Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

Similar Messages

• Cisco VPN 3002 to Cisco ASA 5505

  I want to remove a Cisco VPN 3002 Hardware client and replace it with a Cisco ASA 5505.  Is there a way to do this? I want to have the remote user and group authentication and no split tunneling.? 
  Thanks for your help.

  Sure can.
  Here is a sample configuration for ASA5505 acting as a remote hardware easy vpn client (like the VPN3002):
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml
  If you don't want split tunneling, then I assume that it is in PAT/client mode instead of NEM mode as above sample configuration.
  You can just change the "vpnclient mode network-extension-mode" to "vpnclient mode client-mode"
  Hope this helps.

• Unable to access secondary subnet from VPN client

  Please can someone help with the following; I have an ASA 5510 running v8.4(3)9 and have setup a remote user VPN using the Cisco VPN client v5.0.07.0410 which is working appart from the fact that I cannot access resources on a secondary subnet.
  The setup is as follows:
  ASA inside interface on 192.168.10.240
  VPN clients on 192.168.254.x
  I can access reources on the 192.168.10 subnet but not any other subnets internally, I need to specifically allow access to the 192.168.20 subnet, but I cannot figure out how to do this please advise, the config is below: -
  Result of the command: "show startup-config"
  ASA Version 8.4(3)9
  hostname blank
  domain-name
  enable password encrypted
  passwd encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 255.255.255.224
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.10.240 255.255.255.0
  interface Ethernet0/2
  nameif DMZ
  security-level 50
  ip address 10.10.10.253 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  boot system disk0:/asa843-9-k8.bin
  boot system disk0:/asa823-k8.bin
  ftp mode passive
  clock timezone GMT/BST 0
  clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 194.168.4.123
  name-server 194.168.8.123
  domain-name nifcoeu.com
  object network obj-192.168.0.0
  subnet 192.168.0.0 255.255.255.0
  object network obj-192.168.5.0
  subnet 192.168.5.0 255.255.255.0
  object network obj-192.168.10.0
  subnet 192.168.10.0 255.255.255.0
  object network obj-192.168.100.0
  subnet 192.168.100.0 255.255.255.0
  object network obj-192.168.254.0
  subnet 192.168.254.0 255.255.255.0
  object network obj-192.168.20.1
  host 192.168.20.1
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-01
  subnet 0.0.0.0 0.0.0.0
  object network obj-0.0.0.0
  host 0.0.0.0
  object network obj_any-02
  subnet 0.0.0.0 0.0.0.0
  object network obj-10.10.10.1
  host 10.10.10.1
  object network obj_any-03
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-04
  subnet 0.0.0.0 0.0.0.0
  object network obj_any-05
  subnet 0.0.0.0 0.0.0.0
  object network NS1000_EXT
  host 80.4.146.133
  object network NS1000_INT
  host 192.168.20.1
  object network SIP_REGISTRAR
  host 83.245.6.81
  object service SIP_INIT_TCP
  service tcp destination eq sip
  object service SIP_INIT_UDP
  service udp destination eq sip
  object network NS1000_DSP
  host 192.168.20.2
  object network SIP_VOICE_CHANNEL
  host 83.245.6.82
  object service DSP_UDP
  service udp destination range 6000 40000
  object service DSP_TCP
  service tcp destination range 6000 40000
  object network 20_range_subnet
  subnet 192.168.20.0 255.255.255.0
  description Voice subnet
  object network 25_range_Subnet
  subnet 192.168.25.0 255.255.255.0
  description VLAN 25 client PC devices
  object-group network ISP_NAT
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service SIP_INIT tcp-udp
  port-object eq sip
  object-group service DSP_TCP_UDP tcp-udp
  port-object range 6000 40000
  access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.254.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object 20_range_subnet 192.168.254.0 255.255.255.0
  access-list Remote-VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
  access-list Remote-VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list 100 extended permit object-group TCPUDP object SIP_REGISTRAR object NS1000_INT object-group SIP_INIT
  access-list 100 extended permit object-group TCPUDP object SIP_VOICE_CHANNEL object NS1000_DSP object-group DSP_TCP_UDP
  access-list 100 extended permit ip 62.255.171.0 255.255.255.224 any
  access-list 100 extended permit icmp any any echo-reply inactive
  access-list 100 extended permit icmp any any time-exceeded inactive
  access-list 100 extended permit icmp any any unreachable inactive
  access-list 100 extended permit tcp any host 10.10.10.1 eq ftp
  access-list 100 extended permit tcp any host 10.10.10.1 eq ftp-data
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu DMZ 1500
  mtu management 1500
  ip local pool VPN-Pool 192.168.254.1-192.168.254.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  asdm history enable
  arp timeout 14400
  nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.5.0 obj-192.168.5.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp route-lookup
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
  nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_TCP SIP_INIT_TCP
  nat (outside,inside) source static SIP_REGISTRAR SIP_REGISTRAR destination static interface NS1000_INT service SIP_INIT_UDP SIP_INIT_UDP
  object network obj_any
  nat (inside,outside) dynamic interface
  object network obj_any-01
  nat (inside,outside) dynamic obj-0.0.0.0
  object network obj_any-02
  nat (inside,DMZ) dynamic obj-0.0.0.0
  object network obj-10.10.10.1
  nat (DMZ,outside) static 80.4.146.134
  object network obj_any-03
  nat (DMZ,outside) dynamic obj-0.0.0.0
  object network obj_any-04
  nat (management,outside) dynamic obj-0.0.0.0
  object network obj_any-05
  nat (management,DMZ) dynamic obj-0.0.0.0
  access-group 100 in interface outside
  route outside 0.0.0.0 0.0.0.0 80.4.146.129 1
  route inside 192.168.20.0 255.255.255.0 192.168.10.254 1
  route inside 192.168.25.0 255.255.255.0 192.168.10.254 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.25.0 255.255.255.0 inside
  http 62.255.171.0 255.255.255.224 outside
  http 192.168.254.0 255.255.255.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=
  crl configure
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 2f0e024d
    quit
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    quit
  crypto isakmp identity address
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 management
  telnet timeout 5
  ssh 62.255.171.0 255.255.255.224 outside
  ssh 192.168.254.0 255.255.255.0 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.25.0 255.255.255.0 inside
  ssh timeout 5
  ssh version 2
  console timeout 0
  vpn-sessiondb max-other-vpn-limit 250
  vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.10.6 source inside prefer
  webvpn
  group-policy Remote-VPN internal
  group-policy Remote-VPN attributes
  wins-server value 192.168.10.21 192.168.10.22
  dns-server value 192.168.10.21 192.168.10.22
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Remote-VPN_splitTunnelAcl
  default-domain value
  username blank password blank encrypted privilege 0
  username blank attributes
  vpn-group-policy Remote-VPN
  username blank password encrypted privilege 0
  username blank attributes
    vpn-group-policy Remote-VPN
  tunnel-group Remote-VPN type remote-access
  tunnel-group Remote-VPN general-attributes
  address-pool VPN-Pool
  default-group-policy Remote-VPN
  tunnel-group Remote-VPN ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect sip 
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  contact-email-addr
  profile CiscoTAC-1
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:b8263c5aa7a6a4d9cb08368c042ea236

