Site-to-site vpn with 2 asa and home router

Similar Messages

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Site to Site VPN with 2 ASA 5510's

  Hello guys,
  Im hoping yall can help me with the following objective. I have been tasked to make a site to site VPN between two networks. We are both using an ASA 5510.
  This is the scenario:
  SiteA has an wan adress of (example) 20.20.20.20  - The firewall is connected to a DMZ range : 192.168.0.0 255.255.255.0. In this range there is another firewall which grants/blocks acces to the internal range. 10.20.0.0 255.255.0.0
  SiteB has an wan adress of (example) 21.21.21.21 - The internal range is 10.0.0.0 255.0.0.0 No DMZ.
  How can i connect these 2 devices since there is an overlap. I am gonna need to use nat right? Can someone give me readable  Access rule/Nat Rule and maybe advice / some other things i need to think of.
  Hope to hear from yall. Any advice is highly appriciated.
  Thanks in advance

  Hi,
  Well regarding the remote site I suppose if they are using hosts from ranges 10.0.1.0/24 and 10.0.2.0/24 they could simply NAT these portions of the network towards the L2L VPN connection. For example NAT them to subnets 192.168.101.0/24 and 192.168.102.0/24
  But you also seem to have a large subnet on your side since its 10.20.0.0/16. Because of this I would suggest narrowing it down to the hosts or smaller subnets like above with the remote site because simply NATing the whole subnet 10.20.0.0/16 to some other private range that is NOT from the 10.0.0.0/8 range would probably cause problems in the long run.
  Lets presume that on your side the network that needs to access the L2L VPN is 10.20.1.0/24 and we would NAT that to 192.168.201.0/24 then your NAT configuration could look like this
  object network DMZ-INTERNAL
    subnet 10.20.1.0 255.255.255.0
  object network DMZ-INTERNAL-NAT
   subnet 192.168.201.0 255.255.255.0
  object-group network REMOTE-NETWORKS
   network-object 192.168.101.0 255.255.255.0
   network-object 192.168.102.0 255.255.255.0
  nat (dmz,outside) 1 source static DMZ-INTERNAL DMZ-INTERNAL-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
  In the above configuration we first create an "object" for both the actual internal DMZ subnet and the subnet that we will NAT it to. Then we create an "object-group" that will have inside it both of the remote NATed networks (NAT performed at the remote site).
  Finally the "nat" command itself will perform NAT between "dmz" and "outside" interface and it will NAT "DMZ-INTERNAL" to "DMZ-INTERNAL-NAT" when the destination is "REMOTE-NETWORKS". The NAT configuration is bidirectional so it naturally handles which ever directin the connection is attempted. The names of the objects are up to the user.
  The ACL that defines the local and remote networks for the L2L VPN should use the NAT subnets of each site.
  If you want to restrict the traffic from the remote site then this can be done in a couple of ways. At its default settings the ASA will allow ALL traffic from the remote site behind the L2L VPN connection.
  You can use the command "show run all sysopt" to list some configurations that will tell us how your ASA has been set to handle VPN related traffic. The command we are looking for is "sysopt connection permit-vpn". This is the default setting that allows all traffic from VPN connections. If you were to change this to "no sysopt connection permit-vpn" then you could simply use the interface ACL of the interface that terminates the L2L VPN connection on your side to select what traffic is allowed. You would allow traffic the same way as if you were allowing traffic from Internet to your servers.
  The problem with this setup is if you have other existing VPN connections (VPN Client and L2L VPN) because they would also require their traffic to be allowed in your external interfaces ACL if you changed the above mentioned global setting.
  The other option is to configure a VPN Filter ACL that you will then attach to a "group-policy". You will then attach that "group-policy" to the "tunnel-group" of the L2L VPN connection.
  The actual ACL used for the VPN Filter purpose is a norma ACL but you will always have to configure the remote network as the source in the ACL and this usually causes some confusion.
  - Jouni

