and passing data....
  https://supportforums.cisco.com/message/3900751
  Now I am trying to get a IPSEC VPN tunnel working.
  I actually have it up (IKE phase 1 & 2 both passed), but it is not sending/receiving data through the tunnel.
  The networks concerned:
  name 10.0.0.0  Eventual  (HQ Site behind Firewall)
  name 1.1.1.0  CFS  (Public Network Gateway for Palo Alto Firewall - Firewall IP: 1.1.1.1)
  name 2.2.2.0  T1  (Remote site - Outside interface of 5505: 2.2.2.2)
  name 10.209.0.0  Local  (Remote Network - internal interface of 5505: 10.209.0.3)
  On a ping to the HQ network from behind the ASA, I get....
  portmap translation creation failed for icmp src inside:10.209.0.9 dst inside:10.0.0.33 (type 8, code 0)
  I am suspecting that there is a NAT error and/or a lack of a static route for the rest of the 10.0.0.0 traffic, and that I may have to exempt/route the traffic for the HQ network (10.0.0.0), but I haven't been able to get the correct entries to make it work.
  Below is the config.
  Can anyone see if there is something sticking out?
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 2.2.2.0 T1
  name 1.1.1.0 CFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object CFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 67.139.113.217 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:701d8da28ee256692a1e49d904e9cb04
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location CFS 255.255.255.240 inside
  asdm history enable
  Thank You.

  I'm just re-engaging on the firewall this afternoon, but right now I'm getting request timed out on the pings....
  Here's the output requested:
  Result of the command: "show crypto isakmp sa"
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1 IKE Peer: 1.1.1.1
  Type : L2L Role : initiator
  Rekey : no State : AM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
  access-list outside_1_cryptomap extended permit ip 10.209.0.0 255.255.255.0 10.0.0.0 255.0.0.0
  local ident (addr/mask/prot/port): (Local/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (Eventual/255.0.0.0/0/0)
  current_peer: 1.1.1.1
  #pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0
  local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
  path mtu 1500, ipsec overhead 58, media mtu 1500
  current outbound spi: 8FC06BD1
  current inbound spi : 42EC16F4
  inbound esp sas:
  spi: 0x42EC16F4 (1122768628)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62207/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  outbound esp sas:
  spi: 0x8FC06BD1 (2411752401)
  transform: esp-3des esp-md5-hmac no compression
  in use settings ={L2L, Tunnel, PFS Group 2, }
  slot: 0, conn_id: 4096, crypto-map: outside_map
  sa timing: remaining key lifetime (kB/sec): (62201/28464)
  IV size: 8 bytes
  replay detection support: Y
  Anti replay bitmap:
  0x00000000 0x00000001
  Here's the current config:
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.0 Eventual
  name 10.209.0.0 Local
  name 67.139.113.216 T1
  name 1.1.1.0 IntegraCFS
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 0
  ip address 10.209.0.3 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.248
  time-range Indefinite
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group network DM_INLINE_NETWORK_1
  network-object Eventual 255.0.0.0
  network-object T1 255.255.255.248
  network-object IntegraCFS 255.255.255.240
  access-list outside_1_cryptomap extended permit ip Local 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list No_NAT extended permit ip Local 255.255.255.0 Eventual 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list No_NAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 2.2.2.0 1
  route outside Eventual 255.255.255.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Eventual 255.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map 1 set security-association lifetime kilobytes 65535
  crypto map outside_map 1 set phase1-mode aggressive
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.209.0.201-10.209.0.232 inside
  dhcpd dns 8.8.8.8 8.8.4.4 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  group-policy FTMGP internal
  group-policy FTMGP attributes
  vpn-idle-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 general-attributes
  default-group-policy FTMGP
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:301e573544ce0f89b3c597bdfe2c414a
  : end
  asdm location Eventual 255.0.0.0 inside
  asdm location Local 255.255.255.0 inside
  asdm location T1 255.255.255.248 inside
  asdm location IntegraCFS 255.255.255.240 inside
  asdm history enable

• Cisco ASA & Router Site to Site VPN up but not passing traffic

  Dear all,
  Please help me the attached document vpn issue, site-to-site vpn is up but I am not able to passing traffic.
  Advance Thanks
  ahossain