  Your config was missing a no-nat between your "192.168.20.0" and "obj-192.168.254.0"
  So, if you look at your config there is a no-nat for inside subnet "obj-192.168.10.0" as shown below.
  nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.254.0 obj-192.168.254.0
  So all you have to do is create a no-nat for your second subnet, like I showed you before, the solution was already there on your config but I guess you over looked at it.
  I hope that helps.
  Thanks
  Rizwan Rafeek

• How do I block pings from the outside to the ASA 5505 outside interface?

  I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.
  I created an ACL to try and do the trick, also to no avail:
  access-list outside_in extended permit icmp any any echo-reply
  access-list outside_in in interface outside
  access-group outside_in in interface outside
  Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/
  Thanks in advance...
  Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
  Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
  ASA5505(config)#icmp deny any outside
  You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

  You are allowing echo-reply, thus it will reply to a ping
  try this ACL:
  icmp deny any echo-reply outside
  From: 
  https://supportforums.cisco.com/thread/223769
  Eric

• Cisco ASA 5505 Site to Site VPN Problem

  Hi All,
  We have a site to site VPN with a cisco asa 5505 on one end and a Checkpoint firewall on the other end.
  We can establish the vpn tunnel and all users in the remote office are working great. However at a random point during the day or it may even be after 2 weeks of working, the tunnel between the sites automatically fails.
  When I dial into the modem which is connected to the firewall I see the following messages in the logs:
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x42314d8, mess id 0xa18dcb12)!
  Sep 14 2011 16:40:02: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:02: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, QM FSM error (P2 struct &0x426b988, mess id 0xf0160f94)!
  Sep 14 2011 16:40:14: %ASA-1-713900: Group = *.*.*.*, IP = *.*.*.*, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
  Sep 14 2011 16:40:14: %ASA-3-713902: Group = *.*.*.*, IP = *.*.*.*, Removing peer from correlator table failed, no match!
  There is nothing in the Checkpoint logs. To solve the issue I have to reload the firewall.
  I have checked both firewalls for any mis-matched parameters and do not see any.
  Any help is very much appreciated as it is very frustrating for myself and the users in the remote office.
  Thanks!

  Also to note, PFS is enabled on both firewalls. Config on Cisco ASA firewall as follows:
  hostname
  domain-name
  enable passwordpasswd names
  interface Vlan701
  nameif inside
  security-level 100
  ip address 10.65.0.69 255.255.255.252
  interface Vlan999
  nameif outside
  security-level 0
  ip address ******  255.255.255.248
  interface Ethernet0/0
  description Link to Internet
  switchport access vlan 999
  interface Ethernet0/1
  description
  switchport access vlan 701
  interface range Ethernet0/2 - 0/7
  switchport access vlan 2
  shutdown
  ftp mode passive
  dns server-group DefaultDNS
  domain-name******
  access-list 101 extended permit ip host ****** 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 host ******
  access-list 101 extended permit ip 10.65.0.64 255.255.255.192 ******* 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.25.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.28.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.26.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 172.16.0.0 255.248.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.72.0.0 255.255.0.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.224 10.68.2.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 10.151.10.0 255.255.255.0
  access-list nonat extended permit ip 10.65.0.64 255.255.255.192 ******** 255.255.255.0
  pager lines 24
  logging enable
  logging timestamp
  logging buffered warnings
  logging trap warnings
  logging asdm informational
  logging host outside *****
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list nonat
  route inside ******
  route outside 0.0.0.0 0.0.0.0 ********
  timeout xlate 0:05:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  snmp-server location **:
  snmp-server contact **
  snmp-server community shortkey
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  snmp-server enable traps syslog
  crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
  crypto map CASGMAP 50 match address 101
  crypto map CASGMAP 50 set pfs group1
  crypto map CASGMAP 50 set peer ********
  crypto map CASGMAP 50 set transform-set 3desmd5
  crypto map CASGMAP 50 set security-association lifetime seconds 3600
  crypto map CASGMAP interface outside
  crypto isakmp enable outside
  crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet **** inside
  telnet timeout 5
  ssh **** inside
  ssh **** outside
  ssh timeout 5
  console timeout 30
  management-access inside
  dhcpd ping_timeout 750
  priority-queue outside
  ntp server **
  username ***
  tunnel-group ******** type ipsec-l2l
  tunnel-group ******** ipsec-attributes
  pre-shared-key ***
  class-map VoIP
  match dscp ef
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map General-purpose
  class VoIP
  priority
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
  service-policy General-purpose interface outside
  prompt hostname context