• Site to Site VPN with an Asa 5510 & 5505

  Hey all,
  Im hoping anyone can help me because i cant seem to figure it out. I managed to create an site to site vpn between location a an b.
  I will be using fictional wan adresses.
  SiteA 20.20.20.20
  SiteB 21.21.21.21
  Site B is a very simple netwerk. We have a Asa 5505 and directly plugged into this ASA is my computer. I get an DHCP adress from the asa etc. I use the range 192.168.1.0 /24 for this.
  Site A is a little bit more complex. I have ASA 5510 with 2 configured interfaces. Outside (Called WAN) and Inside (called DMZ)
  The DMZ uses the range 192.168.200.0 /24
  Inside the DMZ i have another firewall (UTM appliance) configured at(this is a fictional ip adress) 192.168.200.1
  This firewall serves as gateway for the lan and also has 2 interfaces. One on the LAN side and one on the DMZ side. (DMZ 192.168.200.1 - LAN 10.1.1.254) The ASA has a static route configured towards the LAN.
  How can i create a site to site from Site A's LAN to SiteBs. I have managed to create a Site to Site to A's DMZ. This works. I can RDP and PING adresses in the DMZ but whenever i try to reach the lan i get no reply. My first suspicion was that the UTM would block it but i cant find anything in its log files.
  Would love some input. (i created the site to site using the GUI)

  Hi,
  I think you should be able to do it. You just need to allow the required ports for LAN to LAN VPN like UDP 500 , ESP , 4500 etc.
  Use NAT exempt on the UTM and add the Subnet to the Crypto ACL on the ASA device on both the Sides.
  This should be able to do it.
  Thanks and Regards,
  Vibhor Amrodia

• Site-to-site VPN with dual ASA 5510s

  Hi,
  I have recently been asked to configure a VPN between two sites using an ASA 5510 at each end. I used the VPN Site-to-site wizard in ASDM on both devices and followed the instructions for the wizard to the letter. However I don't seem able to get any kind of VPN up and running. If anyone could point out where I'm going wrong then I would very much appreciate it.

  Here is the sanitised running config of SiteA:
  ASA Version 8.0(2)
  hostname MCRASA
  domain-name isal.local
  enable password xxx
  names
  interface Ethernet0/0
  description External WAN
  nameif outside
  security-level 0
  ip address 81.*.*.82 255.255.255.240
  interface Ethernet0/1
  description Internal LAN
  nameif inside
  security-level 100
  ip address 192.168.254.2 255.255.255.0
  interface Ethernet0/2
  description Demarcation zone
  nameif dmz
  security-level 50
  ip address 10.30.30.1 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  description MCRASA management
  nameif management
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  management-only
  passwd xxx
  ftp mode passive
  dns server-group DefaultDNS
  domain-name isal.local
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
  access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  mtu management 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-602.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 81.*.*.82 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.254.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 82.*.*.50
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp enable inside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.254.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access management
  dhcpd address 192.168.2.2-192.168.2.5 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  webvpn
  csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
  username fraser password xxx encrypted privilege 15
  username fraser attributes
  memberof LOCAL
  tunnel-group 82.*.*.50 type ipsec-l2l
  tunnel-group 82.*.*.50 ipsec-attributes
  pre-shared-key *
  prompt hostname context
  Cryptochecksum:xxx

• Site to Site VPN with Overlapping network and other network Access..

  Hi all,
  i need to setup a site to site Tunnel to a remote site. My remote site got the network which has overlapped with one of our network(192.168.10.0/24) in my site. remote site dont need to access this network(192.168.10.0/24) in my site ,but they have to access other networks (192.168.x.0)
  i have prepared the below configuration ,relevant to nat to achiev the goal. Appreciate help to verify and help to achive this...
  i have attached one rough diagram also..
  Mysite
  access-list acl-httsamorocco extended permit ip 192.168.73.0 255.255.255.0 192.168.74.0 255.255.255.0
  access-list nonat extended permit ip 192.168.x.0 255.255.255.0 192.168.74.0 255.255.255.0
  access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.74.0 255.255.255.0
  static (inside,outside) 192.168.73.0  access-list policy-nat
  Remote Site
  access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
  static (inside,outside) 192.168.74.0  access-list policy-nat
  Thanks in Advance..
  Shanil

  It has to be configured on both sides.
  X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
  On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Site to Site VPN with rsa-sig

  Hello
  I can't understand why do I have to attach the trustpoint to the crypto map - like this
  ASA(config)# crypto map <MAP> <10> set trustpoint <CA>
  I mean on IOS it works fine without this configuration - so if this is a security issue, then we should NOT use the rsa signature authentication on IOS. If it secure without this command, then why it is here and why do i have to use it (without it I was not able to establish IPsec tunnel between 2 ASAs).
  So what this command does und why do we need it only on ASA?
  Thanks

  Dmytro,
  To begin with, the ASA and the Router are two different devices, so you cannot expect the same behavior from both.
  On the other hand, please check this out:
  crypto map set trustpoint
  To specify the trustpoint that identifies the certificate to send for authentication during Phase 1 negotiations for the crypto map entry, use the crypto map set trustpoint command in global configuration mode.
  This crypto map command is valid only for initiating a connection..
  So it has be in your configuration
  HTH.
  Portu.

