Site to Site VPN with Natting Internal IP address range?

This is our actual Internal LAN address: 10.40.120.0/26 (Internal Range) and I want to translate to
Translated address: 10.254.9.64.255.255.255.192(Internal)
Our remote local address is: 10.254.5.64 255.255.255.192(Remote site Internal Ip add range)
Based on above parameters I done this configuration
access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
static (inside,outside) 10.254.9.64 access-list policy-nat
I got all the Phase1 and Phase 2 parameters required and peer public ip add,
I had set up vpn using ASDM before but this scenario is new for me, all I am wondering is there anything I need to configure to succesfully setup VPN

Hi mate,
yeah issue on far site they arent allowing access to the port we are trying to access, and they made it up and we are good to g now,
One thing I am worried is only one IP add is able to access the resources, I mean i created an add range of 192.168.x.0/26, however only 192.168.x.3 one of our server is able to access the far site, havent got a clue
config is as folllows:
access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192
access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192
static (inside,outside) 10.254.7.64 access-list policy-nat
crypto ipsec transform-set esp-aes256-sha esp-md5-hmac
crypto map outside_map 20 match address pp-vpn
crypto map outside_map 20 set peer 172.162.1.2
crypto map outside_map 20 set transform-set vpn1
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp policy 65 encyptio
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel type ipsec-l2l
tunnel-group 172.162.1.2 ipsec-attributes
pre-shared-key *
Thank you immensly for all your assitance
ven

Similar Messages

RV042 Site-to-Stie VPN with NAT on one side

I set up a site-to-site VPN using two RV042s some time ago. One was behind a NATting router. The other was the internet interface itself.
Somewhere I had found a paper describing how to do this. It said that only ONE of them could be behind another NATting router. So, that's how this was set up. I sure wish I could find that paper again!!! Any suggestions?
Now I have to do the same thing again but can't get it working. It looks like this:
RV042 VPN public address <> cable modem <> internet <> RV042 "firewall" with IPSEC passthrough enabled <> interim subnet LAN <> RV042 VPN <> LAN
I'm getting log messages and on the remote site log (the left side of the above) like:
initial Aggressive Mode packet claiming to be from [xxx.xxx.xxx.xxx] on [same] but no connection has been authorized
and
No suitable connection for peer '10.98.76.2', Please check Phase 1 ID value
(where 10.98.76.2 is the IP address of the RV042 WAN port on the interim subnet)
I have them both in Aggressive mode as eventually I'll be using a dyndns url. But, for now, I'm using the actual IP addresses so that should not be an issue one way or the other..

make sure the configuration u do on both the side should be same....and secondly exempt the NAT rules then only it will work.

Router to Router VPN with Overlapping internal networks

Hello Experts,
One quick question. How do I configure a Router to Router VPN with overlapping internal networks???
Both of my internal networks have ip address of 192.168.10.0 and 192.168.10.0
Any link or config will be appreciated. I've been looking but no luck.
Thanks,
Randall

Randall,
Please refer the below URL for configuration details:
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
Let me know if it helps.
Regards,
Arul
** Please rate all helpful posts **

Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range).

Hello Everyone,
Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
Thanks,
Rishi

Rishi,
Are you looking to leverage certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic vlan assignment.
Thanks,
Tarik Admani

Site-to-ste VPN with overlapped subnet.

Hi Friends
I have to set up site to site VPN with overlapped network ASA 5540 and checkpoint what is the best parctice to achive tis goal
Thanks in advance

It has to be configured on both sides.
X and Y are unused networks in this example: Site A has to hide 172.16.1.0/24 behind X when communicating to Y, site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, users in site B have to use X as destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination-IP.
On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static-command. You find an example here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Limitation on source group with services using ip address range