• UNABLE TO ACCESS THE INTERNET FROM LOCAL PROVIDER ON A SITE-TO-SITE VPN CONNECTION

  Dear All,
  I have a site-to-site connection  from point A to point B. From point B i am unable to access the internet from local internet provider.
  I am trying to ping from 192.168.20.1 the dns 8.8.8.8   but i receive the  message "destination net unreachable".
  When i run "show ip nat translation" i receive nothing.
  The vpn connection is working properly, i can ping the other side 192.168.10/24
  Below is the configuration of the cisco router on point B.
  dot11 syslog
  ip source-route
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.21.254
  ip dhcp pool voice
   network 192.168.21.0 255.255.255.0
   default-router 192.168.21.254 
   option 150 ip 192.168.5.10 
  ip cef
  ip domain name neocleous.ru
  ip inspect name IOS_FIREWALL tcp
  ip inspect name IOS_FIREWALL udp
  ip inspect name IOS_FIREWALL icmp
  ip inspect name IOS_FIREWALL h323
  ip inspect name IOS_FIREWALL http
  ip inspect name IOS_FIREWALL https
  ip inspect name IOS_FIREWALL skinny
  ip inspect name IOS_FIREWALL sip
  no ipv6 cef
  multilink bundle-name authenticated
  vty-async
  isdn switch-type primary-net5
  redundancy
  crypto isakmp policy 5
   hash md5
   authentication pre-share
   group 2
  crypto isakmp policy 10
   encr aes
   authentication pre-share
   group 2
   lifetime 28800
  crypto isakmp policy 50
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key Pb85heuvMde9Wdac5Qohha7lziIf142u address [ip address]
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10
  crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac 
  crypto ipsec transform-set TRANSET2 esp-des esp-md5-hmac 
  crypto ipsec df-bit clear
  crypto map CryptoMAP1 ipsec-isakmp 
   set peer [ip address]
   set transform-set TRANSET 
   match address CryptoACL
  interface FastEthernet0/0
   description Primary Provider
   ip address [PUBLIC IP MAIN PROVIDER] 255.255.255.252
   ip access-group outside_acl in
   ip mtu 1390
   ip nat outside
   ip virtual-reassembly in
   load-interval 30
   duplex auto
   speed auto
   crypto map CryptoCY
   crypto ipsec df-bit clear
  interface FastEthernet0/1
   description TO LAN
   no ip address
   load-interval 30
   speed 100
   full-duplex
  interface FastEthernet0/1.1
   description DATA VLAN
   encapsulation dot1Q 20
   ip address 192.168.20.254 255.255.255.0
   ip access-group inside_acl in
   ip nat inside
   ip inspect IOS_FIREWALL in
   ip virtual-reassembly in
   ip tcp adjust-mss 1379
  interface FastEthernet0/1.2
   description VOICE VLAN
   encapsulation dot1Q 21
   ip address 192.168.21.254 255.255.255.0
  interface Serial0/2/0:15
   no ip address
   encapsulation hdlc
   isdn switch-type primary-net5
   isdn incoming-voice voice
   no cdp enable
  interface FastEthernet0/3/0
   no ip address
   ip access-group outside_acl in
   ip nat outside
   ip virtual-reassembly in
   shutdown
   duplex auto
   speed auto
   crypto map CryptoCY
  ip local pool VPNPool 192.168.23.2 192.168.23.10
  ip forward-protocol nd
  ip http server
  no ip http secure-server
  ip nat inside source list nat_list interface FastEthernet0/3/0 overload
  ip route 0.0.0.0 0.0.0.0 [default gateway ip]
  ip access-list standard VTY
    permit 192.168.20.0 0.0.0.255
  ip access-list extended CryptoACL
   permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
   permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
   permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
   permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
   permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
   permit ip host 192.168.22.1 192.168.6.0 0.0.0.255
  ip access-list extended DFBIT_acl
   permit tcp any any
  ip access-list extended inside_acl
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.35
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.39
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.23
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.18
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.55
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.144
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.146
   permit ip 192.168.20.0 0.0.0.255 host 192.168.10.141
   permit ip host 192.168.20.253 host 192.168.3.21
   permit ip host 192.168.20.254 host 192.168.3.21
   permit ip 192.168.20.0 0.0.0.255 host 192.168.3.10
   permit ip 192.168.20.0 0.0.0.255 host 192.168.20.254
  ip access-list extended nat_list
   deny   ip host 192.168.20.254 192.168.10.0 0.0.0.255
   deny   ip host 192.168.20.254 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.1 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.1 192.168.10.0 0.0.0.255
   deny   ip host 192.168.20.2 192.168.3.0 0.0.0.255
   deny   ip host 192.168.20.2 192.168.10.0 0.0.0.255
   permit ip host 192.168.20.1 any
   permit ip host 192.168.20.2 any
   permit ip host 192.168.20.254 any
  ip access-list extended outside_acl
   permit gre any host [ip address]
   permit esp any host [ip address]
   deny   ip any any
  ip sla 2
   icmp-echo 192.168.10.254 source-interface FastEthernet0/1.1
   frequency 180
   timeout 500
  ip sla schedule 2 life forever start-time now
  logging 192.168.3.21
  route-map DFBIT_routemap permit 10
   match ip address DFBIT_acl
   set ip df 0
  route-map ISP2 permit 10
   match ip address nat_list
   match interface FastEthernet0/3/0
  route-map nonat permit 10
   match ip address nonat_acl
  route-map ISP1 permit 10
   match ip address nat_list
   match interface FastEthernet0/0

  You cannot access internet, because all traffic is tunneled for VPN !!!!
  Please see cisco tech documentation and bypass traffic for internet.
  eg.  if lan traffic is going from site a to site b  then through vpn
        else
         lan traffic to internet (any) should be out thorugh the vpn .

• Unable to access the data from Data Management Gateway: Query timeout expired

  Hi,
  Since 2-3 days the data refresh is failing on our PowerBI site. I checked below:
  1. The gateway is in running status.
  2. Data source is also in ready status and test connection worked fine too.
  3. Below is the error in System Health -
  Failed to refresh the data source. An internal service error has occurred. Retry the operation at a later time. If the problem persists, contact Microsoft support for further assistance.        
  Error code: 4025
  4. Below is the error in Event Viewer.
  Unable to access the data from Data Management Gateway: Query timeout expired. Please check 1) whether the data source is available 2) whether the gateway on-premises service is running using Windows Event Logs.
  5. This is the correlational id for latest refresh failure
  is
  f9030dd8-af4c-4225-8674-50ce85a770d0
  6.
  Refresh History error is –
  Errors in the high-level relational engine. The following exception occurred while the managed IDataReader interface was being used: The operation has timed out. Errors in the high-level relational engine. The following exception occurred while the
  managed IDataReader interface was being used: Query timeout expired. 
  Any idea what could have went wrong suddenly, everything was working fine from last 1 month.
  Thanks,
  Richa

  Never mind, figured out there was a lock on SQL table which caused all the problems. Once I released the lock it PowerPivot refresh started working fine.
  Thanks.