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• %ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510

  Hi Friends,
  I'm trying to built client to site VPN in CISCO ASA 5510 8.4(4) and getting below error while connecting cisco VPN client software. Also, I'm getting below log in ASA. Please help me to reslove.
  Error in CISCO VPN Client Software:
  Secure VPN Connection Terminated locally by the client.
  Reason : 414 : Failed to establish a TCP connection.
  Error in CISCO ASA 5510
  %ASA-7-710005: TCP request discarded from <Public IP> /49276 to outside:<Outside Interface IP of my ASA> /10000
  ASA Configuration:
  XYZ# sh run
  : Saved
  ASA Version 8.4(4)
  hostname XYZ
  domain-name XYZ
  enable password 3uLkVc9JwRA1/OXb level 3 encrypted
  enable password R/x90UjisGVJVlh2 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  nameif outside_rim
  security-level 0
  ip address 1.1.1.1 255.255.255.252
  interface Ethernet0/1
  duplex full
  nameif XYZ_DMZ
  security-level 50
  ip address 172.1.1.1 255.255.255.248
  interface Ethernet0/2
  speed 100
  duplex full
  nameif outside
  security-level 0
  ip address 2.2.2.2 255.255.255.252
  interface Ethernet0/3
  speed 100
  duplex full
  nameif inside
  security-level 100
  ip address 3.3.3.3 255.255.255.224
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  boot system disk0:/asa844-k8.bin
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server xx.xx.xx.xx
  name-server xx.xx.xx.xx
  name-server xx.xx.xx.xx
  name-server xx.xx.xx.xx
  domain-name XYZ
  object network obj-172.17.10.3
  host 172.17.10.3
  object network obj-10.1.134.0
  subnet 10.1.134.0 255.255.255.0
  object network obj-208.75.237.0
  subnet 208.75.237.0 255.255.255.0
  object network obj-10.7.0.0
  subnet 10.7.0.0 255.255.0.0
  object network obj-172.17.2.0
  subnet 172.17.2.0 255.255.255.0
  object network obj-172.17.3.0
  subnet 172.17.3.0 255.255.255.0
  object network obj-172.19.2.0
  subnet 172.19.2.0 255.255.255.0
  object network obj-172.19.3.0
  subnet 172.19.3.0 255.255.255.0
  object network obj-172.19.7.0
  subnet 172.19.7.0 255.255.255.0
  object network obj-10.1.0.0
  subnet 10.1.0.0 255.255.0.0
  object network obj-10.2.0.0
  subnet 10.2.0.0 255.255.0.0
  object network obj-10.3.0.0
  subnet 10.3.0.0 255.255.0.0
  object network obj-10.4.0.0
  subnet 10.4.0.0 255.255.0.0
  object network obj-10.6.0.0
  subnet 10.6.0.0 255.255.0.0
  object network obj-10.9.0.0
  subnet 10.9.0.0 255.255.0.0
  object network obj-10.11.0.0
  subnet 10.11.0.0 255.255.0.0
  object network obj-10.12.0.0
  subnet 10.12.0.0 255.255.0.0
  object network obj-172.19.1.0
  subnet 172.19.1.0 255.255.255.0
  object network obj-172.21.2.0
  subnet 172.21.2.0 255.255.255.0
  object network obj-172.16.2.0
  subnet 172.16.2.0 255.255.255.0
  object network obj-10.19.130.201
  host 10.19.130.201
  object network obj-172.30.2.0
  subnet 172.30.2.0 255.255.255.0
  object network obj-172.30.3.0
  subnet 172.30.3.0 255.255.255.0
  object network obj-172.30.7.0
  subnet 172.30.7.0 255.255.255.0
  object network obj-10.10.1.0
  subnet 10.10.1.0 255.255.255.0
  object network obj-10.19.130.0
  subnet 10.19.130.0 255.255.255.0
  object network obj-XXXXXXXX
  host XXXXXXXX
  object network obj-145.248.194.0
  subnet 145.248.194.0 255.255.255.0
  object network obj-10.1.134.100
  host 10.1.134.100
  object network obj-10.9.124.100
  host 10.9.124.100
  object network obj-10.1.134.101
  host 10.1.134.101
  object network obj-10.9.124.101
  host 10.9.124.101
  object network obj-10.1.134.102
  host 10.1.134.102
  object network obj-10.9.124.102
  host 10.9.124.102
  object network obj-115.111.99.133
  host 115.111.99.133
  object network obj-10.8.108.0
  subnet 10.8.108.0 255.255.255.0
  object network obj-115.111.99.129
  host 115.111.99.129
  object network obj-195.254.159.133
  host 195.254.159.133
  object network obj-195.254.158.136
  host 195.254.158.136
  object network obj-209.164.192.0
  subnet 209.164.192.0 255.255.224.0
  object network obj-209.164.208.19
  host 209.164.208.19
  object network obj-209.164.192.126
  host 209.164.192.126
  object network obj-10.8.100.128
  subnet 10.8.100.128 255.255.255.128
  object network obj-115.111.99.130
  host 115.111.99.130
  object network obj-10.10.0.0
  subnet 10.10.0.0 255.255.0.0
  object network obj-115.111.99.132
  host 115.111.99.132
  object network obj-10.10.1.45
  host 10.10.1.45
  object network obj-10.99.132.0
  subnet 10.99.132.0 255.255.255.0
  object-group network Serversubnet
  network-object 10.10.1.0 255.255.255.0
  network-object 10.10.5.0 255.255.255.192
  object-group network XYZ_destinations
  network-object 10.1.0.0 255.255.0.0
  network-object 10.2.0.0 255.255.0.0
  network-object 10.3.0.0 255.255.0.0
  network-object 10.4.0.0 255.255.0.0
  network-object 10.6.0.0 255.255.0.0
  network-object 10.7.0.0 255.255.0.0
  network-object 10.11.0.0 255.255.0.0
  network-object 10.12.0.0 255.255.0.0
  network-object 172.19.1.0 255.255.255.0
  network-object 172.19.2.0 255.255.255.0
  network-object 172.19.3.0 255.255.255.0
  network-object 172.19.7.0 255.255.255.0
  network-object 172.17.2.0 255.255.255.0
  network-object 172.17.3.0 255.255.255.0
  network-object 172.16.2.0 255.255.255.0
  network-object 172.16.3.0 255.255.255.0
  network-object host 10.50.2.206
  object-group network XYZ_us_admin
  network-object 10.3.1.245 255.255.255.255
  network-object 10.5.33.7 255.255.255.255
  network-object 10.211.5.7 255.255.255.255
  network-object 10.3.33.7 255.255.255.255
  network-object 10.211.3.7 255.255.255.255
  object-group network XYZ_blr_networkdevices
  network-object 10.200.10.0 255.255.255.0
  access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
  access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
  access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
  access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
  access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
  access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
  access-list nonat extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
  access-list nonat extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
  access-list nonat extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
  access-list nonat extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
  access-list nonat extended permit ip object-group Serversubnet object-group XYZ_destinations
  access-list nonat extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
  access-list nonat extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
  access-list nonat extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
  access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
  access-list Cacib extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
  access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
  access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
  access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
  access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
  access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
  access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
  access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
  access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
  access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