Hello,
I have an interface on CSS which I regard as public and another interface I regard as private. On the private interface is a server farm with private ip addresses. Since the server admin guys insisted the servers need to access internet just for Windows Update, I made a source group to NAT the private addresses to public addresses to allow the servers to access internet.
I defined services for use by the source group. Since keepalive is not important in this case, I set keepalive none to ,I hope so, save system resources.
I have server 192.168.1.1-5 (5 servers) and 192.168.1.11-14 (4 servers), so I made a service with ip address 192.168.1.1 range 5 and another service 192.168.1.11 range 4.
But then I found that the two services cannot be put in the same source group. It is because of the different range in the service definition.
I can get it work if I define services with single ip address, but then I will have a long configuration with repetative information. And I think this may be using more system resources.
I can also get it work if I include 192.168.11.15 and define two services both with a range of 5 ip addresses. But 192.168.11.15 is not actually there.
Why is there such a limitation on source group, or services with ip address range? Is there the same limitation for content rules? Or am I getting it all wrong and should do the configuration in other ways?
Advices will be welcomed.
CT Yau
Hong Kong

Yes you are correct. There is a limitation while adding services into source groups.
You can create as many services that share an ip range (eg. a /24 subnet range). But the trouble starts when you add them into source groups. You can not add them into a source group NOR you can add them under different source groups as well.
You mentioned that you can use single ip adress instead of range for the services...but it is not true as you will be stuck when you add them into source groups.
I can think of these following options in your case.
Option 1
Change the ip range on the servers. Use 2 different IP ranges one for those 5 servers and another for those 4 servers.
Create 2 services for each range.
Create 2 groups and add the services.
service server-out-192.168.1.1-5
ip address 192.168.1.1 range 5
active
service server-out-172.168.1.11-14
ip address 192.168.1.11 range 4
active
group server-out-192.168.1.11-14
vip address x.x.x.1
add server-out-192.168.1.1-5
active
group server-out-172.168.1.11-14
vip address x.x.x.2
add server-out-172.168.1.11-14
active
Option 2
Create a service that includes all the ip addresses starting from 192.168.1.1 through .14 using the range keyword.
Now you need to create one source group with a VIP. Add the service to the source group.
If you do not want to cover the unassigned ip addresses just move them up and use consecutive ones.
service server-out-192.168.1.1-14
ip address 192.168.1.1 range 14
active
group server-out-192.168.1.11-14
vip address x.x.x.x
add service server-out-192.168.1.1-14
active
thanks

Cisco ASA Site to Site IPSEC VPN and NAT question

Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.