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

  I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
  I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
  I need to allow the following IP addresses to have RDP access to my server:
  66.237.238.193-66.237.238.222
  69.195.249.177-69.195.249.190
  69.65.80.240-69.65.80.249
  My external WAN server info is - 99.89.69.333
  The internal IP address of my server is - 192.168.6.2
  The other server shows up as 99.89.69.334 but is working fine.
  I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
  THE FOLLOWING IS MY CONFIGURATION FILE
  Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
  Also the bolded lines are the modifications I made but that arent working.
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password DowJbZ7jrm5Nkm5B encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.6.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 99.89.69.233 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group network EMRMC
  network-object 10.1.2.0 255.255.255.0
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 172.16.0.0 255.255.0.0
  network-object 192.168.9.0 255.255.255.0
  object-group service RDP tcp
  description RDP
  port-object eq 3389
  object-group service GMED tcp
  description GMED
  port-object eq 3390
  object-group service MarsAccess tcp
  description MarsAccess
  port-object range pcanywhere-data 5632
  object-group service MarsFTP tcp
  description MarsFTP
  port-object range ftp-data ftp
  object-group service MarsSupportAppls tcp
  description MarsSupportAppls
  port-object eq 1972
  object-group service MarsUpdatePort tcp
  description MarsUpdatePort
  port-object eq 7835
  object-group service NM1503 tcp
  description NM1503
  port-object eq 1503
  object-group service NM1720 tcp
  description NM1720
  port-object eq h323
  object-group service NM1731 tcp
  description NM1731
  port-object eq 1731
  object-group service NM389 tcp
  description NM389
  port-object eq ldap
  object-group service NM522 tcp
  description NM522
  port-object eq 522
  object-group service SSL tcp
  description SSL
  port-object eq https
  object-group service rdp tcp
  port-object eq 3389
  access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
  access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
  access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
  access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
  access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.6.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 68.156.148.5
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 1
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  tunnel-group 68.156.148.5 type ipsec-l2l
  tunnel-group 68.156.148.5 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
  : end
  ciscoasa(config-network)#

  Unclear what did not work.  In your original post you include said some commands were added but don't work:
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  and later you state you add another command that gets an error:
  static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
  You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
  The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
  Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

• Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

  i got today a new CISCO LAYER 3 Switch .. so here is my scenrio
  Cisco Asa 5505
  I
  Outside  == 155.155.155.x
  Inside  =      192.168.7.1
  VPN POOL Address =   10.10.10.1   -   10.10.10.20
  Layer 3 Switch Config
  Vlan 2
  interface ip address =  192.168.1.1
  Vlan 2
  interface ip address =  192.168.2.1
  Vlan 2
  interface ip address =  192.168.3.1
  Vlan 2
  interface ip address =  192.168.4.1
  Vlan 2
  interface ip address =  192.168.5.1
  ip Routing
  So i want My Remote Access VPN clients to access all this Networks. So Please can you give me a helpfull trick or Link to configure the rest of my routing
  Thank You all

  When My Remote VPN is Connected , it reaches 192.168.7.2 of the Layer 3 VLan that's Connected to The ASA 5505 ,
  But i can't reach the rest of the VLAN - example
  192.168.1.1
  192.168.1.2
  192.168.1.3
  192.168.1.4
  192.168.1.5
  But i can reach the Connected Interface Vlan to My ASA ..
  So here i think iam miss configuration to my Route
  Any Help Please this is urgent

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Cisco ASA 5505 Site to Site VPN

  Hello All,
  First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.
  I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind
  Please see details below:
  Both ADM are 7.1
  IOS
  ASA 1
  aved
  ASA Version 9.0(1)
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address 92.51.193.158 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network CIX_Subnet
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network NETWORK_OBJ_84.39.233.50
  host 84.39.233.50
  object network NETWORK_OBJ_92.51.193.158
  host 92.51.193.158
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address
  [email protected]
  logging recipient-address
  [email protected]
  level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  http 192.168.40.0 255.255.255.0 wireless
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 84.39.233.50
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 192.168.10.0 255.255.255.0 inside
  ssh 192.168.40.0 255.255.255.0 wireless
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password uYePLcrFadO9pBZx encrypted
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1
  ASA 2
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address 84.39.233.50 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network Eiresoft
  host 146.66.160.70
  description DBA Contractor
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_3
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_7
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in remark Access for Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source dynamic any interface
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 92.51.193.156 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 92.51.193.158
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 77.75.100.208 255.255.255.240 outside
  ssh 92.51.193.156 255.255.255.252 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
  : end