  access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
  access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
  access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
  access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
  access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
  access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
  access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
  access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
  access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
  access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
  access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
  access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
  access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
  access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
  access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
  access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
  access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
  access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
  access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
  access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
  access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
  access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
  access-list coextended permit ip host 2.2.2.2 host XXXXXXXX
  access-list coextended permit ip host XXXXXXXXhost 2.2.2.2
  access-list ci extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
  access-list ci extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
  access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
  access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
  access-list acl-outside extended permit ip any host 172.17.10.3
  access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
  access-list acl-outside extended permit tcp any any eq 10000
  access-list acl-outside extended deny ip any any log
  pager lines 10
  logging enable
  logging buffered debugging
  mtu outside_rim 1500
  mtu XYZ_DMZ 1500
  mtu outside 1500
  mtu inside 1500
  ip local pool XYZ_c2s_vpn_pool 172.30.10.51-172.30.10.254
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
  nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
  nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
  nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
  nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
  nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
  nat (inside,outside) source dynamic obj-10.8.108.0 interface
  nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
  nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
  nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
  nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
  nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
  nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
  object network obj-172.17.10.3
  nat (XYZ_DMZ,outside) static 115.111.99.134
  access-group acl-outside in interface outside
  route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
  route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
  route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
  route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
  route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
  route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
  route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
  route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
  route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
  route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
  route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
  route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map vpn 1 match address XYZ
  crypto map vpn 1 set peer XYZ Peer IP
  crypto map vpn 1 set ikev1 transform-set vpn1
  crypto map vpn 1 set security-association lifetime seconds 3600
  crypto map vpn 1 set security-association lifetime kilobytes 4608000
  crypto map vpn 2 match address NE
  crypto map vpn 2 set peer NE_Peer IP
  crypto map vpn 2 set ikev1 transform-set vpn2
  crypto map vpn 2 set security-association lifetime seconds 3600
  crypto map vpn 2 set security-association lifetime kilobytes 4608000
  crypto map vpn 4 match address ML_VPN
  crypto map vpn 4 set pfs
  crypto map vpn 4 set peer ML_Peer IP
  crypto map vpn 4 set ikev1 transform-set vpn4
  crypto map vpn 4 set security-association lifetime seconds 3600
  crypto map vpn 4 set security-association lifetime kilobytes 4608000
  crypto map vpn 5 match address XYZ_global
  crypto map vpn 5 set peer XYZ_globa_Peer IP
  crypto map vpn 5 set ikev1 transform-set vpn5
  crypto map vpn 5 set security-association lifetime seconds 3600
  crypto map vpn 5 set security-association lifetime kilobytes 4608000
  crypto map vpn 6 match address Da_VPN
  crypto map vpn 6 set peer Da_VPN_Peer IP
  crypto map vpn 6 set ikev1 transform-set vpn6
  crypto map vpn 6 set security-association lifetime seconds 3600
  crypto map vpn 6 set security-association lifetime kilobytes 4608000
  crypto map vpn 7 match address Da_Pd_VPN
  crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
  crypto map vpn 7 set ikev1 transform-set vpn6
  crypto map vpn 7 set security-association lifetime seconds 3600
  crypto map vpn 7 set security-association lifetime kilobytes 4608000
  crypto map vpn interface outside
  crypto map vpn_reliance 1 match address XYZ_rim
  crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
  crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
  crypto map vpn_reliance 1 set security-association lifetime seconds 3600
  crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
  crypto map vpn_reliance interface outside_rim
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto isakmp identity address
  no crypto isakmp nat-traversal
  crypto ikev1 enable outside_rim
  crypto ikev1 enable outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800
  crypto ikev1 policy 2
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  crypto ikev1 policy 4
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28000
  crypto ikev1 policy 5
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  crypto ikev1 policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 10.8.100.0 255.255.255.224 inside
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  no threat-detection basic-threat
  no threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy XYZ_c2s_vpn internal
  username testadmin password oFJjANE3QKoA206w encrypted
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXXtype ipsec-l2l
  tunnel-group XXXXXXXXipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXX ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group XYZ_c2s_vpn type remote-access
  tunnel-group XYZ_c2s_vpn general-attributes
  address-pool XYZ_c2s_vpn_pool
  tunnel-group XYZ_c2s_vpn ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp
    inspect ip-options
  service-policy global_policy global
  privilege show level 3 mode exec command running-config
  privilege show level 3 mode exec command logging
  privilege show level 3 mode exec command crypto
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
  : end
  XYZ#