  ASA#
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane
  ASA Version 8.2(1)
  hostname Active
  domain-name test.com
  interface Ethernet0/0
  description LAN/STATE Failover Interface
  interface Ethernet0/1
  speed 100
  nameif outside
  security-level 0
  ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
  interface Ethernet0/3
  description INSIDE
  speed 100
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa821-k8.bin
  boot config disk0:/running-config
  ftp mode passive
  dns server-group DefaultDNS
  domain-name test.com
  access-list deny-flow-max 1
  access-list alert-interval 2
  access-list allow extended permit ip any any
  access-list VPN extended permit ip any any
  access-list OUTSIDE extended permit ip any any
  access-list al-outside extended permit ip any host 212.107.106.129
  access-list al-outside extended permit ip any any
  access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit ip any any
  access-list DMZ_access_out extended permit ip any any
  access-list inside_access_in extended permit ip any any
  access-list DMZ_access_in extended permit ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  pager lines 24
  mtu outside 1500
  mtu DMZ 1500
  mtu inside 1500
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/0
  failover key *****
  failover link failover Ethernet0/0
  failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any DMZ
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
  route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  service resetoutside
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map mal 10 set peer 212.107.106.129
  crypto map IPSec_map 10 match address encrypt_acl
  crypto map IPSec_map 10 set peer 212.107.106.129
  crypto map IPSec_map 10 set transform-set mal
  crypto map IPSec_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 outside
  ==================================================================
  Remote-Router#
  crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp key XXXXXX address 212.71.53.38
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set mal esp-3des esp-md5-hmac
  crypto map mal 10 ipsec-isakmp
  set peer 212.71.53.38
  set transform-set mal
  match address 120
  interface Loopback0
  ip address 10.3.3.1 255.255.255.0
  ip virtual-reassembly in
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address 172.20.34.54 255.255.255.252
  ip nat outside
  ip virtual-reassembly in
  load-interval 30
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/1
  ip address 212.107.106.129 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache
  duplex auto
  speed auto
  crypto map mal
  interface GigabitEthernet0/2
  description *!* LAN *!*
  ip address 10.2.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
  ip nat inside source route-map nonat pool OUTPOOL overload
  ip route 0.0.0.0 0.0.0.0 172.20.34.53
  ip route 10.1.1.0 255.255.255.0 212.107.106.130
  ip route 192.168.50.0 255.255.255.0 212.71.53.38
  ip access-list extended outside
  remark CCP_ACL Category=1
  permit ip any any log
  ip access-list extended outside1
  remark CCP_ACL Category=1
  permit ip any any log
  access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
  access-list 130 permit ip 10.2.2.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 130
  control-plane

• VPN Between Cisco ASA 5505 and Cisco Router 881

  Hi All,
  I want to interconnect two office to each other but i have trouble: Please see below my configuration: What is missing to finalize the configuration properly?
  Cisco ASA 5505.
  Version 8.4(3)
  HQ-ASA5505(config)# crypto ikev1 policy 888
  HQ-ASA5505(config-ikev1-policy)# authentication pre-share
  HQ-ASA5505(config-ikev1-policy)# encryption 3des
  HQ-ASA5505(config-ikev1-policy)# hash md5
  HQ-ASA5505(config-ikev1-policy)# lifetime 86400
  HQ-ASA5505(config-ikev1-policy)# group 2
  HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
  HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
  HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
  HQ-ASA5505(config)#object network HQ-Users
  HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
  HQ-ASA5505(config)# object-group network HQ.grp
  HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
  HQ-ASA5505(config)#object network FSP_DATA
  HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
  HQ-ASA5505(config)#object-group network FSP.grp
  HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
  HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
  HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
  HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
  HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
  HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
  HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
  HQ-ASA5505(config)# crypto ikev1 enable outside
  HQ-ASA5505(config)# crypto map ouside_map interface outside
  Router 881
  Version 12.4
  License Information for 'c880-data'
      License Level: advipservices   Type: Permanent
      Next reboot license Level: advipservices
  LAB_ROuter(config)#object-group network HQ
  LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
  LAB_ROuter(config)#object-group network FSP
  LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
  ip access-list extended FSP_VPN
   permit ip object-group FSP object-group HQ
  LAB_ROuter(config)#crypto isakmp policy 888
  LAB_ROuter(config-isakmp)#encryption 3des
  LAB_ROuter(config-isakmp)#authentication pre-share
  LAB_ROuter(config-isakmp)#hash md5
  LAB_ROuter(config-isakmp)#group 2
  LAB_ROuter(config-isakmp)#lifetime 86400
  LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
  LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
  crypto map outside_map 888 ipsec-isakmp
   set peer 2.2.2.2
   set transform-set TS
   match address FSP_VPN
  interface fast4 --> Outside Interface (where public IP address is assigned) 
  crypto map outside_map
  Thank you in advance for your prompt advice!

  If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
  This is due a known bug on Cisco routers. The router does not support object-groups network for the VPN traffic. Use a regular ACL instead.