Hi,
Ok so were going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni

ASA 5505 Site to Site VPN issue

I have been trying to configure a siste to site vpn for a few days now, but not able to get it to connect. The only difference between the two, is one has a dynamic ip. this vpn isn't a priority, so there isn't a need to have the dynamic moved to a static at this time. Here is my configs on both ASA's. any help would be greatly appreciated. I replaced the IP's with x.x.x.x
ASA 1:
Result of the command: "SHOW RUN"
: Saved
ASA Version 9.0(1)
hostname ciscoasa
enable password Yn8Esq3NcXIHL35v encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPNDHCP 10.50.50.1-10.50.50.100 mask 255.0.0.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
switchport trunk allowed vlan 1,3,13
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
switchport trunk allowed vlan 1,3
switchport mode trunk
interface Vlan1
nameif Internal
security-level 100
ip address 10.0.0.1 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
no forward interface Vlan1
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.255.0
interface Vlan23
nameif EP
security-level 100
ip address 192.168.20.254 255.255.255.0
boot system disk0:/asa901-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network GLE-A-Network
subnet 10.0.0.0 255.0.0.0
object network GLE-B-Network
subnet 192.168.2.0 255.255.255.0
object network Web-Server
host 10.0.61.230
object network obj-Guest
subnet 192.168.1.0 255.255.255.0
description Guest Wireless
object network Spiceworks
host 10.0.1.2
object network NETWORK_OBJ_10.50.50.0_25
subnet 10.50.50.0 255.255.255.128
object network Remote-Desktop-Services
host 10.0.1.2
object network Web-Server-SSL
host 10.0.23.1
object service RDP
service tcp source eq 3389 destination eq 3389
object network RemoteDesktop
host 10.0.61.240
object network obj-PerryCameras-1
host 10.0.36.1
object network obj-PerryCameras-2
host 10.0.36.1
object network obj-PerryCameras-3
host 10.0.36.1
object network DHCP-Server
host 10.0.1.1
object network GLE-B-Firewall
host X.X.X.X
object network EP-Network
subnet 192.168.26.0 255.255.255.0
object network EP-Firewall
host X.X.X.X
object network obj-BLDGa
subnet 192.168.33.0 255.255.255.0
object network FTP
host 10.0.61.230
object-group service SpiceworksPorts tcp
description https
port-object eq https
object-group service RemoteDesktopServices
service-object tcp-udp destination eq 3389
object-group service RDS tcp
description Remote Desktop Services
port-object eq 3389
port-object eq https
object-group service Phone1 tcp
port-object eq 5522
object-group service Phone udp
port-object range 10001 20000
port-object eq 5522
object-group service Phones tcp-udp
port-object range 10001 20000
port-object eq 5222
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PerryCameras tcp-udp
port-object eq 180
port-object eq 181
port-object eq 9000
object-group service Camera1 tcp-udp
port-object eq 9000
object-group service Camera2 tcp-udp
port-object eq 881
object-group service Camera3 tcp-udp
port-object eq 1801
access-list outside_cryptomap extended permit ip object GLE-A-Network object GLE-B-Network
access-list outside_access_in extended permit tcp any4 object Web-Server eq www
access-list outside_access_in extended permit tcp any object Web-Server-SSL eq https
access-list outside_access_in extended permit tcp any object RemoteDesktop eq 3389
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-1 object-group Camera1
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-2 object-group Camera2
access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-3 object-group Camera3
access-list outside_access_in extended permit tcp any4 object FTP eq ftp
access-list guest_in extended permit udp any4 host 208.67.222.222 eq domain
access-list guest_in extended permit udp any4 host 208.67.220.220 eq domain
access-list guest_in extended deny udp any4 any4 eq domain
access-list guest_in extended permit ip any4 any4
access-list EP_access_in extended permit object-group TCPUDP any4 any4 eq domain
access-list EP_access_in extended permit ip any4 any4
access-list outside_cryptomap_1 extended permit ip object GLE-A-Network object EP-Network
pager lines 24
logging enable
logging asdm informational
mtu Internal 1500
mtu outside 1500
mtu Guest 1500
mtu EP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Internal,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup
nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static GLE-B-Network GLE-B-Network no-proxy-arp route-lookup
nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
nat (EP,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup
object network obj_any
nat (Internal,outside) dynamic interface
object network Web-Server
nat (Internal,outside) static interface service tcp www www
object network obj-Guest
nat (Guest,outside) dynamic interface
object network Spiceworks
nat (Internal,outside) static interface service tcp 8080 8080
object network Web-Server-SSL
nat (Internal,outside) static interface service tcp https https
object network RemoteDesktop
nat (Internal,outside) static interface service tcp 3389 3389
object network obj-PerryCameras-1
nat (Internal,outside) static interface service tcp 9000 9000
object network obj-PerryCameras-2
nat (any,outside) static interface service tcp 881 881
object network obj-PerryCameras-3
nat (Internal,outside) static interface service tcp 1801 1801
object network FTP
nat (Internal,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
access-group guest_in in interface Guest
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 1:00:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server PolicyServer protocol radius
aaa-server PolicyServer (Internal) host 10.0.1.1
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Internal
http authentication-certificate Internal
snmp-server host Internal 10.200.200.11 community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Internal
crypto ikev2 enable outside
crypto ikev1 enable Internal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.229 Guest
dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
dhcprelay server 10.0.1.1 Internal
dhcprelay enable Guest
dhcprelay setroute Guest
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
dynamic-filter enable interface Internal
dynamic-filter enable interface outside
dynamic-filter enable interface Guest
dynamic-filter drop blacklist
ntp server 10.0.1.1 source Internal prefer
webvpn
anyconnect-essentials
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy VPNUSER internal
group-policy VPNUSER attributes
dns-server value 10.0.1.1 192.168.2.230
vpn-tunnel-protocol ikev1
username admin password kSXIy6qd1ZTBFL9/ encrypted
username danpoynter password XEQ0M75K1B1E6VtM encrypted privilege 0
username danpoynter attributes
vpn-group-policy VPNUSER
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:b29f5ff3b9db58467b0eb509bc068c2f
: end
ASA 2:
Result of the command: "SHOW RUN"
: Saved
ASA Version 9.0(1)
hostname ciscoasa
enable password TYEBBb7SkpIC3BiW encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool remotevpnusers 192.168.12.25-192.168.12.55 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 4
interface Ethernet0/2
switchport access vlan 3
switchport trunk allowed vlan 3-4
interface Ethernet0/3
switchport access vlan 20
interface Ethernet0/4
switchport access vlan 21
interface Ethernet0/5
switchport access vlan 22
interface Ethernet0/6
switchport access vlan 4
switchport trunk allowed vlan 3-4,20-22
switchport mode trunk
interface Ethernet0/7
interface Vlan1
nameif Management
security-level 100
ip address 192.168.31.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