  Thanks Javier.
  But i have revised the VPN confuration. Below are the latest configs. with this latest configs. I'm getting username & password screen while connecting cisco vpn client software. once we entered the login credential. it shows "security communication channel" then it goes to "not connected" state. Can you help me to fix this.
  access-list ACL-RA-SPLIT standard permit host 10.10.1.3
  access-list ACL-RA-SPLIT standard permit host 10.10.1.13
  access-list ACL-RA-SPLIT standard permit host 10.91.130.201
  access-list nonat line 1 extended permit ip host 10.10.1.3 172.30.10.0 255.255.255.0
  access-list nonat line 2 extended permit ip host 10.10.1.13 172.30.10.0 255.255.255.0
  access-list nonat line 3 extended permit ip host 10.91.130.201 172.30.10.0 255.255.255.0
  ip local pool CO-C2S-VPOOL 172.30.10.51-172.30.10.254 mask 255.255.255.0
  group-policy CO-C2S internal
  group-policy CO-C2S attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list vlauel ACL-RA-SPLIT
  dns-server value 10.10.1.3
  tunnel-group TUN-RA-SPLIT type remote-access
  tunnel-group TUN-RA-SPLIT general-attributes
  default-group-policy CO-C2S
  address-pool CO-C2S-VPOOL
  tunnel-group TUN-RA-SPLIT ipsec-attributes
  pre-shared-key sekretk3y
  username ra-user1 password passw0rd1 priv 1
  group-policy CO-C2S internal
  group-policy CO-C2S attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list vlauel ACL-RA-SPLIT
  dns-server value 10.10.1.3
  tunnel-group TUN-RA-SPLIT type remote-access
  tunnel-group TUN-RA-SPLIT general-attributes
  default-group-policy CO-C2S
  address-pool CO-C2S-VPOOL
  tunnel-group TUN-RA-SPLIT ipsec-attributes
  pre-shared-key *********
  username ******* password ******** priv 1
  crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set transform-set 3DES
  crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
  crypto isakmp identify address
  crypto isakmp enable outside
  crypto isakmp policy 100
  authentication pre-share
  encr 3des
  hash sha
  crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set transform-set 3DES
  crypto map Outside_Map 500 ipsec-isakmp dynamic dynmap
  crypto map vpn interface outside
  crypto isakmp identify address
  crypto isakmp enable outside
  crypto isakmp policy 100
  authentication pre-share
  encr 3des
  hash sha
  group 1
  lifetime 3600