• Remote Access VPN connecting but not passing traffic

  I have a remote access VPN configured on a device here. I'm able to connect a device and it assigns me an IP address out of the pool, and injects the routes to its local network, but I'm not able to pass any traffic through the VPN and none of the IPSec SA counters increment for the dial-in connection. I've compared the config here to the samples from documentation and I don't know what I'm missing. Config is below.
  3118-FWL001(config)# sho run
  : Saved
  ASA Version 7.2(3)
  hostname 3118-FWL001
  domain-name rr-rentals.com
  enable password hEgvNHfNHV8zypPu encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 199.X.X.162 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  passwd 2KFQnbNIdI.2KYOU encrypted
  banner exec
  banner exec
  banner exec
  banner exec Any attempted or unauthorized access, use, or modification is prohibited.
  banner exec Unauthorized users may face criminal and/or civil penalties.
  banner exec The use of this system may be monitored and recorded.
  banner exec If the monitoring reveals possible evidence of criminal activity, Adhost can
  banner exec provide the records to law enforcement.
  banner exec Be safe!  Do not share your access information with anyone!
  banner exec
  banner exec
  banner exec
  banner asdm
  banner asdm
  banner asdm
  banner asdm Any attempted or unauthorized access, use, or modification is prohibited.
  banner asdm Unauthorized users may face criminal and/or civil penalties.
  banner asdm The use of this system may be monitored and recorded.
  banner asdm If the monitoring reveals possible evidence of criminal activity, Adhost can
  banner asdm provide the records to law enforcement.
  banner asdm Be safe!  Do not share your access information with anyone!
  banner asdm
  banner asdm
  banner asdm
  ftp mode passive
  dns server-group DefaultDNS
   domain-name rr-rentals.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list outside_acl extended permit ip any host 199.X.X.163
  access-list outside_acl extended permit icmp any any echo
  access-list outside_acl extended permit icmp any any echo-reply
  access-list outside_acl extended permit tcp 216.X.X.64 255.255.255.192 any
  access-list outside_acl extended permit tcp host 76.X.X.166 any eq 3389
  access-list outside_acl extended permit tcp 67.X.X.192 255.255.255.224 any eq 3389
  access-list outside_acl extended permit tcp any any eq ftp
  access-list outside_acl extended permit tcp any any eq ftp-data
  access-list outside_acl extended permit tcp host 72.X.X.71 any eq 3389
  access-list outside_acl extended permit tcp host 26.X.X.155 any eq 3389
  access-list outside_acl extended permit tcp host 24.X.X.155 any eq 3389
  access-list outside_acl extended permit icmp any any unreachable
  access-list outside_acl extended permit icmp any any time-exceeded
  access-list outside_acl extended permit tcp host 71.X.X.170 any eq 3389
  access-list outside_acl extended permit tcp host 24.X.X.200 any eq 3389
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
  access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list outside_4_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list outside_3_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
  access-list rr-vpn_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
  access-list rr-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpnpool 192.168.20.1-192.168.20.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) 199.X.X.163 192.168.10.2 netmask 255.255.255.255
  access-group outside_acl in interface outside
  route outside 0.0.0.0 0.0.0.0 199.X.X.161 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 216.X.X.64 255.255.255.192 outside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sysopt connection tcpmss 1200
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 50.X.X.58
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA
  crypto map outside_map 2 match address outside_2_cryptomap
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer 75.X.X.253
  crypto map outside_map 2 set transform-set ESP-AES-128-SHA
  crypto map outside_map 3 match address outside_3_cryptomap
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer 173.X.X.69
  crypto map outside_map 3 set transform-set ESP-AES-128-SHA
  crypto map outside_map 4 match address outside_4_cryptomap
  crypto map outside_map 4 set pfs
  crypto map outside_map 4 set peer 70.X.X.194
  crypto map outside_map 4 set transform-set ESP-AES-128-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption aes
   hash sha
   group 5
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh 192.168.10.2 255.255.255.255 inside
  ssh 192.168.0.0 255.255.0.0 inside
  ssh 216.X.X.64 255.255.255.192 outside
  ssh 50.X.X.58 255.255.255.255 outside
  ssh timeout 60
  ssh version 2
  console timeout 0
  management-access inside
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  tftp-server outside 216.X.X.116 3118-FWL001.config
  group-policy rr-vpn internal
  group-policy rr-vpn attributes
   dns-server value 216.X.X.12 66.X.X.11
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value rr-vpn_splitTunnelAcl
  username rrlee password B6rKS8LmKC50oIXK encrypted privilege 0
  username rrlee attributes
   vpn-group-policy rr-vpn
  username cschirado password QYICGrOFAZ9iPWpp encrypted privilege 0
  username cschirado attributes
   vpn-group-policy rr-vpn
  username daniel password SZsXZCSuVXcFn9NB encrypted privilege 15
  username adhostadm password 7P2Y2Ow1o0.VSjvh encrypted privilege 15
  username troy password amZKsxVU.8N9kKPb encrypted privilege 0
  username troy attributes
   vpn-group-policy rr-vpn
  username troyr password Hek9zbMrM6wEDSfi encrypted privilege 15
  username druiz password 33oau7XOcvhJ3DMv encrypted privilege 0
  username druiz attributes
   vpn-group-policy rr-vpn
  username theresa password qWsPnR.vfjXzlunC encrypted privilege 0
  username theresa attributes
   vpn-group-policy rr-vpn
  username kevin password R5DPfUVhzGCEg6pu encrypted privilege 0
  username kevin attributes
   vpn-group-policy rr-vpn
  username andrea password MyhIPdH6UJQDon77 encrypted privilege 0
  username andrea attributes
   vpn-group-policy rr-vpn
  tunnel-group 50.X.X.58 type ipsec-l2l
  tunnel-group 50.X.X.58 ipsec-attributes
   pre-shared-key *
  tunnel-group 75.X.X.253 type ipsec-l2l
  tunnel-group 75.X.X.253 ipsec-attributes
   pre-shared-key *
  tunnel-group 72.X.X.71 type ipsec-l2l
  tunnel-group 72.X.X.71 ipsec-attributes
   pre-shared-key *
  tunnel-group 173.X.X.69 type ipsec-l2l
  tunnel-group 173.X.X.69 ipsec-attributes
   pre-shared-key *
  tunnel-group rr-vpn type ipsec-ra
  tunnel-group rr-vpn general-attributes
   address-pool vpnpool
   default-group-policy rr-vpn
  tunnel-group rr-vpn ipsec-attributes
   pre-shared-key *
  tunnel-group 70.X.X.194 type ipsec-l2l
  tunnel-group 70.X.X.194 ipsec-attributes
   pre-shared-key *
  prompt hostname context

