Site to site VPN re-connection issue

Similar Messages

• Tiger VPN (PPTP) connection issues

  Hello everyone.
  I'm having major issues trying to connect to office VPN from home; hoping someone can point me in the right direction. (And my profound apologies in advance for the long post -- just trying make sure to include enough detail to debug whatever might be happening)
  At the office we have a 3Com OfficeConnect VPN Firewall sitting in front of a Microsoft 2003 Exchange server. (3Com product page for this VPN box is http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CR870-95&pathtyp e=purchase). Home connection is a Linksys WRT54GL wireless router in front of a broadband cable modem. PPTP pass-through is enabled in the router config.
  At home I have a WinXP-SP2 laptop and my G4 Powerbook (OS 10.4.7) sitting side-by-side. From the XP laptop, I can get into the VPN using XP's built-in client without any problems. The DNS lookup and authentication steps take about 2-3 seconds combined. Once the connection is established, both external sites (cnn.com) and internal sites (intranet.companyname.local) load in a browser window without any appreciable delay. I can also access Windows shared drives on the internal network without problems, including large (10's of MB or more) file copies to/from the XP laptop's HD.
  On the Powerbook, using Tiger's built-in VPN client, I can connect OK (though the authentication step takes a bit longer, about 4-5 seconds), but after that, almost nothing works. I can ping the internal DNS server, but after a few pings with reasonable delays (~15 millisecond range), the round-trip times suddenly jump to handfuls of seconds. In the browser, trying to load an internal webpage (http://intranet.companyname.local) times out before anything shows up on screen. In Finder, using Go>Connect to Server... very slowly establishes the connection (~10-15 seconds or longer), and sometimes opens a Finder window... but then invariably times out. I have never once had the connection remain stable enough to transfer so much as a single file from the shared volume onto the Powerbook's Desktop before it times out and disconnects.
  On the XP machine, relevant(?) VPN config settings are:
  require secured password
  require data encryption (disconnect if none)
  PPTP VPN
  LCP extensions enabled
  software compression enabled
  multi-link negotiation for single link connections DISABLED
  server type = PPP
  transports = TCP/IP
  authentication = MS CHAP
  encryption = MPPE 128
  compression = none
  PPP multilink framing = off
  and, once the VPN connection is established, parameters are (from "ipcofig /all"):
  Windows IP Configuration
  Host Name . . . . . . . . . . . . : (companyname)-hj2
  Primary Dns Suffix . . . . . . . : (companyname).local
  Node Type . . . . . . . . . . . . : Unknown
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : (companyname).local
  Ethernet adapter Wireless Network Connection:
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2915ABG Network Connection
  Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
  Dhcp Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IP Address. . . . . . . . . . . . : 192.168.1.104
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.1.1
  DHCP Server . . . . . . . . . . . : 192.168.1.1
  DNS Servers . . . . . . . . . . . : 192.168.1.1
  PPP adapter (ConnectionName):
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
  Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
  Dhcp Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 172.16.0.70
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 172.16.0.70
  DNS Servers . . . . . . . . . . . : 172.16.0.11
  finally, results of "ping -n 10 (InternalServer)":
  Pinging (InternalServer).(companyname).local [172.16.0.5] with 32 bytes of data:
  Reply from 172.16.0.5: bytes=32 time=4ms TTL=128
  Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
  Reply from 172.16.0.5: bytes=32 time=10ms TTL=128
  Ping statistics for 172.16.0.5:
  Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
  Minimum = 4ms, Maximum = 10ms, Average = 9ms
  On the Powerbook, I have a VPN (PPTP) connection set up with "Send all traffic over VPN connection" unchecked. In the Network panel of System Preferences, I have tried manually adding (and removing) "local, (companyname).local" in the Search Domains line, and manually adding (and removing) the IPs of our internal DNS servers (172.16.0.5, 172.16.0.11) under the TCP/IP tab. Proxies are turned off in all cases.
  With those settings, the relevant(?) parts of running "ifconfig" from a Terminal window after starting the VPN are as follows:
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  inet6 fe80::XXX:XXXX:XXXX:XXXX%en1 prefixlen 64 scopeid 0x5
  inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
  ether XX:XX:XX:XX:XX:XX
  media: autoselect status: active
  supported media: autoselect
  fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
  lladdr XX:XX:XX:XX:XX:XX:XX:XX
  media: autoselect <full-duplex> status: inactive
  supported media: autoselect <full-duplex>
  ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
  inet 172.16.0.69 --> 172.16.0.11 netmask 0xffff0000
  The associated connection log from Internet Connect is:
  Tue Jul 18 08:50:57 2006 : PPTP connecting to server 'vpn.(companyname).com' (XXX.XXX.XXX.XXX)...
  Tue Jul 18 08:50:57 2006 : PPTP connection established.
  Tue Jul 18 08:50:58 2006 : using link 0
  Tue Jul 18 08:50:58 2006 : Using interface ppp0
  Tue Jul 18 08:50:58 2006 : Connect: ppp0 <--> socket[34:17]
  Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xb851f701> <pcomp> <accomp>]
  Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfReq id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
  Tue Jul 18 08:50:58 2006 : lcp_reqci: returning CONFACK.
  Tue Jul 18 08:50:58 2006 : sent [LCP ConfAck id=0x1 <mru 1492> <auth chap MS> <magic 0x80697000>]
  Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
  Tue Jul 18 08:50:58 2006 : sent [LCP ConfReq id=0x2 <magic 0xb851f701>]
  Tue Jul 18 08:50:58 2006 : rcvd [LCP ConfAck id=0x2 <magic 0xb851f701>]
  Tue Jul 18 08:50:58 2006 : sent [LCP EchoReq id=0x0 magic=0xb851f701]
  Tue Jul 18 08:50:58 2006 : rcvd [CHAP Challenge id=0x1 <4f0656add65818c2>, name = "Guest"]
  Tue Jul 18 08:50:58 2006 : sent [CHAP Response id=0x1 <0000000000000000000000000000000000000000000000004c86e5ccf08b95431034ef14706021 d358dc21b96a59157301>, name = "(UserName)"]
  Tue Jul 18 08:50:58 2006 : rcvd [LCP EchoRep id=0x0 magic=0x80697000]
  Tue Jul 18 08:50:58 2006 : rcvd [CHAP Success id=0x1 "Authentication succeeded, welcome!"]
  Tue Jul 18 08:50:58 2006 : CHAP authentication succeeded: Authentication succeeded, welcome!
  Tue Jul 18 08:50:58 2006 : Disabling 40-bit MPPE; MS-CHAP LM not supported
  Tue Jul 18 08:50:58 2006 : sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
  Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
  Tue Jul 18 08:50:58 2006 : sent [IPCP TermAck id=0x1]
  Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H +M +S +L -D -C>]
  Tue Jul 18 08:50:58 2006 : sent [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
  Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
  Tue Jul 18 08:50:58 2006 : rcvd [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
  Tue Jul 18 08:50:58 2006 : sent [CCP ConfAck id=0x2 <mppe +H -M +S -L -D -C>]
  Tue Jul 18 08:50:58 2006 : MPPE 128-bit stateless compression enabled
  Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
  Tue Jul 18 08:50:58 2006 : sent [IPV6CP ConfReq id=0x1 <addr fe80::020a:95ff:fea5:564c>]
  Tue Jul 18 08:50:58 2006 : sent [ACSCP] 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01
  Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x1 80 57 01 01 00 0e 01 0a 02 0a 95 ff fe a5 56 4c]
  Tue Jul 18 08:50:58 2006 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 10 01 06 00 00 00 01 02 06 00 00 00 01]
  Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0>]
  Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0>]
  Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfNak id=0x2 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:50:58 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:50:58 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:01 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:01 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:04 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:04 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:07 2006 : sent [IPCP ConfReq id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:07 2006 : rcvd [IPCP ConfAck id=0x3 <addr 172.16.0.69> <ms-dns1 172.16.0.11>]
  Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x1 <addr 172.16.0.11> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
  Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-REJ
  Tue Jul 18 08:51:08 2006 : sent [IPCP ConfRej id=0x1 <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
  Tue Jul 18 08:51:08 2006 : rcvd [IPCP ConfReq id=0x2 <addr 172.16.0.11>]
  Tue Jul 18 08:51:08 2006 : ipcp: returning Configure-ACK
  Tue Jul 18 08:51:08 2006 : sent [IPCP ConfAck id=0x2 <addr 172.16.0.11>]
  Tue Jul 18 08:51:08 2006 : ipcp: up
  Tue Jul 18 08:51:08 2006 : local IP address 172.16.0.69
  Tue Jul 18 08:51:08 2006 : remote IP address 172.16.0.11
  Tue Jul 18 08:51:08 2006 : primary DNS address 172.16.0.11
  The problem is that despite this apparently successful negotiation, the VPN connection doesn't really work. If I type "intranet" into the browser URL bar, it doesn't pick it up as "intranet.companyname.local" and instead treats this as a search query, which it passes to google... which times out. If I type "intranet.companyname.local" into the URL bar instead, it appears to do the DNS lookup correctly... but then times out again.
  Ping times look like this at first:
  PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
  64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=16.605 ms
  64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=15.920 ms
  64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=16.154 ms
  ^C
  --- (InternalServer).(companyname).local ping statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 15.920/16.226/16.605/0.284 ms
  ... but then if I try it again two seconds later:
  PING (InternalServer).(companyname).local (172.16.0.5): 56 data bytes
  64 bytes from 172.16.0.5: icmp_seq=0 ttl=128 time=727.144 ms
  64 bytes from 172.16.0.5: icmp_seq=1 ttl=128 time=1727.030 ms
  64 bytes from 172.16.0.5: icmp_seq=2 ttl=128 time=2727.260 ms
  64 bytes from 172.16.0.5: icmp_seq=3 ttl=128 time=3726.747 ms
  64 bytes from 172.16.0.5: icmp_seq=4 ttl=128 time=5723.986 ms
  64 bytes from 172.16.0.5: icmp_seq=5 ttl=128 time=5719.810 ms
  64 bytes from 172.16.0.5: icmp_seq=6 ttl=128 time=6720.334 ms
  64 bytes from 172.16.0.5: icmp_seq=7 ttl=128 time=6719.848 ms
  ^C
  --- (InternalServer).(companyname).local ping statistics ---
  15 packets transmitted, 8 packets received, 46% packet loss
  round-trip min/avg/max/stddev = 727.144/4224.020/6720.334/2176.543 ms
  OK, enough for now. Can anyone spot what I might be doing wrong, and/or suggest something to try to remedy this? If there is any additional logging/debug info that would be useful, please ask and I will track it down.
  Thanks very much in advance!!! /HJ