  Hi,
  Thanks for the help to date
  I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.
  See below the details:
  ASA1:
  hostname PAYBACK
  enable password HSMurh79NVmatjY0 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description Trunk link to SW1
  switchport trunk allowed vlan 1,10,20,30,40
  switchport trunk native vlan 1
  switchport mode trunk
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  no nameif
  no security-level
  no ip address
  interface Vlan2
  nameif outside
  security-level 0
  ip address XX.XX.XX.XX 255.255.255.252
  interface Vlan10
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  interface Vlan20
  nameif servers
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  interface Vlan30
  nameif printers
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  interface Vlan40
  nameif wireless
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  banner login line Welcome to Payback Loyalty Systems
  boot system disk0:/asa901-k8.bin
  ftp mode passive
  clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns domain-lookup servers
  dns domain-lookup printers
  dns domain-lookup wireless
  dns server-group DefaultDNS
  name-server 83.147.160.2
  name-server 83.147.160.130
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network ftp_server
  object network Internal_Report_Server
  host 192.168.20.21
  description Automated Report Server Internal Address
  object network Report_Server
  host 89.234.126.9
  description Automated Report Server
  object service RDP
  service tcp destination eq 3389
  description RDP to Server
  object network Host_QA_Server
  host 89.234.126.10
  description QA Host External Address
  object network Internal_Host_QA
  host 192.168.20.22
  description Host of VM machine for QA
  object network Internal_QA_Web_Server
  host 192.168.20.23
  description Web Server in QA environment
  object network Web_Server_QA_VM
  host 89.234.126.11
  description Web server in QA environment
  object service SQL_Server
  service tcp destination eq 1433
  object network Demo_Server
  host 89.234.126.12
  description Server set up to Demo Product
  object network Internal_Demo_Server
  host 192.168.20.24
  description Internal IP Address of Demo Server
  object network NETWORK_OBJ_192.168.20.0_24
  subnet 192.168.20.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_26
  subnet 192.168.50.0 255.255.255.192
  object network NETWORK_OBJ_192.168.0.0_16
  subnet 192.168.0.0 255.255.0.0
  object service MSSQL
  service tcp destination eq 1434
  description MSSQL port
  object network VPN-network
  subnet 192.168.50.0 255.255.255.0
  object network NETWORK_OBJ_192.168.50.0_24
  subnet 192.168.50.0 255.255.255.0
  object service TS
  service tcp destination eq 4400
  object service TS_Return
  service tcp source eq 4400
  object network External_QA_3
  host 89.234.126.13
  object network Internal_QA_3
  host 192.168.20.25
  object network Dev_WebServer
  host 192.168.20.27
  object network External_Dev_Web
  host 89.234.126.14
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  description Wireless network
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object-group service DM_INLINE_SERVICE_1
  service-object tcp destination eq ftp
  service-object tcp destination eq netbios-ssn
  service-object tcp destination eq smtp
  service-object object TS
  service-object object SQL_Server
  object-group service DM_INLINE_SERVICE_3
  service-object tcp destination eq www
  service-object tcp destination eq https
  service-object object TS
  service-object object TS_Return
  object-group service DM_INLINE_SERVICE_4
  service-object object RDP
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group service DM_INLINE_SERVICE_5
  service-object object MSSQL
  service-object object RDP
  service-object object TS
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service DM_INLINE_SERVICE_6
  service-object object TS
  service-object object TS_Return
  service-object tcp destination eq www
  service-object tcp destination eq https
  object-group network DM_INLINE_NETWORK_1
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  object-group network Payback_Internal
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.20.0 255.255.255.0
  network-object 192.168.40.0 255.255.255.0
  access-list outside_access_in remark This rule is allowing from internet to interal server.
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark FTP
  access-list outside_access_in remark RDP
  access-list outside_access_in remark SMTP
  access-list outside_access_in remark Net Bios
  access-list outside_access_in remark SQL
  access-list outside_access_in remark TS - 4400
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
  access-list outside_access_in remark Access rule to internal host QA
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
  access-list outside_access_in remark Access to INternal Web Server:
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark HTTP
  access-list outside_access_in remark RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
  access-list outside_access_in remark Rule for allowing access to Demo server
  access-list outside_access_in remark Allowed:
  access-list outside_access_in remark RDP
  access-list outside_access_in remark MSSQL
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
  access-list outside_access_in remark Access for Development WebServer
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
  access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
  access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging console informational
  logging asdm informational
  logging from-address [email protected]
  logging recipient-address [email protected] level alerts
  mtu outside 1500
  mtu inside 1500
  mtu servers 1500
  mtu printers 1500
  mtu wireless 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-711-52.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
  nat (inside,outside) source dynamic any interface
  nat (wireless,outside) source dynamic any interface
  nat (servers,outside) source dynamic any interface
  nat (servers,outside) source static Internal_Report_Server Report_Server
  nat (servers,outside) source static Internal_Host_QA Host_QA_Server
  nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
  nat (servers,outside) source static Internal_Demo_Server Demo_Server
  nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
  nat (servers,outside) source static Internal_QA_3 External_QA_3
  nat (servers,outside) source static Dev_WebServer External_Dev_Web
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer XX.XX.XX.XX
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map servers_map interface servers
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 enable inside client-services port 443
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  crypto ikev1 enable servers
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.10.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.168.0.1
  dhcpd auto_config outside
  dhcpd address 192.168.10.21-192.168.10.240 inside
  dhcpd dns 192.168.20.21 83.147.160.2 interface inside
  dhcpd option 15 ascii paybackloyalty.com interface inside
  dhcpd enable inside
  dhcpd address 192.168.40.21-192.168.40.240 wireless
  dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
  dhcpd update dns interface wireless
  dhcpd option 15 ascii paybackloyalty.com interface wireless
  dhcpd enable wireless
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy Payback_VPN internal
  group-policy Payback_VPN attributes
  vpn-simultaneous-logins 10
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Payback_VPN_splitTunnelAcl
  group-policy DfltGrpPolicy attributes
  dns-server value 83.147.160.2 83.147.160.130
  vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
  group-policy GroupPolicy_84.39.233.50 internal
  group-policy GroupPolicy_84.39.233.50 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username Noelle password XB/IpvYaATP.2QYm encrypted
  username Noelle attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
  username Eanna attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Michael password qpbleUqUEchRrgQX encrypted
  username Michael attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
  username Danny attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username niamh password MlFlIlEiy8vismE0 encrypted
  username niamh attributes
  service-type admin
  username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
  username Aileen attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
  username Aidan attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  username shane.c password iqGMoWOnfO6YKXbw encrypted
  username shane.c attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Shane password yQeVtvLLKqapoUje encrypted privilege 0
  username Shane attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username James password TdYPv1pvld/hPM0d encrypted
  username James attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username mark password yruxpddqfyNb.qFn encrypted
  username mark attributes
  service-type admin
  username Mary password XND5FTEiyu1L1zFD encrypted
  username Mary attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
  username Massimo attributes
  vpn-group-policy Payback_VPN
  service-type remote-access
  tunnel-group Payback_VPN type remote-access
  tunnel-group Payback_VPN general-attributes
  address-pool VPN1
  default-group-policy Payback_VPN
  tunnel-group Payback_VPN ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 84.39.233.50 type ipsec-l2l
  tunnel-group 84.39.233.50 general-attributes
  default-group-policy GroupPolicy_84.39.233.50
  tunnel-group 84.39.233.50 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map global-class
  match default-inspection-traffic
  policy-map global-policy
  class global-class
    inspect dns
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip
    inspect snmp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect icmp error
    inspect icmp
  service-policy global-policy global
  smtp-server 192.168.20.21
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:83fa7ce1d93375645205f6e79b526381
  ASA2:
  ASA Version 9.0(1)
  hostname Payback-CIX
  enable password HSMurh79NVmatjY0 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  speed 100
  duplex full
  interface Ethernet0/1
  description This port connects to VLAN 100
  switchport access vlan 100
  interface Ethernet0/2
  interface Ethernet0/3
  switchport access vlan 100
  interface Ethernet0/4
  switchport access vlan 100
  interface Ethernet0/5
  switchport access vlan 100
  interface Ethernet0/6
  switchport access vlan 100
  interface Ethernet0/7
  switchport access vlan 100
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.X 255.255.255.240
  interface Vlan100
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  banner login line Welcome to Payback Loyalty - CIX
  ftp mode passive
  clock timezone GMT 0
  clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
  dns domain-lookup outside
  dns domain-lookup inside
  dns server-group defaultDNS
  name-server 8.8.8.8
  name-server 8.8.4.4
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network CIX-Host-1
  host 192.168.100.2
  description This is the host machine of the VM servers
  object network External_CIX-Host-1
  host 84.39.233.51
  description This is the external IP address of the host server for the VM server
  object service RDP
  service tcp source range 1 65535 destination eq 3389
  object network Payback_Office
  host 92.51.193.158
  object service MSQL
  service tcp destination eq 1433
  object network Development_OLTP
  host 192.168.100.10
  description VM for Eiresoft
  object network External_Development_OLTP
  host 84.39.233.52
  description This is the external IP address for the VM for Eiresoft
  object network External_TMC_Web
  host 84.39.233.53
  description Public Address of TMC Webserver
  object network TMC_Webserver
  host 192.168.100.19
  description Internal Address of TMC Webserver
  object network External_TMC_OLTP
  host 84.39.233.54
  description Targets OLTP external IP
  object network TMC_OLTP
  host 192.168.100.18
  description Targets interal IP address
  object network External_OLTP_Failover
  host 84.39.233.55
  description Public IP of OLTP Failover
  object network OLTP_Failover
  host 192.168.100.60
  description Server for OLTP failover
  object network Servers
  subnet 192.168.20.0 255.255.255.0
  object network Wired
  subnet 192.168.10.0 255.255.255.0
  object network Wireless
  subnet 192.168.40.0 255.255.255.0
  object network NETWORK_OBJ_192.168.100.0_24
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.10.0_24
  subnet 192.168.10.0 255.255.255.0
  object network Eiresoft_2nd
  host 137.117.217.29
  description Eiresoft 2nd IP
  object network Dev_Test_Webserver
  host 192.168.100.12
  description Dev Test Webserver Internal Address
  object network External_Dev_Test_Webserver
  host 84.39.233.56
  description This is the PB Dev Test Webserver
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network LAN
  subnet 192.168.100.0 255.255.255.0
  object network REMOTE-LAN
  subnet 192.168.10.0 255.255.255.0
  object network TargetMC
  host 83.71.194.145
  description This is Target Location that will be accessing the Webserver
  object network Rackspace_OLTP
  host 162.13.34.56
  description This is the IP address of production OLTP
  object service DB
  service tcp destination eq 5022
  object network Topaz_Target_VM
  host 82.198.151.168
  description This is Topaz IP that will be accessing Targets VM
  object service DB_2
  service tcp destination eq 5023
  object network EireSoft_NEW_IP
  host 146.66.161.3
  description Eiresoft latest IP form ISP DHCP
  object-group service DM_INLINE_SERVICE_1
  service-object object MSQL
  service-object object RDP
  service-object icmp echo
  service-object icmp echo-reply
  object-group service DM_INLINE_SERVICE_2
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_4
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object tcp destination eq www
  object-group service DM_INLINE_SERVICE_5
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_6
  service-object object MSQL
  service-object object RDP
  object-group network Payback_Intrernal
  network-object object Servers
  network-object object Wired
  network-object object Wireless
  object-group service DM_INLINE_SERVICE_8
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_9
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_10
  service-object object MSQL
  service-object object RDP
  service-object tcp destination eq ftp
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  object-group service DM_INLINE_SERVICE_11
  service-object object RDP
  service-object tcp destination eq ftp
  object-group service DM_INLINE_SERVICE_12
  service-object object MSQL
  service-object icmp echo
  service-object icmp echo-reply
  service-object object DB
  service-object object DB_2
  object-group service DM_INLINE_SERVICE_13
  service-object object MSQL
  service-object object RDP
  object-group service DM_INLINE_SERVICE_14
  service-object object MSQL
  service-object object RDP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
  access-list outside_access_in remark Development OLTP from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
  access-list outside_access_in remark Access to OLTP for target from Payback Office
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
  access-list outside_access_in remark Access for the 2nd IP from Eiresoft
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
  access-list outside_access_in remark Access from the 2nd Eiresoft IP
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
  access-list outside_access_in remark Access rules from Traget to CIX for testing
  access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
  access-list outside_access_in remark Topaz access to Target VM
  access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
  access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
  access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
  access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
  access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
  access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
  pager lines 24
  logging enable
  logging console debugging
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
  nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
  nat (inside,outside) source static Development_OLTP External_Development_OLTP
  nat (inside,outside) source static TMC_Webserver External_TMC_Web
  nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
  nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
  nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
  nat (inside,outside) source dynamic LAN interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http X.X.X.X 255.255.255.252 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer X.X.X.X
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh X.X.X.X  255.255.255.240 outside
  ssh X.X.X.X 255.255.255.252 outside
  ssh 192.168.40.0 255.255.255.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  group-policy GroupPolicy_92.51.193.158 internal
  group-policy GroupPolicy_92.51.193.158 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
  tunnel-group 92.51.193.158 type ipsec-l2l
  tunnel-group 92.51.193.158 general-attributes
  default-group-policy GroupPolicy_92.51.193.158
  tunnel-group 92.51.193.158 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