interface Vlan3
description EP Guest Network
no forward interface Vlan4
nameif Guest
security-level 50
ip address 192.168.27.1 255.255.255.0
interface Vlan4
nameif Internal
security-level 100
ip address 192.168.26.254 255.255.255.0
interface Vlan20
description BLDG-A Subnet
nameif BLDG-A
security-level 100
ip address 192.168.20.254 255.255.255.0
interface Vlan21
nameif BLDG-B
security-level 100
ip address 192.168.21.254 255.255.255.0
interface Vlan22
nameif BLDG-C
security-level 100
ip address 192.168.22.254 255.255.255.0
boot system disk0:/asa901-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.12.0_26
subnet 192.168.12.0 255.255.255.192
object network NETWORK_OBJ_192.168.26.0_24
subnet 192.168.26.0 255.255.255.0
object network obj-KeoweeCameras
host 192.168.26.10
description Keowee Street Cameras
object network Inside
subnet 192.168.26.0 255.255.255.0
description Inside Network Route
object network Guest
subnet 192.168.27.0 255.255.255.0
description Guest Network Route
object network Internal
subnet 192.168.26.0 255.255.255.0
object network obj-HunterCameras
host 192.168.21.20
description Hunter Cameras
object network obj-Spiceworks
host 192.168.26.8
object network Electro-Polish-Network
subnet 192.168.26.0 255.255.255.0
object network GLE-Firewall
host x.x.x.x
object network GLE-Network
subnet 10.0.0.0 255.0.0.0
object network BLDG-A
subnet 192.168.20.0 255.255.255.0
object network BLDG-B
subnet 192.168.21.0 255.255.255.0
object network BLDG-C
subnet 192.168.22.0 255.255.255.0
object network DCG-Server01
host 192.168.26.9
object network NETWORK_OBJ_192.168.21.0_24
subnet 192.168.21.0 255.255.255.0
object network VPN-POOL
subnet 192.168.12.0 255.255.255.0
object network EP-VPN-Network
subnet 192.168.26.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service CameraSystem tcp-udp
port-object eq 18004
port-object eq 26635
port-object eq 76
access-list electroremote_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
access-list electroremote_splitTunnelAcl standard permit 192.168.22.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-KeoweeCameras object-group CameraSystem
access-list outside_access_in extended permit object-group TCPUDP any4 object obj-HunterCameras object-group CameraSystem
access-list outside_access_in extended permit tcp any4 object obj-Spiceworks eq https
access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq https
access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq www
access-list Guest_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list Guest_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list Guest_access_in extended deny udp any4 any4 eq domain
access-list Guest_access_in extended permit ip any4 any4
access-list inside_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list inside_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list inside_access_in extended deny udp any4 any4 eq domain
access-list inside_access_in extended permit ip any4 any4
access-list Internal_access_in extended permit udp any4 host 208.67.222.222 eq domain
access-list Internal_access_in extended permit udp any4 host 208.67.220.220 eq domain
access-list Internal_access_in extended deny udp any4 any4 eq domain
access-list Internal_access_in extended permit ip any any4
access-list ip-qos extended permit ip 192.168.27.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.27.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.20.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.21.0 255.255.255.0
access-list electroremote_splittunnelacl standard permit 192.168.22.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
pager lines 24
logging enable
logging asdm informational
mtu Management 1500
mtu outside 1500
mtu Guest 1500
mtu Internal 1500
mtu BLDG-A 1500
mtu BLDG-B 1500
mtu BLDG-C 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL
nat (BLDG-B,outside) source static BLDG-B BLDG-B destination static VPN-POOL VPN-POOL
nat (BLDG-C,outside) source static BLDG-C BLDG-C destination static VPN-POOL VPN-POOL
nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
nat (Internal,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup
nat (Internal,outside) source static EP-VPN-Network EP-VPN-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup
nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static GLE-Network GLE-Network no-proxy-arp route-lookup
object network obj_any
nat (Internal,outside) dynamic interface
object network obj-KeoweeCameras
nat (Internal,outside) static x.x.x.x
object network Inside
nat (Internal,outside) dynamic interface
object network Guest
nat (Guest,outside) dynamic x.x.x.x
object network Internal
nat (Internal,outside) dynamic interface
object network obj-HunterCameras
nat (BLDG-B,outside) static x.x.x.x
object network obj-Spiceworks
nat (Internal,outside) static x.x.x.x service tcp https https
object network BLDG-A
nat (BLDG-A,outside) dynamic interface
object network BLDG-B
nat (BLDG-B,outside) dynamic interface
object network BLDG-C
nat (BLDG-C,outside) dynamic interface
object network DCG-Server01
nat (any,any) static x.x.x.x
access-group inside_access_in in interface Management
access-group outside_access_in in interface outside
access-group Guest_access_in in interface Guest
access-group Internal_access_in in interface Internal
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server IAS (Internal) host 192.168.26.1
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.31.0 255.255.255.0 Management
http 192.168.26.0 255.255.255.0 Internal
http x.x.x.x 255.255.255.255 outside
http authentication-certificate Management
snmp-server host Internal 192.168.26.8 community ***** version 2c
snmp-server location Building A
snmp-server contact Dan Poynter
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map BLDG-B_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map BLDG-B_map interface BLDG-B
crypto map BLDG-A_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map BLDG-A_map interface BLDG-A
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable Internal
crypto ikev1 enable outside
crypto ikev1 enable Internal
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.26.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Internal
dhcpd auto_config outside
dhcpd address 192.168.27.50-192.168.27.100 Guest
dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
dhcprelay server 192.168.26.1 Internal
dhcprelay server 192.168.26.2 Internal
dhcprelay enable Guest
dhcprelay enable BLDG-A
dhcprelay enable BLDG-B
dhcprelay enable BLDG-C
dhcprelay setroute Guest
dhcprelay setroute BLDG-A
dhcprelay setroute BLDG-B
dhcprelay setroute BLDG-C
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy electroremote internal
group-policy electroremote attributes
dns-server value 192.168.26.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value electroremote_splitTunnelAcl
default-domain value electropolish.local
username epadmin password Iu2OqCfOGoYIZ5iC encrypted privilege 15
username epadmin attributes
service-type nas-prompt
tunnel-group electroremote type remote-access
tunnel-group electroremote general-attributes
address-pool remotevpnusers
authentication-server-group IAS
default-group-policy electroremote
tunnel-group electroremote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map qos
description qos policy
match access-list ip-qos
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map qos
class qos
police output 1048500 1048576
police input 256000 256000
service-policy global_policy global
service-policy icmp_policy interface outside
service-policy qos interface Guest
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f2034bf1ad61529c601c097d6f60bad
: end