  Here are the results of the commands you requested. I'm not able to ping either direction.
  Thanks,
  James
  3118-FWL001# sho cry isa sa
     Active SA: 5
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 5
  1   IKE Peer: 50.34.254.58
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  2   IKE Peer: 173.10.71.69
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  3   IKE Peer: 75.151.109.253
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  4   IKE Peer: 70.99.88.194
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  5   IKE Peer: 216.211.143.85
      Type    : user            Role    : responder
      Rekey   : no              State   : AM_ACTIVE
  3118-FWL001# sho cry ips sa
  interface: outside
      Crypto map tag: outside_dyn_map, seq num: 20, local addr: 199.21.66.162
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.20.2/255.255.255.255/0/0)
        current_peer: 216.211.143.85, username: kevin
        dynamic allocated peer ip: 192.168.20.2
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 216.211.143.85
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: CBF94621
      inbound esp sas:
        spi: 0x8D8279CA (2374138314)
           transform: esp-3des esp-sha-hmac none
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 200, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 28715
           IV size: 8 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0xCBF94621 (3422111265)
           transform: esp-3des esp-sha-hmac none
           in use settings ={RA, Tunnel, }
           slot: 0, conn_id: 200, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 28715
           IV size: 8 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 1, local addr: 199.21.66.162
        access-list outside_1_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        current_peer: 50.34.254.58
        #pkts encaps: 15356573, #pkts encrypt: 15356573, #pkts digest: 15356573
        #pkts decaps: 9021115, #pkts decrypt: 9021114, #pkts verify: 9021114
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 15356573, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 50.34.254.58
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: FE16571B
      inbound esp sas:
        spi: 0x78BD7E4F (2025684559)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 86, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4263158/5788)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0xFE16571B (4262876955)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 86, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4064653/5788)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 4, local addr: 199.21.66.162
        access-list outside_4_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
        current_peer: 70.99.88.194
        #pkts encaps: 491814, #pkts encrypt: 491814, #pkts digest: 491814
        #pkts decaps: 416810, #pkts decrypt: 416810, #pkts verify: 416810
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 491814, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 70.99.88.194
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 533F55E1
      inbound esp sas:
        spi: 0xE2F461AD (3807666605)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 194, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4273818/27167)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x533F55E1 (1396659681)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 194, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4266133/27167)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 2, local addr: 199.21.66.162
        access-list outside_2_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 75.151.109.253
        #pkts encaps: 207718, #pkts encrypt: 207718, #pkts digest: 207718
        #pkts decaps: 142739, #pkts decrypt: 142739, #pkts verify: 142739
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 207722, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 75.151.109.253
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 8D74AC18
      inbound esp sas:
        spi: 0x0CF7F70B (217577227)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 195, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4274490/23242)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x8D74AC18 (2373233688)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 195, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4270718/23242)
           IV size: 16 bytes
           replay detection support: Y
      Crypto map tag: outside_map, seq num: 3, local addr: 199.21.66.162
        access-list outside_3_cryptomap permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
        current_peer: 173.10.71.69
        #pkts encaps: 3427935, #pkts encrypt: 3427935, #pkts digest: 3427935
        #pkts decaps: 2006044, #pkts decrypt: 2006044, #pkts verify: 2006044
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 3427935, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 199.21.66.162, remote crypto endpt.: 173.10.71.69
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: 2E8A6147
      inbound esp sas:
        spi: 0x467968AB (1182361771)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 154, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4270213/18597)
           IV size: 16 bytes
           replay detection support: Y
      outbound esp sas:
        spi: 0x2E8A6147 (780820807)
           transform: esp-aes esp-sha-hmac none
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 154, crypto-map: outside_map
           sa timing: remaining key lifetime (kB/sec): (4162093/18597)
           IV size: 16 bytes
           replay detection support: Y
  3118-FWL001# sho run route
  route outside 0.0.0.0 0.0.0.0 199.21.66.161 1