• VPN PROBLEM CISCO ASA 5505

      Hello,  I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
       I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
       Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
       The running-config it created is:
  ciscoasa# sh run
  : Saved
  ASA Version 8.4(2)
  hostname ciscoasa
  enable password XXXX encrypted
  passwd XXXX encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.1.254 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ADSL_Telefonica
  ip address pppoe setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_172.16.0.0_16
  subnet 172.16.0.0 255.255.0.0
  access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 172.16.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 172.16.0.0 255.255.0.0 inside
  telnet timeout 55
  ssh 172.16.0.0 255.255.0.0 inside
  ssh timeout 55
  console timeout 0
  vpdn group ADSL_Telefonica request dialout pppoe
  vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
  vpdn group ADSL_Telefonica ppp authentication pap
  vpdn username adslppp@telefonicanetpa password *****
  dhcpd auto_config outside
  dhcpd address 172.16.2.2-172.16.2.129 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy test internal
  group-policy test attributes
  dns-server value 172.16.1.1
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value test_splitTunnelAcl
  username test password XXXXXX encrypted privilege 0
  username test attributes
  vpn-group-policy test
  username ignacio password XXXXXXX encrypted
  tunnel-group test type remote-access
  tunnel-group test general-attributes
  address-pool test
  default-group-policy test
  tunnel-group test ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
  : end
  Thank you very much for your help

  Yes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
  • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
  I should have read Release Notes before. Thank you very much for your help and effort.