Hi,
Are you saying that all traffic is working from central site to remote site when remote sites devices are in the "inside" Vlan? All but the phones even if they are in the "inside" Vlan?
Are you sure you have the NAT configurations correctly on the remote site for the other LAN interface?
Are you seing any connections from the phones when they are in the original "inside" interface of the remote ASA? Dont they usually get the Call Manager IPs from the DHCP server and then connect with TFTP to the Call Manager after which they form a TCP/2000 port connection to the Call Manager? I'm not really familiar with Cisco Phones other than what I see on the firewalls from time to time.
Are you sure you remote ASA and Switch are configure correctly when you add the second Vlan to the switch? Can you see the phones on the remote ASA with "show arp" command when they are powered on?
There should not be identical security-levels on the interfaces of the remote ASA unless the phones need to connect to the other local "inside" network. Then it would be logical for the interfaces both to be security-level 100. Interface "outside" is usually set to 0.
Guess we would need to see the configurations for the ASAs to confirm that everything is in order.
- Jouni

Site to Site and Remote Access VPN

Hi All,
Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
Regards
Abhishek
This topic first appeared in the Spiceworks Community

A document exists where PIX/ASA maintains LAN-ti-LAN IPsec tunnel at two end points and there is overlapping networks at ther inside interface of both the asa. Probably, the basic configuration for both asa and IOS routers are nat config. So, this particular document might be useful for your requirement
PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Lync Implementation with different internal and external domain sync