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• VPN PROBLEM CISCO ASA 5505

      Hello,  I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
       I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
       Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
       The running-config it created is:
  ciscoasa# sh run
  : Saved
  ASA Version 8.4(2)
  hostname ciscoasa
  enable password XXXX encrypted
  passwd XXXX encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.1.254 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ADSL_Telefonica
  ip address pppoe setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_172.16.0.0_16
  subnet 172.16.0.0 255.255.0.0
  access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 172.16.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 172.16.0.0 255.255.0.0 inside
  telnet timeout 55
  ssh 172.16.0.0 255.255.0.0 inside
  ssh timeout 55
  console timeout 0
  vpdn group ADSL_Telefonica request dialout pppoe
  vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
  vpdn group ADSL_Telefonica ppp authentication pap
  vpdn username adslppp@telefonicanetpa password *****
  dhcpd auto_config outside
  dhcpd address 172.16.2.2-172.16.2.129 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy test internal
  group-policy test attributes
  dns-server value 172.16.1.1
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value test_splitTunnelAcl
  username test password XXXXXX encrypted privilege 0
  username test attributes
  vpn-group-policy test
  username ignacio password XXXXXXX encrypted
  tunnel-group test type remote-access
  tunnel-group test general-attributes
  address-pool test
  default-group-policy test
  tunnel-group test ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
  : end
  Thank you very much for your help

  Yes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
  • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
  I should have read Release Notes before. Thank you very much for your help and effort.

• Configurate cisco ipsec vpn client at asa 5505 version 8.4

  Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
  please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
  thank you.

  are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
  what version of vpn client ?

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Remote site redundancy IPSEC VPN between 2911 and ASA

  We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
  Site A has an ASA with one internet circuit.
  Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
  Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
  The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
  What is the best way of achieving this?
  We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
  However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
  I’ve read briefly elsewhere that GRE might be best to use in this scenario – but I can’t use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don’t want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911.   Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved?  And how could I also introduce the 877 and ADSL line into things to achieve the neccessary redundancy?
  Any help/advice would be appreciated!

  Hello,
  I don't think GRE tunnel that you could set up on the switch  behind ASA would be really helpfull. Still site-2-site tunnel you want  to establish between ASA and some routers, but still it is ASA which needs to make decision about which peer to connect to.
  Possible solution would be to do HSRP between both routers on LAN side and with two independent tunnels/crypto maps (one on each of them). On ASA you would need to set up two hosts in set peer. Problem of this solution is that if one router at side B is going to go down and second ADSL line will take over ASA will not do preempt after you main Internet connection is up again. This would happen after ADSL Internet connection will be down.
  Solution to that would be to assign two different public IP addressess on two different interfaces of ASA. Then you attach two crypto maps to both interfaces and by using sla monitor (let's say icmp to main router, if it does not respond then you change routing for remote LAN to second interface) you are selecting which crypto map (with one peer this time) should be used.
  I hope what I wrote makes some sense.

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Standby VPN in the ASA 5505

  Hello, I'm triying find out if there is a way to put a second vpn site-to-site as standby and if the primary come down  this standby come to up.
  for exemplo, I have a ASA 5505 in my branch office I wish add two VPN site-to-site to my head office. one tunnel must be standby and other active.
  there is any way to reach this? the contingency can be by hand it's not necessary be automatic.
  any tip is welcome.
  thanks

  as i unerstand you have two interfacces at the spoke side , then you can do the following :
  apply the same crypto map on both interfaces .
  routing will control to which path the traffic will have and hence which tunnel will be used to encrypt traffic , to ahcieve redundancy with routing you can use SLA and floating routes , this work as you define a route to the primary tunnel with higher metric but this route is associated with a SLA object the tracks the reachability of the primary ISP, when the tracking fails the route will be removed from the routing table and you will be using a secondary route with a higher metric that will send the traffic to the second tunnel and will be only installed when the primary route is down .
  here is a useful example on how to configure SLA on ASA :
  ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
  hope that this will help !
  cheers