  Problem not entirely solved, but mostly working now. It turns out the issue was with the 3Com OfficeConnect VPN box. It was causing all sorts of headaches and had to be manually power cycled at least once a week, so we ditched it and got a Linux-based Firewall/VPN appliance (http://www.ingate.com/ingate_vpn.php).
  Now I can connect and mount Windows drives via SMB (both the command line and the Finder's "Connect to Server" approach seem to work). Performance still exhibits annoying lags at random times, and occasionally the VPN connection disconnects for no good reason, but at least I can get at my files from home. The other issues -- such as being able to resolve "xxx.yyy.local" addresses in the browser by making sure I hit the internal DNS server before any external ones -- all seem to be network configuration issues on my end.
  In short, my guess is that the 3Com box was causing issues with some low-level timing parameters or other related settings in how the VPN connection was being established. I was just starting to teach myself about ARP tables, NTLMv2 authentication, and the like when we replaced it with the new firewall.
  Hope this helps.
  /Heywood

• SCCM Console Won't Connect to Site Server WMI Connection Issues

  Ok, I've been scratching my head with this one for a while. We're running SCCM 2007 R3 in native mode, site server is Win 2008 Std R2, Config Mgr database sits on a seperate SQL box. When I launch the console (user account I use when logged into server
  which is a member of SMS Admins group) on my Win 7 machine I receive the error..
  The ConfigMgr console could not connect to the Config Mgr site database. Verify that this computer has network connectivity to the SMS Provider computer and that your user account has Remote Activation permissions on both the Config Mgr site server and SMS
  Provider computers
  I've read numerous articles around DCOM permissions, I can confirm have all been set on the site server and SMS Admins group has the Remote Activation permission checked. Also I can open WMI, select properties to view the WMI namespace structure, permissions
  on the SMS folder and subfolders are set as per microsoft articles.
  So then I launched wbemtest from my Win 7 machine, when I try and connect to
  \\[SiteServer]\root\sms\Site_SiteCode. I receive WMI error below. I can however connect successfully to WMI on any other server
  Number: 0x80070005
  Facility: Win32
  Description: Access is denied
  When logged into SCCM Site server and open wbemtest I can't remotely connect using WMI to any server in our domain, each time receiving the error below.
  Error
  Number: 0x800706ba
  Facility: Win32
  Description: The RPC server is unavailable
  Whilst logged onto the site server I can use wbemtest to connect to itself using the SMS Provider namespace(\\[SiteServer]\root\sms\Site_SiteCode) which would suggest the WMI isn't corrupt.
  It appears that I can't connect remotely to or from this machine using WMI, that something is blocking or not allowing the connection maybe? Please note the Windows Firewall is disabled, we don't use any third party firewall software on our servers and
  WMI service is started.
  Any ideas or suggestions on this one would be most welcome.
  Cheers

  Hi Eswar, thanks for the reply. This is the extract from the adminUI.log when I try and launch the console
  [6][20/01/2012 10:24:21] :Insufficient privilege to connect, error: 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'\r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n  
  at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObjectSearcher.Initialize()
     at System.Management.ManagementObjectSearcher.Get()
     at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.Connect(String configMgrServerPath)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)\r\n
  [6][20/01/2012 10:24:21] :Microsoft.ConfigurationManagement.ManagementProvider.SmsConnectionException\r\nThe ConfigMgr Administrator console could not connect to the ConfigMgr site database. Verify your user has read permissions to the ConfigMgr site and then
  try to connect again.
  \r\n   at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.BuildTreeWorker()\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  \r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObjectSearcher.Initialize()
     at System.Management.ManagementObjectSearcher.Get()
     at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.Connect(String configMgrServerPath)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)\r\n
  [8][20/01/2012 10:25:37] :Insufficient privilege to connect, error: 'Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'\r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n  
  at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObjectSearcher.Initialize()
     at System.Management.ManagementObjectSearcher.Get()
     at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.Connect(String configMgrServerPath)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)\r\n
  [8][20/01/2012 10:25:37] :Microsoft.ConfigurationManagement.ManagementProvider.SmsConnectionException\r\nThe ConfigMgr Administrator console could not connect to the ConfigMgr site database. Verify your user has read permissions to the ConfigMgr site and then
  try to connect again.
  \r\n   at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.BuildTreeWorker()\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  \r\nSystem.UnauthorizedAccessException\r\nAccess is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\r\n   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
     at System.Management.ManagementScope.InitializeGuts(Object o)
     at System.Management.ManagementScope.Initialize()
     at System.Management.ManagementObjectSearcher.Initialize()
     at System.Management.ManagementObjectSearcher.Get()
     at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlConnectionManager.Connect(String configMgrServerPath)
     at Microsoft.ConfigurationManagement.AdminConsole.SmsSiteConnectionNode.GetConnectionManagerInstance(String connectionManagerInstance)\r\n
  [3][20/01/2012 10:25:48] :Failure while loading required 'WQL' query engine, console cannot connect

• WLC 5508 7.0.98.0 has vpn client connection issues

  Hi
  my guest ssid is set to L2 security none and L3 Web policy and authentication local. clients that need to connect to some vpn server (internet) are reporting disconnection issues with the vpn session but not the wireless network. as soon as they get connected via another wireless internet connection the vpn connection gets stable. that makes me thing is in deed the my wireless network the one causing issues.  is there a know issues with the web authentication WLAN and vpn clients?  no firewall in the middle.
  Exclusionlist.................................... Disabled
  Session Timeout.................................. Infinity
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ xxxxxxxxxxxxxxxx
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  --More or (q)uit current module or <ctrl-z> to abort
  Quality of Service............................... Bronze (background)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Disabled
     Accounting.................................... Disabled
     Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
     802.11 Authentication:........................ Open System
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Enabled
          ACL............................................. Unconfigured
          Web Authentication server precedence:
          1............................................... local
     Web-Passthrough............................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     H-REAP Local Switching........................ Disabled
     H-REAP Learn IP Address....................... Enabled
     Client MFP.................................... Optional but inactive (WPA2 not configured)
     Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled

  Thanks Scott,
  We have two controllers and all the APs (50) are associated with the primary Controller,what is the best path to follow for the upgrade.
  we don't have Field recoversy image installed on our controller, do we have to do the FSU upgrade?
  (Cisco Controller) >show sysinfo
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.0.98.0
  Bootloader Version............................... 1.0.1
  Field Recovery Image Version..................... N/A
  Firmware Version................................. FPGA 1.3, Env 1.6, USB console                                                        1.27
  Build Type....................................... DATA + WPS
  System Name...................................... Airespace_01
  System Location..................................
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
  IP Address....................................... 10.0.0.201
  Last Reset....................................... Power on reset
  System Up Time................................... 9 days 2 hrs 57 mins 21 secs
  System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
  Current Boot License Level....................... base
  Current Boot License Type........................ Permanent
  Next Boot License Level.......................... base
  Next Boot License Type........................... Permanent
  Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
  Is the below Upgrade Path make sense ?
  1. Upgrade the Primary controller and reboot- wait till all APs associate with primary controller and download the new image
  2. Upgrade the secondary controller and reboot
  3. Failover the APs to secondary controller and test
  Siddhartha

• Hardware 3002 VPN desktop connection issue

  Customer using a windows xp workstation fails to connect to the domain through the VPN tunnel. appears that the IP traffic is not flowing until a ping is initiated form the host end of the tunnel. The 3002 tunnel connects to the 3015 without any issues, all traffic is tunneled. This is an ethernet connection to an ISP. After the workstation is pinged from the host end the user can then logoff and logon then has domain autthetication and can then get to domain resources.

  disable the ip inspect command on the inside interface and then try again it will work