• Urgent - Site to Site VPN - sequence of reply and timed out

  We have a Site to Site VPN with another company that hosts an application server. If I setup a ping -r from my windows computer to their server i will received about 150 successful ping replies then 13 request timed out and this repeats endlessly. We have both triple checked our settings and are not aware of any changes at either end that was made.
  Any help in troubleshooting would be greatly appreciated.
  Thanks
  We have an ASA5505 and they have a Palo Alto product.

  thanks for the two replies. Our ASA5505 does have a IPS module -
  ASA 5500 Series AIP Security Services Card-5 ASA-SSC-AIP-5 but I have turned it off . This peer has two subnets and we have the issue pinging to hosts in both the subnets. The main issue is when we are connected to the application on their end we get disconnected after two minutes, the ping i am using as a test which validates we are having packet loss.
  debug crypto isakmp 255 & debug crypto ipsec 255 show no issues and in adsm i select monitoring , logging debug and view i don't see anything specific blocking traffic when the pings time out.
  any other ideas/suggestions appreciated!
  thanks

• Site to Site VPN issues between PIX506 and ASA5505

  Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
  Corporate
  PIX Version 6.3(5)
  access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
  access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
  ip address outside xxx.yyy.170.160 255.255.255.0
  ip address inside 192.168.119.1 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
  crypto map mymap 20 ipsec-isakmp
  crypto map mymap 20 match address outside_cryptomap_20
  crypto map mymap 20 set pfs group2
  crypto map mymap 20 set peer aaa.bbb.175.218
  crypto map mymap 20 set transform-set ESP-3DES-SHA
  crypto map mymap 65535 ipsec-isakmp dynamic dynmap
  crypto map mymap client authentication w2k3
  crypto map mymap interface outside
  isakmp enable outside
  isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
  isakmp identity address
  isakmp keepalive 10
  isakmp nat-traversal 10
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption aes-256
  isakmp policy 30 hash sha
  isakmp policy 30 group 5
  isakmp policy 30 lifetime 86400
  vpngroup vpners address-pool ippool
  vpngroup vpners dns-server 192.168.119.11
  vpngroup vpners default-domain mydomain.local
  vpngroup vpners split-tunnel split_tunnel
  vpngroup vpners idle-time 1800
  vpngroup vpners password ********
  Remote Site
  ASA Version 7.2(2)
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.2.1 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address aaa.bbb.175.218 255.255.128.0
  access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_20_cryptomap
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer xxx.yyy.170.160
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  tunnel-group xxx.yyy.170.160 type ipsec-l2l
  tunnel-group xxx.yyy.170.160 ipsec-attributes
  pre-shared-key *

  I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

• HT1711 I puchased 3 songs and was charged and never downloading their currently sitting there with download error and when i tap to retry it still wont download waht can i do as i have been charged?

  I puchased 3 songs and was charged and never downloading their currently sitting there with download error and when i tap to retry it still wont download waht can i do as i have been charged?

  Have you tried signing out of itunes and then signing back in