• S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across

  Hi,
  I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170.  I have checked the screenshots proivded by the other end and tried to match with ours.  The Tunnel shows but we are not able to Ping resources on the other end.  The other side insists that the problem is on our end but I am not sure where the issue resides.  Please take a look at our config and let me know if there is anything that I have missed.  I am pretty sure I didn't but extra eyes may be of need here.
  Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
  ASA Version 8.2(2)
  terminal width 300
  hostname company-asa
  domain-name Company.com
  no names
  name 10.1.0.0 sacramento-network
  name 10.3.0.0 irvine-network
  name 10.2.0.0 portland-network
  name x.x.x.x MailLive
  name 192.168.9.0 revit-vpn-remote-subnet
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.128
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.200.200.1 255.255.0.0
  interface Ethernet0/2
  nameif dmz
  security-level 50
  ip address 172.22.22.1 255.255.255.0
  interface Ethernet0/3
  description Internal Wireless
  shutdown
  nameif Wireless
  security-level 100
  ip address 10.201.201.1 255.255.255.0
  interface Management0/0
  shutdown
  nameif management
  security-level 100
  no ip address
  management-only
  boot system disk0:/asa822-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name company.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network local_net_group
  network-object 10.1.0.0 255.255.0.0
  network-object 10.2.0.0 255.255.0.0
  network-object 10.200.0.0 255.255.0.0
  network-object 10.3.0.0 255.255.0.0
  network-object 10.4.0.0 255.255.0.0
  network-object 10.5.0.0 255.255.0.0
  network-object 10.6.0.0 255.255.0.0
  network-object 10.7.0.0 255.255.0.0
  network-object 192.168.200.0 255.255.255.0
  object-group network NACIO123
  network-object 1.1.1.1 255.255.255.224
  object-group service MAIL_HTTPS_BORDERWARE tcp
  port-object eq smtp
  port-object eq https
  port-object eq 10101
  object-group service SYSLOG_SNMP_NETFLOW udp
  port-object eq syslog
  port-object eq snmp
  port-object eq 2055
  object-group service HTTP_HTTPS tcp
  port-object eq www
  port-object eq https
  object-group network OUTSIDECO_SERVERS
  network-object host x.x.x.34
  network-object host x.x.x.201
  network-object host x.x.x.63
  object-group network NO-LOG
  network-object host 10.200.200.13
  network-object host 10.200.200.25
  network-object host 10.200.200.32
  object-group service iPhoneSync-Services-TCP tcp
  port-object eq 993
  port-object eq 990
  port-object eq 998
  port-object eq 5678
  port-object eq 5721
  port-object eq 26675
  object-group service termserv tcp
  description terminal services
  port-object eq 3389
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DTI tcp
  description DCS CONTROL PROTOCOL
  port-object eq 3333
  object-group service H.245 tcp
  description h.245 signaling
  port-object range 1024 4999
  object-group service RAS udp
  port-object eq 1719
  port-object range 1718 1720
  object-group service XML tcp
  port-object range 3336 3341
  object-group service mpi tcp
  port-object eq 2010
  object-group service mvp_control tcp
  port-object eq 2946
  object-group service rpc tcp-udp
  port-object eq 1809
  object-group service tcp8080 tcp
  port-object eq 8080
  object-group service tcp8011 tcp
  port-object eq 8011
  object-group service rtp_rtcp_udp udp
  port-object range 1024 65535
  object-group service ecs_xml tcp-udp
  port-object eq 3271
  object-group service rtp20000 udp
  description 10000-65535
  port-object range 20000 25000
  port-object range 10000 65535
  object-group service tcp5222 tcp
  port-object range 5222 5269
  object-group service tcp7070 tcp
  port-object eq 7070
  object-group network videoco
  network-object host x.x.x.144
  network-object host x.x.x.145
  object-group service video tcp
  port-object range 1718 h323
  object-group service XML2 tcp-udp
  port-object range 3336 3345
  object-group service tcp_tls tcp
  port-object eq 5061
  object-group service Autodesk tcp
  port-object eq 2080
  port-object range 27000 27009
  access-list outside_policy remark ====== Begin Mail From Postini Network ======
  access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
  access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
  access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
  access-list outside_policy remark ****** End Mail From Postini Network ******
  access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
  access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
  access-list outside_policy remark ****** End Inbound Web Mail Access ******
  access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
  access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
  access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
  access-list outside_policy remark ====== Begin MARS Monitoring ======
  access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
  access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
  access-list outside_policy remark ****** End MARS Monitoring ******
  access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
  access-list outside_policy extended permit tcp any host x.x.x.x eq www
  access-list outside_policy extended permit tcp any host x.x.x.x eq https
  access-list outside_policy extended permit tcp any host x.x.x.x eq h323
  access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
  access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
  access-list outside_policy remark radvision 5110   port 80 both
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
  access-list outside_policy remark radvision
  access-list outside_policy extended permit tcp any object-group videoco object-group termserv
  access-list outside_policy remark radvision 5110  port21 out
  access-list outside_policy extended permit tcp any object-group videoco eq ftp
  access-list outside_policy remark rad5110   port22 both
  access-list outside_policy extended permit tcp any object-group videoco eq ssh
  access-list outside_policy remark rad 5110  port161 udp both
  access-list outside_policy extended permit udp any object-group videoco eq snmp
  access-list outside_policy remark rad5110 port443 both
  access-list outside_policy extended permit tcp any object-group videoco eq https
  access-list outside_policy remark rad5110 port 1024-4999  both
  access-list outside_policy extended permit tcp any object-group videoco object-group H.245
  access-list outside_policy remark rad5110 port 1719 udp both
  access-list outside_policy extended permit udp any object-group videoco object-group RAS
  access-list outside_policy remark rad5110 port 1720 both
  access-list outside_policy extended permit tcp any any eq h323
  access-list outside_policy remark RAD 5110 port 3333 tcp both
  access-list outside_policy extended permit tcp any object-group videoco object-group DTI
  access-list outside_policy remark rad5110 port 3336-3341 both
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
  access-list outside_policy remark port 5060 tcp/udp
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
  access-list outside_policy remark rad 5110port 1809 rpc both
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
  access-list outside_policy remark rad 5110 port 2010 both
  access-list outside_policy extended permit tcp any object-group videoco object-group mpi
  access-list outside_policy remark rad 5110 port 2946 both
  access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
  access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
  access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
  access-list outside_policy remark 1024-65535
  access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
  access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
  access-list outside_policy extended permit tcp any object-group videoco eq telnet
  access-list outside_policy remark port 53 dns
  access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
  access-list outside_policy remark 7070
  access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
  access-list outside_policy remark 5222-5269 tcp
  access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
  access-list outside_policy extended permit tcp any object-group videoco object-group video
  access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
  access-list outside_policy remark ====== Begin Autodesk Activation access ======
  access-list outside_policy extended permit tcp any any object-group Autodesk
  access-list outside_policy remark ****** End Autodesk Activation access ******
  access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
  access-list outside_policy remark ****** End Autodesk Activation access ******
  access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
  access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
  access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
  access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
  access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
  access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
  access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
  access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