• Cisco ASA Site to Site VPN with routers on inside

  I have been asked to setup a site to site vpn to connect two remote offices.
  We have two ASA 5510's, one on each side.
  I can get the two ASA's setup and setup the VPN and have everything work like it is suppose to. Traffic passing from local network to remote network.
  However, I have been asked to add two secure routers to the setup. One secure router between the local network and the ASA, and the other the same on the other end, between the remote network and it's ASA
  Essentially, just like this:
  LAN---------------------Router-------------------------ASA----------------ISP-----------ASA-------------------------Router---------------------------LAN
  192.168.1.x   (inside 192.168.1.1)        (inside 10.0.1.1)               (inside 10.0.2.1)            (inside 192.168.2.1)          192.168.2.x
                            (outside 10.0.1.2)           (outside public ip)             (outside public ip)          (outside 10.0.2.2)
  I don't understand how this is suppose to work. I can get each side configured so that the clients on the inside can get out to the internet.
  A local client using the inside interface of the router as the gateway, the router then sends by route this traffic to the ASA's inside interface which then forwards the traffic to the default route/gateway of the ASA to the ISP gateway out to the internet.
  However, when I am thinking about the VPN I don't understand how it is suppose to work. Because the LAN address get's translated to the outside address of the Router which is 10.0.0.2, so that it goes to the ASA inside address 10.0.0.1. If I were to ping an ip address of the other LAN, it shows up as coming from 10.0.0.2 which wouldn't be part of the VPN traffic, since the VPN traffic is the local addresses as it was setup with just the two ASA's. I don't see changing the VPN traffic to the 10.0.0.0 network working because the clients on the remote network have 192.168.2.x addresses. While the ASA and router can translate from 192.168.1.x to 10.0.1.2 to the internet and back will work, I don't see requesting a connection to 192.168.2.x from 192.168.1.x working).
  If it matters, one router is a cisco 1841, and the other an hp 7102dl.
  I don't really understand why, but they just want to have the routers used in the setup. Whether it is on the inside or outside of the ASA, it doesn't matter.
  Can someone help me make sense of this please?

  Hi Julio,
  To set it up the way you mention would I keep the ip addresses the same or would I need to change them?
  Also, in response to everyone, would setting it up using gre tunnel allow for some clients to still just go straight out to the internet as well as to the "other side" remote lan?
  I appreciate everyones input very much.
  In response to Jouni, yes there is a big L2 switch behind the ASA's, which under the new setup there would be a router between the L2 switch and the ASA.
  This may be an important part I don't understand, but on the router, unless I nat the inside traffic to have the address of the outside interface on the router, then no traffic goes through. I just get messages from the router saying unable to determine destination route seemingly regardless of what static routes I put on the router, but maybe I am just not configuring the static routes correctly.

• Improve perforamce of SA540 site to site VPN

  Site A SA540 : 50M/50M DSL (Country A) (15 users)
  Site B SA540 : 2M/520KB ADSL (Country B) (10 users)
  MTU: 1464 (Test on ping frame)
  We has custom application server and work on  services port 80, this is old application and need to call up dos prompt java.
  We make server on Site A and alos setup up port forward from WAN to custome application server.
  I find out at Site B direct use http services over the WAN just need around 5-10 seconds to launch the applaciton
  On the same machine, we use site to site VPN to connection the application, that will need around 15 ~ 20 seconds or more, alos sometime can not load success the application through VPN, how can I improve it? Or any suggestion I need to pay attend?
  Thanks        

  Chammy,
  I'll echo Tom's comment.  One thing to keep in consideration is that buidling up the VPN tunnel adds overhead to the traffic flow so a slower response over a VPN compared to open access is to be expected and will be more noticable on slower links.
  Shawn Eftink
  CCNA/CCDA
  Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

• TWO Site to Site VPN connections at the same locations

  Hi:
  We have two locations (Site A & Site B) and currently have a site to site vpn stood up that we allow both data and voice traffic to flow across.  However, we have been having MAJOR issues with our voice quality and no luck with improvement using QoS settings, etc.  Therefore, we would like to stand up another site to site connection to have only voice traffic to flow over and haven't been able to do so because at each side we only have a single block of IP's (/29) and it is my understanding that it isn't possible to have two separate VPN tunnels as I am describing when the subnet is the same, is that correct?
  Moving forward, we are looking into adding a 2nd block of addresses to both sides, however, Comcast Business is telling us that it isn't possible with their service :(.
  Does anyone have other options for me besides moving to a different ISP?
  Thank you,
  Stangride

  This is a standard facet of most VPNs - the problem lies in your NAT router since both clients appear to come from the same IP address as far as the VPN server is concerned, and the router can't separate out the traffic.
  There are a couple of solutions.
  First, the built-in VPN server supports L2TP and PPTP protocols. You should be able to connect one system under each protocol, so that gets your two machines connected.
  Second, you can replace your NAT router with one that supports multiple VPN clients (often termed 'VPN passthrough').
  Third, setup a site-to-site tunnel so that your entire LAN is connected to the VPN (this saves you from having to run a separate VPN client on each machine, but is typically only worth it when you have more machines).

• Site to Site VPN issues between PIX506 and ASA5505

  Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
  Corporate
  PIX Version 6.3(5)
  access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  ip address outside xxx.yyy.170.160 255.255.255.0
  ip address inside 192.168.119.1 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
  crypto map mymap 20 ipsec-isakmp
  crypto map mymap 20 match address outside_cryptomap_20
  crypto map mymap 20 set pfs group2
  crypto map mymap 20 set peer aaa.bbb.175.218
  crypto map mymap 20 set transform-set ESP-3DES-SHA
  crypto map mymap 65535 ipsec-isakmp dynamic dynmap
  crypto map mymap client authentication w2k3
  crypto map mymap interface outside
  isakmp enable outside
  isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
  isakmp identity address
  isakmp keepalive 10
  isakmp nat-traversal 10
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption aes-256
  isakmp policy 30 hash sha
  isakmp policy 30 group 5
  isakmp policy 30 lifetime 86400
  vpngroup vpners address-pool ippool
  vpngroup vpners dns-server 192.168.119.11
  vpngroup vpners default-domain mydomain.local
  vpngroup vpners split-tunnel split_tunnel
  vpngroup vpners idle-time 1800
  vpngroup vpners password ********
  Remote Site
  ASA Version 7.2(2)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.2.1 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address aaa.bbb.175.218 255.255.128.0
  access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_20_cryptomap
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer xxx.yyy.170.160
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  tunnel-group xxx.yyy.170.160 type ipsec-l2l
  tunnel-group xxx.yyy.170.160 ipsec-attributes
  pre-shared-key *