Hello Experts,
Having Windows 2012r2 with Lync 2013 frontend and Edge 2012 server on Win2012. Internal domain name is test.local and Internet domain name is : tgroup.com. Internally all the clients are able to sync with frontend
server using [email protected] or [email protected] Internal CA and External Digicert works fine. But only problem is with external clients who want to communicate through edge server.
Edge server has 3 LAN ip address (nat with public IP), 10.10.10.2, 10.10.10.3, 10.10.10.4 and another Internal network interface which has ip 10.10.20.3
which uses that to communicate with front-end.
How to achieve this ? We dont have reverse proxy configured and we have only two servers.
Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

The reverse proxy is used to publish URL's like the meet and dialin url, the address book url and the lync mobile client (smart phones and tablets) urls. This doesn't impact the external desktop user access as thats via the edge server. There is more to
it than that but for the sake of keeping this simple lets stick to that for now.
As far as SIP domains go. Think of your Lync users as having a SIP address similar to email addresses. You wouldn't have a user with an internal email address but with a different external email address. In fact best practice is to have the Lync SIP address
match the email address.
My reccomendation is to use the ttgoup.com as a sip domain and not the test.local
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
Lync Sorted blog

From Azure unable to connect internal LAN network with windows RRAS site to site VPN

Hi All,
Below is my scenario.
Our side.
We have installed RRAS on Windows 2012 R2 on VMware and created a site to site VPN with azure.
on RRAS server we have two interfaces
eth0- 10.1.1.1
eth1- 10.1.1.2
We have natted(static nat) internal ip (eth0) 10.1.1.1 with public ip 1.1.1.1 (eg.).
On Azure,
We created a gateway, and two VMs.
VM1 = 11.11.11.1
VM2 = 11.11.11.2
Both VMs can ping each other.
VPN gateway on Azure and demand dial on RRAS server shows connected and, in and out data shows as well.
We can ping, tracert and rdp the RRAS server using both the interfaces IP [eth0- 10.1.1.1 , eth1- 10.1.1.2]
But we are unable to ping, tracert or rdp our other internal Lan machines on 10.1.x.x
So we can reach Azure VM from our RRAS and
we can reach RRAS server from Azure VM.
But we cannot reach our other internal Lan machines from Azure VM and from other internal Lan machine to Azure VM.
Please help?

I will give you some pointers to check.
The reason for this could be one of the two
- local site in azure virtual network is not configured correctly
- route for the azure subnet is not setup correctly on rras server
Can you please validate the above?
Open the Routing and Remote access UI and verify that there is a static route for azure subnet and the interface is the public ip of the azure gateway.
Also verify that you have a local site created with the on-premises subnet and added in the azure virtual network.
What is the gateway specified in the on-premises VM. Provide it as the IP of eth1, the IP that is not natted
Is NAT allowing all traffic in or is it restricted to certain points.
This posting is provided "AS IS" with no warranties, and confers no rights

Site to Site VPN with 2 ASA 5510's

Hello guys,
Im hoping yall can help me with the following objective. I have been tasked to make a site to site VPN between two networks. We are both using an ASA 5510.
This is the scenario:
SiteA has an wan adress of (example) 20.20.20.20 - The firewall is connected to a DMZ range : 192.168.0.0 255.255.255.0. In this range there is another firewall which grants/blocks acces to the internal range. 10.20.0.0 255.255.0.0
SiteB has an wan adress of (example) 21.21.21.21 - The internal range is 10.0.0.0 255.0.0.0 No DMZ.
How can i connect these 2 devices since there is an overlap. I am gonna need to use nat right? Can someone give me readable Access rule/Nat Rule and maybe advice / some other things i need to think of.
Hope to hear from yall. Any advice is highly appriciated.
Thanks in advance