  access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
  access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
  access-list inside_policy remark ****** End Outbound Mail Server Rules ******
  access-list inside_policy extended permit ip object-group local_net_group any
  access-list inside_policy extended permit icmp object-group local_net_group any
  access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
  access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
  access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
  access-list company-split-tunnel remark Video
  access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
  access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
  access-list SSL_SPLIT remark Video
  access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
  access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
  access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
  access-list tom extended permit tcp host x.x.x.x any eq smtp
  access-list tom extended permit tcp host 10.200.200.222 any eq smtp
  access-list tom extended permit tcp any host x.x.x.x
  access-list aaron extended permit tcp any any eq 2967
  access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
  access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
  access-list DMZ extended permit icmp any any
  access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
  access-list dmz_access_in extended permit icmp any any
  access-list dmz_access_in extended permit tcp any any eq ftp
  access-list dmz_access_in extended permit tcp any any eq https
  access-list dmz_access_in remark rad5110 port 162 out
  access-list dmz_access_in extended permit udp any any eq snmptrap
  access-list dmz_access_in remark port 23 out
  access-list dmz_access_in extended permit tcp any any eq telnet
  access-list dmz_access_in remark port 53 dns out
  access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
  access-list dmz_access_in extended permit object-group TCPUDP any any eq www
  access-list dmz_access_in extended permit tcp any any eq h323
  access-list dmz_access_in extended permit tcp any any object-group XML
  access-list dmz_access_in extended permit udp any any object-group RAS
  access-list dmz_access_in extended permit tcp any any range 1718 h323
  access-list dmz_access_in extended permit tcp any any object-group H.245
  access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
  access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
  access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
  access-list dmz_access_in extended permit ip object-group local_net_group any
  access-list dmz_access_in remark port 5061
  access-list dmz_access_in extended permit tcp any any object-group tcp_tls
  access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered warnings
  logging trap informational
  logging history informational
  logging asdm warnings
  logging host outside x.x.x.x
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  mtu Wireless 1500
  mtu management 1500
  ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
  ip verify reverse-path interface outside
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-631.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONAT_SSL
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
  static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
  static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
  static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
  static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
  static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
  static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
  static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
  static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
  static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
  static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
  static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
  static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
  static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
  static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
  access-group outside_policy in interface outside
  access-group inside_policy in interface inside
  access-group dmz_access_in in interface dmz
  route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
  route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
  route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
  route inside x.x.x.0 255.255.255.0 10.200.200.2 1
  route inside x.x.x.0 255.255.255.0 10.200.200.2 1
  route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
  route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server COMPANY-NT-AUTH protocol nt
  aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
  nt-auth-domain-controller DC
  aaa authentication ssh console LOCAL
  aaa authorization command LOCAL
  http server enable
  http 10.200.200.0 255.255.255.0 inside
  http 10.200.0.0 255.255.0.0 inside
  http 10.3.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
  crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto map OUTSIDE_MAP 5 match address outside_cryptomap
  crypto map OUTSIDE_MAP 5 set pfs
  crypto map OUTSIDE_MAP 5 set peer x.x.x.53
  crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
  crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
  crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
  crypto map OUTSIDE_MAP 10 set peer x.x.x.25
  crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
  crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
  crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
  crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map OUTSIDE_MAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 28800
  crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 20
  console timeout 0
  dhcpd dns 10.200.200.220 10.200.200.225
  dhcpd wins 10.200.200.220 10.200.200.225
  dhcpd lease 18000
  dhcpd domain company.com
  dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
  dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
  dhcpd lease 18000 interface Wireless
  dhcpd domain company.com interface Wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.5.41.40 source outside prefer
  ssl trust-point vpn.company.com outside
  webvpn
  enable outside
  anyconnect-essentials
  svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
  svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
  svc enable
  tunnel-group-list enable
  group-policy SSL_Client_Policy internal
  group-policy SSL_Client_Policy attributes
  wins-server value 10.200.200.220
  dns-server value 10.200.200.220
  vpn-tunnel-protocol IPSec svc webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SSL_SPLIT
  default-domain value company.com
  webvpn
    sso-server none
    auto-signon allow uri * auth-type all
  group-policy no-split-test internal
  group-policy no-split-test attributes
  banner value Welcome to company and Associates
  banner value Welcome to company and Associates
  dns-server value 10.200.200.220
  vpn-tunnel-protocol IPSec
  ipsec-udp enable
  split-tunnel-policy tunnelall
  default-domain value company.com
  group-policy DfltGrpPolicy attributes
  dns-server value 10.200.200.220
  default-domain value company.com
  group-policy company internal
  group-policy company attributes
  banner value Welcome to company and Associates
  banner value Welcome to company and Associates
  dns-server value 10.200.200.220
  vpn-tunnel-protocol IPSec
  ipsec-udp enable
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SSL_SPLIT
  default-domain value company.com
  username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool SSL_VPN_POOL
  authentication-server-group COMPANY-NT-AUTH
  default-group-policy SSL_Client_Policy
  tunnel-group DefaultWEBVPNGroup webvpn-attributes
  group-alias company_SSL_VPN enable
  tunnel-group company_group type remote-access
  tunnel-group company_group general-attributes
  address-pool SSL_VPN_POOL
  authentication-server-group COMPANY-NT-AUTH LOCAL
  default-group-policy company
  tunnel-group company_group ipsec-attributes
  pre-shared-key *****
  tunnel-group x.x.x.53 type ipsec-l2l
  tunnel-group x.x.x.53 ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect tftp
    inspect esmtp
    inspect ftp
    inspect icmp
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect mgcp
    inspect h323 h225
    inspect h323 ras
    inspect sip
  service-policy global_policy global
  privilege cmd level 5 mode exec command ping
  privilege cmd level 6 mode exec command write
  privilege show level 5 mode exec command running-config
  privilege show level 5 mode exec command version
  privilege show level 5 mode exec command conn
  privilege show level 5 mode exec command memory
  privilege show level 5 mode exec command cpu
  privilege show level 5 mode exec command xlate
  privilege show level 5 mode exec command traffic
  privilege show level 5 mode exec command interface
  privilege show level 5 mode exec command clock
  privilege show level 5 mode exec command ip
  privilege show level 5 mode exec command failover
  privilege show level 5 mode exec command arp
  privilege show level 5 mode exec command route
  privilege show level 5 mode exec command blocks
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
  : end
  COMPANY-asa#