  I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

• Can't ping from DC1 behind TMG1 to DC2 behind TMG2 on a site-to-site VPN connection

  Hi,
  I have a weird problem. I have two TMG servers on each site in a hyper-v lab environment. I have been able to establish the site-to-site VPN successfully however when I ping from DC1 behind TMG1(on site 1) to TMG2, DC2, i am able to ping. However the opposite
  doesn't work. After some trial and error, I figured out that the one initiating the demand-dial request is able to ping the other site, not vice-versa..very strange. I would like to know whether ICMP requests could be achieved bi-directionally..
  Secondly, I am able to ping from TMG1 to all the clients sitting behind TMG2 (including the TMG host), however the clients sitting behind TMG1 can't ping TMG2 neither any of the clients behind it. I tried every possible combination under the firewall policies
  but of complete vain. hell, I am starting to develop a very bad feeling about this product because of making such simple tasks overly complex. I mean, if it were a Cisco or Sonicwall, we could have done this so easily. 
  What my final motive is to send LDAP requests from DC1 to DC2 and vice-versa over a site-to-site VPN so that I could set up 2 different sites in AD on different subnets and then proceed with configuring DAG. But if this simple thing turns out to be such
  major roadblock, dunno how am I gonna pass DAG traffic over it.
  Can someone PLEASE help me!! I am completely exhausted researching on this issue.
  Regards,
  Dman

  Hi，
  For site2site VPN, you must create proper network rule and network set and you need to create proper access rule to allow or deny the traffic between VPN network and any other network.
  http://technet.microsoft.com/en-us/library/bb838949.aspx
  Best Regards
  Quan Gu