• Cisco ASA 5505 - Can't Login from Public & Local IP Anymore!

  Hello,
  We've a Cisco ASA 5505 connected directly to Verizon FiOS Circuit (ONT) box using Ethernet cable. As per the existing documention that I have, the previous configured this as a dedicated router to establish a seperate VPN connection our software provider. They assigned both Public Static and Local Static IP address. When I try to ping the public IP address, it says request time out; so the public IP address is no longer working.
  When I ping the local IP address of 192.168.100.11, it responds. The SolarWind tool also shows Always UP signal. How can I login into this router either from remotely or locally to check the configuration, backup and do the fimrware upgrade?
  I also tried to connect my laptop directly to the ASA 5505 router LAN port. After 3 minutes, I'm able to connect to Internet without any issues. However I don't know the IP address to use to login.
  Any advice would be greatly appreciated. Thank you.
  UPDATE: I'm able to find the way! I need to use https to login! I'm able to download ASDM tool and login! Thanks to these resources:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
  http://cyruslab.wordpress.com/2010/09/09/how-to-download-asdm-from-asa5505-and-install-it/

  Hi Srinath,
  If that ASA5505 has factory-default configuration on it , then it probably has 192.168.1.1 ip address on the LAN side and has got dhcp server turned on to provide you ip address dynamically the moment you hook up a machine to it directly or through a switch.
  If you've access to ASDM.
  You can go the Configuration Tab>>Device Management>>Device Access and turn on the SSH & Telnet from the LAN interface because by default only HTTPS/ASDM is enabled on LAN interface.
  You will still need to generate crypto keys and create a username in order to get ssh working
  For this you can click at the TOP at TOOLS>> Command Line Interface.
  And in the box below type this
  crypto key generate rsa modulus 1024
  add a username
  username <> password <> priv 15
  and enable aaa authentication for ssh like this
  aaa authentication ssh console LOCAL
  Let me know if this helps.
  Puneet