  Hi Sian,
  Yes on their end the PFS is enabled for DH Group 2.
  Here is the information that you requested:
  company-asa# sh crypto isakmp sa
     Active SA: 3
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 3
  1   IKE Peer: x.x.x.87
      Type    : user            Role    : responder
      Rekey   : no              State   : AM_ACTIVE
  2   IKE Peer: x.x.x.53
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  3   IKE Peer: x.x.x.25
      Type    : user            Role    : initiator
      Rekey   : no              State   : MM_WAIT_MSG4
  company-asa# sh crypto ipsec sa
  interface: outside
      Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
        access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
        local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
        current_peer: x.x.x.53
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: 500EC8BF
        current inbound spi : 8DAE3436
      inbound esp sas:
        spi: 0x8DAE3436 (2377004086)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
           sa timing: remaining key lifetime (kB/sec): (3914946/24388)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x500EC8BF (1343146175)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 2, }
           slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
           sa timing: remaining key lifetime (kB/sec): (3915000/24388)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
      Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
        local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
        remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
        current_peer: x.x.x.87, username: ewebb
        dynamic allocated peer ip: 172.20.20.8
        #pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
        #pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
        #send errors: 0, #recv errors: 0
        local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
        path mtu 1500, ipsec overhead 66, media mtu 1500
        current outbound spi: 2D712C9F
        current inbound spi : 0EDB79C8
      inbound esp sas:
        spi: 0x0EDB79C8 (249264584)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 18262
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0x2D712C9F (762391711)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={RA, Tunnel,  NAT-T-Encaps, }
           slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
           sa timing: remaining key lifetime (sec): 18261
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001