• ASA 5505 Site to Site VPN issue

  I have been trying to configure a siste to site vpn for a few days now, but not able to get it to connect. The only difference between the two, is one has a dynamic ip. this vpn isn't a priority, so there isn't a need to have the dynamic moved to a static at this time. Here is my configs on both ASA's. any help would be greatly appreciated. I replaced the IP's with x.x.x.x
  ASA 1:
  Result of the command: "SHOW RUN"
  : Saved
  ASA Version 9.0(1)
  hostname ciscoasa
  enable password Yn8Esq3NcXIHL35v encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPNDHCP 10.50.50.1-10.50.50.100 mask 255.0.0.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport trunk allowed vlan 1,3
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  switchport trunk allowed vlan 1,3,13
  interface Ethernet0/4
  switchport access vlan 3
  interface Ethernet0/5
  switchport access vlan 3
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 13
  switchport trunk allowed vlan 1,3
  switchport mode trunk
  interface Vlan1
  nameif Internal
  security-level 100
  ip address 10.0.0.1 255.0.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Vlan3
  no forward interface Vlan1
  nameif Guest
  security-level 50
  ip address 192.168.1.1 255.255.255.0
  interface Vlan23
  nameif EP
  security-level 100
  ip address 192.168.20.254 255.255.255.0
  boot system disk0:/asa901-k8.bin
  boot system disk0:/asa844-1-k8.bin
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  clock timezone EST -5
  clock summer-time EDT recurring
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network GLE-A-Network
  subnet 10.0.0.0 255.0.0.0
  object network GLE-B-Network
  subnet 192.168.2.0 255.255.255.0
  object network Web-Server
  host 10.0.61.230
  object network obj-Guest
  subnet 192.168.1.0 255.255.255.0
  description Guest Wireless
  object network Spiceworks
  host 10.0.1.2
  object network NETWORK_OBJ_10.50.50.0_25
  subnet 10.50.50.0 255.255.255.128
  object network Remote-Desktop-Services
  host 10.0.1.2
  object network Web-Server-SSL
  host 10.0.23.1
  object service RDP
  service tcp source eq 3389 destination eq 3389
  object network RemoteDesktop
  host 10.0.61.240
  object network obj-PerryCameras-1
  host 10.0.36.1
  object network obj-PerryCameras-2
  host 10.0.36.1
  object network obj-PerryCameras-3
  host 10.0.36.1
  object network DHCP-Server
  host 10.0.1.1
  object network GLE-B-Firewall
  host X.X.X.X
  object network EP-Network
  subnet 192.168.26.0 255.255.255.0
  object network EP-Firewall
  host X.X.X.X
  object network obj-BLDGa
  subnet 192.168.33.0 255.255.255.0
  object network FTP
  host 10.0.61.230
  object-group service SpiceworksPorts tcp
  description https
  port-object eq https
  object-group service RemoteDesktopServices
  service-object tcp-udp destination eq 3389
  object-group service RDS tcp
  description Remote Desktop Services
  port-object eq 3389
  port-object eq https
  object-group service Phone1 tcp
  port-object eq 5522
  object-group service Phone udp
  port-object range 10001 20000
  port-object eq 5522
  object-group service Phones tcp-udp
  port-object range 10001 20000
  port-object eq 5222
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service PerryCameras tcp-udp
  port-object eq 180
  port-object eq 181
  port-object eq 9000
  object-group service Camera1 tcp-udp
  port-object eq 9000
  object-group service Camera2 tcp-udp
  port-object eq 881
  object-group service Camera3 tcp-udp
  port-object eq 1801
  access-list outside_cryptomap extended permit ip object GLE-A-Network object GLE-B-Network
  access-list outside_access_in extended permit tcp any4 object Web-Server eq www
  access-list outside_access_in extended permit tcp any object Web-Server-SSL eq https
  access-list outside_access_in extended permit tcp any object RemoteDesktop eq 3389
  access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-1 object-group Camera1
  access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-2 object-group Camera2
  access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-3 object-group Camera3
  access-list outside_access_in extended permit tcp any4 object FTP eq ftp
  access-list guest_in extended permit udp any4 host 208.67.222.222 eq domain
  access-list guest_in extended permit udp any4 host 208.67.220.220 eq domain
  access-list guest_in extended deny udp any4 any4 eq domain
  access-list guest_in extended permit ip any4 any4
  access-list EP_access_in extended permit object-group TCPUDP any4 any4 eq domain
  access-list EP_access_in extended permit ip any4 any4
  access-list outside_cryptomap_1 extended permit ip object GLE-A-Network object EP-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu Internal 1500
  mtu outside 1500
  mtu Guest 1500
  mtu EP 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-702.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (Internal,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup
  nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static GLE-B-Network GLE-B-Network no-proxy-arp route-lookup
  nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
  nat (EP,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
  object network obj_any
  nat (Internal,outside) dynamic interface
  object network Web-Server
  nat (Internal,outside) static interface service tcp www www
  object network obj-Guest
  nat (Guest,outside) dynamic interface
  object network Spiceworks
  nat (Internal,outside) static interface service tcp 8080 8080
  object network Web-Server-SSL
  nat (Internal,outside) static interface service tcp https https
  object network RemoteDesktop
  nat (Internal,outside) static interface service tcp 3389 3389
  object network obj-PerryCameras-1
  nat (Internal,outside) static interface service tcp 9000 9000
  object network obj-PerryCameras-2
  nat (any,outside) static interface service tcp 881 881
  object network obj-PerryCameras-3
  nat (Internal,outside) static interface service tcp 1801 1801
  object network FTP
  nat (Internal,outside) static interface service tcp ftp ftp
  access-group outside_access_in in interface outside
  access-group guest_in in interface Guest
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 1:00:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server PolicyServer protocol radius