Hi,
Well regarding the remote site I suppose if they are using hosts from ranges 10.0.1.0/24 and 10.0.2.0/24 they could simply NAT these portions of the network towards the L2L VPN connection. For example NAT them to subnets 192.168.101.0/24 and 192.168.102.0/24
But you also seem to have a large subnet on your side since its 10.20.0.0/16. Because of this I would suggest narrowing it down to the hosts or smaller subnets like above with the remote site because simply NATing the whole subnet 10.20.0.0/16 to some other private range that is NOT from the 10.0.0.0/8 range would probably cause problems in the long run.
Lets presume that on your side the network that needs to access the L2L VPN is 10.20.1.0/24 and we would NAT that to 192.168.201.0/24 then your NAT configuration could look like this
object network DMZ-INTERNAL
subnet 10.20.1.0 255.255.255.0
object network DMZ-INTERNAL-NAT
subnet 192.168.201.0 255.255.255.0
object-group network REMOTE-NETWORKS
network-object 192.168.101.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
nat (dmz,outside) 1 source static DMZ-INTERNAL DMZ-INTERNAL-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
In the above configuration we first create an "object" for both the actual internal DMZ subnet and the subnet that we will NAT it to. Then we create an "object-group" that will have inside it both of the remote NATed networks (NAT performed at the remote site).
Finally the "nat" command itself will perform NAT between "dmz" and "outside" interface and it will NAT "DMZ-INTERNAL" to "DMZ-INTERNAL-NAT" when the destination is "REMOTE-NETWORKS". The NAT configuration is bidirectional so it naturally handles which ever directin the connection is attempted. The names of the objects are up to the user.
The ACL that defines the local and remote networks for the L2L VPN should use the NAT subnets of each site.
If you want to restrict the traffic from the remote site then this can be done in a couple of ways. At its default settings the ASA will allow ALL traffic from the remote site behind the L2L VPN connection.
You can use the command "show run all sysopt" to list some configurations that will tell us how your ASA has been set to handle VPN related traffic. The command we are looking for is "sysopt connection permit-vpn". This is the default setting that allows all traffic from VPN connections. If you were to change this to "no sysopt connection permit-vpn" then you could simply use the interface ACL of the interface that terminates the L2L VPN connection on your side to select what traffic is allowed. You would allow traffic the same way as if you were allowing traffic from Internet to your servers.
The problem with this setup is if you have other existing VPN connections (VPN Client and L2L VPN) because they would also require their traffic to be allowed in your external interfaces ACL if you changed the above mentioned global setting.
The other option is to configure a VPN Filter ACL that you will then attach to a "group-policy". You will then attach that "group-policy" to the "tunnel-group" of the L2L VPN connection.
The actual ACL used for the VPN Filter purpose is a norma ACL but you will always have to configure the remote network as the source in the ACL and this usually causes some confusion.
- Jouni

Setting up Site-to-Site VPN and nat on IOS

I have a senario I am looking to setup. I have a Cisco 3825 router that handles roughly 50 site-to-site VPN's. I have a particular VPN where I would like to nat (actually overload) off an interface for a specific VPN site-to-site tunnel. I know when you are doing nat you of course have an inside and an outside interface which I do on the router but how would you overload (pat) on an interface for just a specific VPN tunnel? Say you wanted to overload your entire internal supernet to a single private (RFC 1918) interface addess? Typically the outside interface (nat outside) what you would overload off of has a public ip address, but in this case you want to use a private RFC 1918 address as the source of the overload interface?
Any help is appreciated.

hi ,
did you think of using a normal statment and use a route map with that statment that only permit the VPN traffic to be natted using that statment and deny any other translation , and for the crypto access-list you should use the source as the pattted ip address and the destination as the the remote proxies .
regards.

Remote Access VPN with existing site-to-site tunnel

Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATEmurasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?

Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
   next-payload : 13
   type         : 11
   group id     : timothy
   protocol     : 17
   port         : 500
   length       : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption AES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:      keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash SHA
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP:      encryption DES-CBC
*Oct 9 20:43:16: ISAKMP:      hash MD5
*Oct 9 20:43:16: ISAKMP:      default group 2
*Oct 9 20:43:16: ISAKMP:      auth pre-share
*Oct 9 20:43:16: ISAKMP:      life type in seconds
*Oct 9 20:43:16: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE

Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IPSec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make tradiotional Hairpinng model work in this scenario.
I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel
ASA Version 8.2(1)
hostname ciscoasa
domain-name cisco.campus.com
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
interface GigabitEthernet0/0
nameif internet1-outside
security-level 0
ip address 1.1.1.1 255.255.255.240
interface GigabitEthernet0/1
nameif internet2-outside
security-level 0
ip address 2.2.2.2 255.255.255.224
interface GigabitEthernet0/2
nameif dmz-interface
security-level 0
ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
nameif campus-lan
security-level 0
ip address 172.16.0.1 255.255.0.0
interface Management0/0
nameif CSC-MGMT
security-level 100
ip address 10.0.0.4 255.255.255.0
boot system disk0:/asa821-k8.bin
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.campus.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network cmps-lan
object-group network csc-ip
object-group network www-inside
object-group network www-outside
object-group service tcp-80
object-group service udp-53
object-group service https
object-group service pop3
object-group service smtp
object-group service tcp80
object-group service http-s
object-group service pop3-110
object-group service smtp25
object-group service udp53
object-group service ssh
object-group service tcp-port
object-group service udp-port
object-group service ftp
object-group service ftp-data
object-group network csc1-ip
object-group service all-tcp-udp
access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
access-list CSC-OUT extended permit ip host 10.0.0.5 any
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
access-list CAMPUS-LAN extended permit ip any any
access-list csc-acl remark scan web and mail traffic
access-list csc-acl extended permit tcp any any eq smtp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl remark scan web and mail traffic
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
access-list INTERNET2-IN extended permit ip any host 1.1.1.2
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DNS-inspect extended permit tcp any any eq domain
access-list DNS-inspect extended permit udp any any eq domain
access-list capin extended permit ip host 172.16.1.234 any
access-list capin extended permit ip host 172.16.1.52 any
access-list capin extended permit ip any host 172.16.1.52
access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
access-list capout extended permit ip host 2.2.2.2 any
access-list capout extended permit ip any host 2.2.2.2
access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu internet1-outside 1500
mtu internet2-outside 1500
mtu dmz-interface 1500
mtu campus-lan 1500
mtu CSC-MGMT 1500
ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
ip verify reverse-path interface internet2-outside
ip verify reverse-path interface dmz-interface
ip verify reverse-path interface campus-lan
ip verify reverse-path interface CSC-MGMT
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
access-group INTERNET2-IN in interface internet1-outside
access-group INTERNET1-IN in interface internet2-outside
access-group CAMPUS-LAN in interface campus-lan
access-group CSC-OUT in interface CSC-MGMT
route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.2 255.255.255.255 CSC-MGMT
http 10.0.0.8 255.255.255.255 CSC-MGMT
http 1.2.2.2 255.255.255.255 internet2-outside
http 1.2.2.2 255.255.255.255 internet1-outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet2-outside_map interface internet2-outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
    a67a897as a67a897as a67a897as a67a897as a67a897as
quit
crypto isakmp enable internet2-outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.0.0.2 255.255.255.255 CSC-MGMT
telnet 10.0.0.8 255.255.255.255 CSC-MGMT
telnet timeout 5
ssh 1.2.3.3 255.255.255.240 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet1-outside
ssh 1.2.2.2 255.255.255.255 internet2-outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN_TG_1 internal
group-policy VPN_TG_1 attributes
vpn-tunnel-protocol IPSec
username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
username administrator password xxxxxxxxxxxxxx encrypted privilege 15
username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy VPN_TG_1
tunnel-group VPN_TG_1 type remote-access
tunnel-group VPN_TG_1 general-attributes
address-pool vpnpool1
default-group-policy VPN_TG_1
tunnel-group VPN_TG_1 ipsec-attributes
pre-shared-key *
class-map cmap-DNS
match access-list DNS-inspect
class-map csc-class
match access-list csc-acl
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class csc-class
csc fail-open
class cmap-DNS
inspect dns preset_dns_map
service-policy global_policy global
prompt hostname context
Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
: end
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
Thanks & Regards
maxs

Hi Jouni,
Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
But my problem is not solved fully here.
Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
Here the packet tracer output for the traffic:
packet-tracer output
asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.0.0     campus-lan
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.150.1   255.255.255.255 internet2-outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group internnet1-in in interface internet2-outside
access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
input-status: up
input-line-status: up
output-interface: internet2-outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
dynamic nat
asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
Is it possible to access both
1)LAN behind ASA
2)INTERNET via HAIRPINNING
simultaneously via a single tunnel-group?
If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
Thanks & Regards
Abhijit

Site to Site VPN with Natting Internal IP address range?

Similar Messages

Maybe you are looking for