• Cisco ASA 5505 not able to access flash

  Hi All:
  I have searched and searched all over the net for an answer to this question and have decided to just post it. I have a 5505 that was given to me by my job to use for working on my CCNA Sec. cert and did the following:
  I plugged it in and booted it up just fine. Made config changes as I followed along with the examples in my CCNA Security book. Got to the point in chapter 14 where the initial setup happens to configure it for working with ASDM. I never did a write mem on it and decided to take it back to square one by unplugging it to allow it to lose the changes that I made. This is where things got ugly.
  When it booted back up it got stuck in a bootup loop and couldn't find an IOS. After following all kinds of steps to boot to rommon and tftp another IOS and such (several times) I decided to follow another posting that said that the flash could be corrupted and to just delete it and start anew. Did that and through rommon as it would not boot up normally any more. After trying this over and over for the last couple hours I realized that it would boot from tftp so I did that in hopes of fixing the flash issue.
  I've tried deleting it, and re-initializing it and formating it. But the thing is that it no longer SEES the disk0: mount point. I've used two different flash cards...the one that came with it and the one that I already had. With the cover off I can see that there is no activity light next to the flash drive when I issue a delete or initialize or format command.
  Here is a copy of some of the output file. Any help or suggestions are greatly appreciated.
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Please set ADDRESS Variable.
  Please set SERVER Variable.
  Please set IMAGE Variable.
  Launching BootLoader...
  Default configuration file contains 1 entry.
  Boot mode is 1. Default entry is 1.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  Failsafe booting engaged.
  Default configuration file contains 1 entry.
  Searching / for images to boot.
  No images in /
  Error 15: File not found
  unable to boot an image
  CISCO SYSTEMS
  Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
  Low Memory: 632 KB
  High Memory: 507 MB
  PCI Device Table.
  Bus Dev Func VendID DevID Class              Irq
  00  01  00   1022   2080  Host Bridge       
  00  01  02   1022   2082  Chipset En/Decrypt 11
  00  0C  00   1148   4320  Ethernet           11
  00  0D  00   177D   0003  Network En/Decrypt 10
  00  0F  00   1022   2090  ISA Bridge        
  00  0F  02   1022   2092  IDE Controller    
  00  0F  03   1022   2093  Audio              10
  00  0F  04   1022   2094  Serial Bus         9
  00  0F  05   1022   2095  Serial Bus         9
  Evaluating BIOS Options ...
  Launch BIOS Extension to setup ROMMON
  Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May  1 14:50:05 PDT 2008
  Platform ASA5505
  Use BREAK or ESC to interrupt boot.
  Use SPACE to begin boot immediately.
  Boot interrupted.                              
  Ethernet0/0
  MAC Address: 0023.339e.2a91
  Link is UP
  Use ? for help.
  rommon #0> format disk0:
  Invalid or incorrect command.  Use 'help' for help.
  rommon #0> ADDRESS=10.10.10.110
  rommon #1> GATEWAY=10.10.10.1
  rommon #2> SERVER=10.10.10.98
  rommon #3> IMAGE=asa914-k8.bin
  rommon #4> tftp
  ROMMON Variable Settings:
    ADDRESS=10.10.10.110
    SERVER=10.10.10.98
    GATEWAY=10.10.10.1
    PORT=Ethernet0/0
    VLAN=untagged
    IMAGE=asa914-k8.bin
    CONFIG=
    LINKTIMEOUT=20
    PKTTIMEOUT=4
    RETRY=20
  tftp [email protected] via 10.10.10.1
  Received 27076608 bytes
  Launching TFTP Image...
  Cisco Security Appliance admin loader (3.0) #0: Thu Dec  5 19:38:43 PST 2013
  Platform ASA5505
  Loading...
  IO memory blocks requested from bigphys 32bit: 9956
  Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
  Currently, only 1 or 2 FATs are supported, not 42.
  dosfsck(/dev/hda1) returned 1
  mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
  mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
  Processor memory 343932928, Reserved memory: 62914560
  Total SSMs found: 0
  Total NICs found: 10
  88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
  88E6095 rev 2 Ethernet @ index 08 MAC: 0023.339e.2a90
  88E6095 rev 2 Ethernet @ index 07 MAC: 0023.339e.2a8f
  88E6095 rev 2 Ethernet @ index 06 MAC: 0023.339e.2a8e
  88E6095 rev 2 Ethernet @ index 05 MAC: 0023.339e.2a8d
  88E6095 rev 2 Ethernet @ index 04 MAC: 0023.339e.2a8c
  88E6095 rev 2 Ethernet @ index 03 MAC: 0023.339e.2a8b
  88E6095 rev 2 Ethernet @ index 02 MAC: 0023.339e.2a8a
  88E6095 rev 2 Ethernet @ index 01 MAC: 0023.339e.2a89
  y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0023.339e.2a91
  INFO: Unable to read firewall mode from flash
         Writing default firewall mode (single) to flash
  INFO: Unable to read cluster interface-mode from flash
         Writing default mode "None" to flash
  Verify the activation-key, it might take a while...
  Failed to retrieve permanent activation key.
  Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
  The Running Activation Key is not valid, using default settings:
  Licensed features for this platform:
  Maximum Physical Interfaces       : 8              perpetual
  VLANs                             : 3              DMZ Restricted
  Dual ISPs                         : Disabled       perpetual
  VLAN Trunk Ports                  : 0              perpetual
  Inside Hosts                      : 10             perpetual
  Failover                          : Disabled       perpetual
  Encryption-DES                    : Enabled        perpetual
  Encryption-3DES-AES               : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 10             perpetual
  Total VPN Peers                   : 12             perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  Cluster                           : Disabled       perpetual
  This platform has a Base license.
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                               Boot microcode        : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                               IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
  Cisco Adaptive Security Appliance Software Version 9.1(4)
    ****************************** Warning *******************************
    This product contains cryptographic features and is
    subject to United States and local country laws
    governing, import, export, transfer, and use.
    Delivery of Cisco cryptographic products does not
    imply third-party authority to import, export,
    distribute, or use encryption. Importers, exporters,
    distributors and users are responsible for compliance
    with U.S. and local country laws. By using this
    product you agree to comply with applicable laws and
    regulations. If you are unable to comply with U.S.
    and local laws, return the enclosed items immediately.
    A summary of U.S. laws governing Cisco cryptographic
    products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by
    sending email to [email protected].
    ******************************* Warning *******************************
  This product includes software developed by the OpenSSL Project
  for use in the OpenSSL Toolkit (http://www.openssl.org/)
  Copyright (C) 1995-1998 Eric Young ([email protected])
  All rights reserved.
  Copyright (c) 1998-2011 The OpenSSL Project.
  All rights reserved.
  This product includes software developed at the University of
  California, Irvine for use in the DAV Explorer project
  (http://www.ics.uci.edu/~webdav/)
  Copyright (c) 1999-2005 Regents of the University of California.
  All rights reserved.
  Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  Busybox comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  59 Temple Place, Suite 330, Boston, MA 02111-1307
  675 Mass Ave, Cambridge, MA 02139
  DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  59 Temple Place, Suite 330, Boston, MA 02111-1307
  grub comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
  libgcc comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenseSee User Manual (''Licensing'') for details.
  libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
  libstdc++ comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
  Foundation, Inc.
  51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  Linux kernel comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
  Foundation, Inc.
  59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  module-init-tools comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  numactl, version 2.0.3, Copyright (C) 2008 SGI.
  Author: Andi Kleen, SUSE Labs
  Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
  numactl comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  pciutils comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  59 Temple Place, Suite 330, Boston, MA 02111 USA
  readline comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
  51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  udev comes with ABSOLUTELY NO WARRANTY.
  This is free software, and you are welcome to redistribute it under the General
  Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
  See User Manual (''Licensing'') for details.
  Cisco Adapative Security Appliance Software, version 9.1,
  Copyright (c) 1996-2013 by Cisco Systems, Inc.
  Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
  Lesser Public License (LGPL) Version 2.1.  The software code licensed under LGPL
  Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY.  You can
  redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
  (http://www.gnu.org/licenses/lgpl-2.1.html).  See User Manual for licensing
  details.
                  Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
                  Cisco Systems, Inc.
                  170 West Tasman Drive
                  San Jose, California 95134-1706
  Insufficient flash space available for this request:
    Size info: request:32 free:0  delta:32
  Could not initialize system files in flash.
  config_fetcher: channel open failed
  ERROR: MIGRATION - Could not get the startup configuration.
  INFO: Power-On Self-Test in process.
  INFO: Power-On Self-Test complete.
  INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200804300128.log'
  Pre-configure Firewall now through interactive prompts [yes]? n
  Type help or '?' for a list of available commands.
  ciscoasa> en
  Password:
  ciscoasa# format disk0:
  Format operation may take a while. Continue? [confirm]
  Format operation will destroy all data in "disk0:".  Continue? [confirm]
  Initializing partition - done!
  Creating FAT16 filesystem
  mkdosfs 2.11 (12 Mar 2005)
  System tables written to disk
  Format of disk0 complete
  ciscoasa# format disk:
                   ^
  ERROR: % Invalid input detected at '^' marker.
  ciscoasa# format flash:
  Format operation may take a while. Continue? [confirm]
  Format operation will destroy all data in "flash:".  Continue? [confirm]
  Initializing partition - done!

  Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
  ciscoasa#
  ciscoasa#
  ciscoasa#
  ciscoasa# sh flash
  --#--  --length--  -----date/time------  path
  2403  0           Apr 30 2008 02:00:56  test
  2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
  2283  0           Apr 30 2008 01:28:20  coredumpinfo
  2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
  2280  0           Apr 30 2008 01:27:56  crypto_archive
  2267  0           Apr 30 2008 01:27:38  log
  0 bytes total (0 bytes free)
  ciscoasa#
  ciscoasa#
  ciscoasa#
  ciscoasa# sh disk0
  --#--  --length--  -----date/time------  path
  2403  0           Apr 30 2008 02:00:56  test
  2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
  2283  0           Apr 30 2008 01:28:20  coredumpinfo
  2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
  2280  0           Apr 30 2008 01:27:56  crypto_archive
  2267  0           Apr 30 2008 01:27:38  log
  0 bytes total (0 bytes free)
  ciscoasa#