  aaa-server PolicyServer (Internal) host 10.0.1.1
  timeout 5
  key *****
  user-identity default-domain LOCAL
  aaa authentication enable console LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 10.0.0.0 255.0.0.0 Internal
  http authentication-certificate Internal
  snmp-server host Internal 10.200.200.11 community *****
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer X.X.X.X
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 2 match address outside_cryptomap_1
  crypto map outside_map 2 set pfs
  crypto map outside_map 2 set peer X.X.X.X
  crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  crl configure
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable Internal
  crypto ikev2 enable outside
  crypto ikev1 enable Internal
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.1.5-192.168.1.229 Guest
  dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
  dhcprelay server 10.0.1.1 Internal
  dhcprelay enable Guest
  dhcprelay setroute Guest
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  dynamic-filter updater-client enable
  dynamic-filter use-database
  dynamic-filter enable
  dynamic-filter enable interface Internal
  dynamic-filter enable interface outside
  dynamic-filter enable interface Guest
  dynamic-filter drop blacklist
  ntp server 10.0.1.1 source Internal prefer
  webvpn
  anyconnect-essentials
  group-policy GroupPolicy_X.X.X.X internal
  group-policy GroupPolicy_X.X.X.X attributes
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
  group-policy GroupPolicy_X.X.X.X internal
  group-policy GroupPolicy_X.X.X.X attributes
  vpn-tunnel-protocol ikev1 ikev2
  group-policy VPNUSER internal
  group-policy VPNUSER attributes
  dns-server value 10.0.1.1 192.168.2.230
  vpn-tunnel-protocol ikev1
  username admin password kSXIy6qd1ZTBFL9/ encrypted
  username danpoynter password XEQ0M75K1B1E6VtM encrypted privilege 0
  username danpoynter attributes
  vpn-group-policy VPNUSER
  tunnel-group X.X.X.X type ipsec-l2l
  tunnel-group X.X.X.X general-attributes
  default-group-policy GroupPolicy_X.X.X.X
  tunnel-group X.X.X.X ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  tunnel-group X.X.X.X type ipsec-l2l
  tunnel-group X.X.X.X general-attributes
  default-group-policy GroupPolicy_X.X.X.X
  tunnel-group X.X.X.X ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  hpm topN enable
  Cryptochecksum:b29f5ff3b9db58467b0eb509bc068c2f
  : end
  ASA 2:
  Result of the command: "SHOW RUN"
  : Saved
  ASA Version 9.0(1)
  hostname ciscoasa
  enable password TYEBBb7SkpIC3BiW encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool remotevpnusers 192.168.12.25-192.168.12.55 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 4
  interface Ethernet0/2
  switchport access vlan 3
  switchport trunk allowed vlan 3-4
  interface Ethernet0/3
  switchport access vlan 20
  interface Ethernet0/4
  switchport access vlan 21
  interface Ethernet0/5
  switchport access vlan 22
  interface Ethernet0/6
  switchport access vlan 4
  switchport trunk allowed vlan 3-4,20-22
  switchport mode trunk
  interface Ethernet0/7
  interface Vlan1
  nameif Management
  security-level 100
  ip address 192.168.31.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.240
  interface Vlan3
  description EP Guest Network
  no forward interface Vlan4
  nameif Guest
  security-level 50
  ip address 192.168.27.1 255.255.255.0
  interface Vlan4
  nameif Internal
  security-level 100
  ip address 192.168.26.254 255.255.255.0
  interface Vlan20
  description BLDG-A Subnet
  nameif BLDG-A
  security-level 100
  ip address 192.168.20.254 255.255.255.0
  interface Vlan21
  nameif BLDG-B
  security-level 100
  ip address 192.168.21.254 255.255.255.0
  interface Vlan22
  nameif BLDG-C
  security-level 100
  ip address 192.168.22.254 255.255.255.0
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_192.168.12.0_26
  subnet 192.168.12.0 255.255.255.192
  object network NETWORK_OBJ_192.168.26.0_24
  subnet 192.168.26.0 255.255.255.0
  object network obj-KeoweeCameras
  host 192.168.26.10
  description Keowee Street Cameras
  object network Inside
  subnet 192.168.26.0 255.255.255.0
  description Inside Network Route
  object network Guest
  subnet 192.168.27.0 255.255.255.0
  description Guest Network Route
  object network Internal
  subnet 192.168.26.0 255.255.255.0
  object network obj-HunterCameras
  host 192.168.21.20
  description Hunter Cameras
  object network obj-Spiceworks
  host 192.168.26.8
  object network Electro-Polish-Network
  subnet 192.168.26.0 255.255.255.0
  object network GLE-Firewall
  host x.x.x.x
  object network GLE-Network
  subnet 10.0.0.0 255.0.0.0
  object network BLDG-A
  subnet 192.168.20.0 255.255.255.0
  object network BLDG-B
  subnet 192.168.21.0 255.255.255.0
  object network BLDG-C
  subnet 192.168.22.0 255.255.255.0
  object network DCG-Server01
  host 192.168.26.9
  object network NETWORK_OBJ_192.168.21.0_24
  subnet 192.168.21.0 255.255.255.0
  object network VPN-POOL
  subnet 192.168.12.0 255.255.255.0
  object network EP-VPN-Network
  subnet 192.168.26.0 255.255.255.0
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service CameraSystem tcp-udp
  port-object eq 18004
  port-object eq 26635
  port-object eq 76
  access-list electroremote_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
  access-list electroremote_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list electroremote_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
  access-list electroremote_splitTunnelAcl standard permit 192.168.22.0 255.255.255.0
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-KeoweeCameras object-group CameraSystem
  access-list outside_access_in extended permit object-group TCPUDP any4 object obj-HunterCameras object-group CameraSystem
  access-list outside_access_in extended permit tcp any4 object obj-Spiceworks eq https
  access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq https
  access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq www
  access-list Guest_access_in extended permit udp any4 host 208.67.222.222 eq domain
  access-list Guest_access_in extended permit udp any4 host 208.67.220.220 eq domain
  access-list Guest_access_in extended deny udp any4 any4 eq domain
  access-list Guest_access_in extended permit ip any4 any4
  access-list inside_access_in extended permit udp any4 host 208.67.222.222 eq domain
  access-list inside_access_in extended permit udp any4 host 208.67.220.220 eq domain
  access-list inside_access_in extended deny udp any4 any4 eq domain
  access-list inside_access_in extended permit ip any4 any4
  access-list Internal_access_in extended permit udp any4 host 208.67.222.222 eq domain
  access-list Internal_access_in extended permit udp any4 host 208.67.220.220 eq domain
  access-list Internal_access_in extended deny udp any4 any4 eq domain
  access-list Internal_access_in extended permit ip any any4
  access-list ip-qos extended permit ip 192.168.27.0 255.255.255.0 any
  access-list ip-qos extended permit ip any 192.168.27.0 255.255.255.0
  access-list electroremote_splittunnelacl standard permit 192.168.20.0 255.255.255.0
  access-list electroremote_splittunnelacl standard permit 192.168.21.0 255.255.255.0
  access-list electroremote_splittunnelacl standard permit 192.168.22.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
  pager lines 24
  logging enable
  logging asdm informational
  mtu Management 1500
  mtu outside 1500
  mtu Guest 1500
  mtu Internal 1500
  mtu BLDG-A 1500
  mtu BLDG-B 1500
  mtu BLDG-C 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-702.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL
  nat (BLDG-B,outside) source static BLDG-B BLDG-B destination static VPN-POOL VPN-POOL
  nat (BLDG-C,outside) source static BLDG-C BLDG-C destination static VPN-POOL VPN-POOL
  nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
  nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
  nat (Internal,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
  nat (outside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
  nat (Internal,outside) source static EP-VPN-Network EP-VPN-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
  nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static GLE-Network GLE-Network no-proxy-arp route-lookup
  object network obj_any
  nat (Internal,outside) dynamic interface
  object network obj-KeoweeCameras
  nat (Internal,outside) static x.x.x.x
  object network Inside
  nat (Internal,outside) dynamic interface
  object network Guest
  nat (Guest,outside) dynamic x.x.x.x
  object network Internal
  nat (Internal,outside) dynamic interface
  object network obj-HunterCameras
  nat (BLDG-B,outside) static x.x.x.x
  object network obj-Spiceworks
  nat (Internal,outside) static x.x.x.x service tcp https https
  object network BLDG-A
  nat (BLDG-A,outside) dynamic interface
  object network BLDG-B
  nat (BLDG-B,outside) dynamic interface
  object network BLDG-C
  nat (BLDG-C,outside) dynamic interface
  object network DCG-Server01
  nat (any,any) static x.x.x.x
  access-group inside_access_in in interface Management
  access-group outside_access_in in interface outside
  access-group Guest_access_in in interface Guest
  access-group Internal_access_in in interface Internal
  route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server IAS protocol radius
  aaa-server IAS (Internal) host 192.168.26.1
  timeout 5
  key *****
  user-identity default-domain LOCAL
  aaa authentication telnet console LOCAL
  http server enable
  http 192.168.31.0 255.255.255.0 Management
  http 192.168.26.0 255.255.255.0 Internal
  http x.x.x.x 255.255.255.255 outside
  http authentication-certificate Management
  snmp-server host Internal 192.168.26.8 community ***** version 2c
  snmp-server location Building A
  snmp-server contact Dan Poynter
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer x.x.x.x
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map BLDG-B_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map BLDG-B_map interface BLDG-B
  crypto map BLDG-A_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map BLDG-A_map interface BLDG-A
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev2 enable Internal
  crypto ikev1 enable outside
  crypto ikev1 enable Internal
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.26.0 255.255.255.0 Internal
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  management-access Internal
  dhcpd auto_config outside
  dhcpd address 192.168.27.50-192.168.27.100 Guest
  dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
  dhcprelay server 192.168.26.1 Internal
  dhcprelay server 192.168.26.2 Internal
  dhcprelay enable Guest
  dhcprelay enable BLDG-A
  dhcprelay enable BLDG-B
  dhcprelay enable BLDG-C
  dhcprelay setroute Guest
  dhcprelay setroute BLDG-A
  dhcprelay setroute BLDG-B
  dhcprelay setroute BLDG-C
  dhcprelay timeout 60
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_x.x.x.x internal
  group-policy GroupPolicy_x.x.x.x attributes
  vpn-tunnel-protocol ikev1 ikev2
  group-policy electroremote internal
  group-policy electroremote attributes
  dns-server value 192.168.26.1
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value electroremote_splitTunnelAcl
  default-domain value electropolish.local
  username epadmin password Iu2OqCfOGoYIZ5iC encrypted privilege 15
  username epadmin attributes
  service-type nas-prompt
  tunnel-group electroremote type remote-access
  tunnel-group electroremote general-attributes
  address-pool remotevpnusers
  authentication-server-group IAS
  default-group-policy electroremote
  tunnel-group electroremote ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group x.x.x.x general-attributes
  default-group-policy GroupPolicy_x.x.x.x
  tunnel-group x.x.x.x ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map icmp-class
  match default-inspection-traffic
  class-map inspection_default
  match default-inspection-traffic
  class-map qos
  description qos policy
  match access-list ip-qos
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map icmp_policy
  class icmp-class
  inspect icmp
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  policy-map qos
  class qos
  police output 1048500 1048576
  police input 256000 256000
  service-policy global_policy global
  service-policy icmp_policy interface outside
  service-policy qos interface Guest
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:3f2034bf1ad61529c601c097d6f60bad
  : end

  Hi,
  Are you saying that all traffic is working from central site to remote site when remote sites devices are in the "inside" Vlan? All but the phones even if they are in the "inside" Vlan?
  Are you sure you have the NAT configurations correctly on the remote site for the other LAN interface?
  Are you seing any connections from the phones when they are in the original "inside" interface of the remote ASA? Dont they usually get the Call Manager IPs from the DHCP server and then connect with TFTP to the Call Manager after which they form a TCP/2000 port connection to the Call Manager? I'm not really familiar with Cisco Phones other than what I see on the firewalls from time to time.
  Are you sure you remote ASA and Switch are configure correctly when you add the second Vlan to the switch? Can you see the phones on the remote ASA with "show arp" command when they are powered on?
  There should not be identical security-levels on the interfaces of the remote ASA unless the phones need to connect to the other local "inside" network. Then it would be logical for the interfaces both to be security-level 100. Interface "outside" is usually set to 0.
  Guess we would need to see the configurations for the ASAs to confirm that everything is in order.
  - Jouni

• Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

  OK, so our primary firewall is a checkpoint gateway. Behind that we have a cisco ASA for vpn users. I have a project at the moment where we need to connect to another company using site to site VPN through the cisco ASA, as the checkpoint gateway is unable to establish a permanent tunnel with the other companies Cisco ASA.
  What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch? 
  Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
  When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
  Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
  The ASA is connected to a checkpoint sub interface
  Any help would be beneficial as im new to cisco ASAs 
  Thanks
  Mark

  Mark
  If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
  HTH
  Rick

• Easy vpn or site-to-site vpn for back up connection?

  Hi,
  All of my remote sites are connected to HQ via MPLS circuits. I would like to create back link for those remote sites using 871 routers with DSL connection and terminate ipsec vpn tunnels at the outside interface of ASA5540 located at HQ.
  The 871 routers will be configured HSRP standby mode. It becomes active and forward traffic when the main router of the remote site losses connection to HQ.
  Questions:
  1. Has anyone had similar requirements and use easy vpn as a solution? will site-to-site work better for this scenario?
  2. How to make ASA5540 handle the routes properly when it sees the same subnets located on both Inside interface and the other end of the tunnel which is terminated at the outside interface?
  Static routes are configured on the ASA.
  3. I also try to avoid user entering username and password for interactive authentication in easy vpn.
  Thanks so much in advance.
  PH

  yes you can site-to-site VPN as a backup.
  If the interface going to the backup connection is an interface different than the outside interface, and if the regular connection going down means that the outside interface will go down, then you only need an additional default route, but with a higher metric than your regular route.
  But if both connections go out the same interface, or if the outside interface will not go down when the primary Internet connection goes down, then you'll need to take a different approach. ASA 7.2 code introduced a feature called "Standby ISP Support", which allows the firewall to keep an active track on an Internet connection, and if that connection
  fails, switch to a different connection.
  Try this link:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806403ec.html#wp1090243

• 2 x 2911 HSEC router 3 ADSL connections each Site ti Site VPN Load Balancing Failover

  Hello,
  My senario is as described in Title.
  Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
  Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
  All ADSL connections have static IPs and belong to same ISP.
  Need - Site to Site VPN between the routers.
  Client requests to load balance the traffic, due to poor ADSL speed and have a failover senarion in case an ADSL line goes down.
  Any help will be appreciated.

  I don't believe you will find a One solution for this. 
  An idea would be to have all three ADSLs paired with ADSL on the other side. 
  Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric. 
  This will cause IOS to load balance natively. 
  Potential problem: return path might not be the same as forward path, but it should not matter much for most applications. 
  Potential cool thing you can do: All the "magical" things in routing world (Did I head PfR?). FlexVPN on top to make it more flexible. 
  Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running. 

• From Azure unable to connect internal LAN network with windows RRAS site to site VPN

  Hi All,
  Below is my scenario.
  Our side.
  We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
  on RRAS server we have two interfaces
  eth0- 10.1.1.1
  eth1- 10.1.1.2
  We have natted(static nat) internal ip (eth0) 10.1.1.1 with public ip 1.1.1.1 (eg.).
  On Azure,
  We created a gateway, and two VMs.
  VM1 = 11.11.11.1
  VM2 = 11.11.11.2
  Both VMs can ping each other.
  VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
  We can ping, tracert and rdp the RRAS server using both the interfaces IP [eth0- 10.1.1.1   ,    eth1- 10.1.1.2]
  But we are unable to ping, tracert or rdp our other internal Lan machines on 10.1.x.x
  So we can reach Azure VM from our RRAS and
  we can reach RRAS server from Azure VM.
  But we cannot reach our other internal Lan machines from Azure VM and from other internal Lan machine to Azure VM.
  Please help?

  I will give you some pointers to check.
  The reason for this could be one of the two
  - local site in azure virtual network is not configured correctly
  - route for the azure subnet is not setup correctly on rras server
  Can you please validate the above?
  Open the Routing and Remote access UI and verify that there is a static route for azure subnet and the interface is the public ip of the azure gateway.
  Also verify that you have a local site created with the on-premises subnet and added in the azure virtual network.
  What is the gateway specified in the on-premises VM. Provide it as the IP of eth1, the IP that is not natted
  Is NAT allowing all traffic in or is it restricted to certain points.
  This posting is provided "AS IS" with no warranties, and confers no rights