Unable to establish site to site vpn between asa 5505 an 5510
Hi ALL expert
We are now plan to form a site to site IPSec VPN tunnel between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failure, would you please teach me how to establish it? Any reference guide?
Hugo
Here are the links to the cisco config-guides:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html
In addition to VPN you need to look into NAT exemption:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043541
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wpxref25608
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html#wp1232160
And lots of examples:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Similar Messages
-
Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/3
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/4
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/5
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/6
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/7
switchport access vlan 250
interface Vlan2
nameif outside
security-level 0
ip address 81.XXX.XXX.XXX 255.255.255.252
interface Vlan3
nameif OUTSIDE_BACK
security-level 0
ip address 41.XXX.XXX.XXX 255.255.255.248
interface Vlan20
nameif XXX
security-level 80
ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
interface Vlan21
nameif XXX
security-level 90
ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
interface Vlan24
nameif XXX
security-level 80
ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
interface Vlan28
nameif XXX
security-level 80
ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
interface Vlan212
nameif SELF
security-level 80
ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
interface Vlan213
nameif XXX
security-level 80
ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
interface Vlan214
nameif BIOFR
security-level 80
ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
nameif MNGT
security-level 80
ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan233
nameif XXX
security-level 80
ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
interface Vlan234
nameif XXX
security-level 80
ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
interface Vlan235
nameif XX
security-level 80
ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
interface Vlan236
nameif XXX
security-level 80
ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
interface Vlan250
description LAN Failover Interface
interface Vlan254
nameif TEST
security-level 80
ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
interface Vlan255
nameif XXX
security-level 100
ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXX
subnet 10.143.14.0 255.255.255.0
object network XXX
subnet 10.143.35.0 255.255.255.0
object network XXX
subnet 10.143.1.0 255.255.255.0
object network MGMT
subnet 10.143.32.0 255.255.255.0
object network XXX
subnet 10.143.36.0 255.255.255.0
object network XXX
subnet 10.143.4.0 255.255.252.0
object network XXX
subnet 10.143.33.0 255.255.255.0
object network ACCT
subnet 10.143.34.0 255.255.255.0
object network XXX
subnet 10.143.0.0 255.255.255.0
object network XXX
subnet 10.143.8.0 255.255.255.0
object network XXX
subnet 10.143.12.0 255.255.255.0
object network XXX
subnet 10.143.37.0 255.255.255.0
object network TEST
subnet 10.143.254.0 255.255.255.0
object network XXX
subnet 10.143.255.0 255.255.255.0
object network NETWORK_OBJ_10.143.0.0_16
subnet 10.143.0.0 255.255.0.0
object network NETWORK_OBJ_10.91.0.0_16
subnet 10.91.0.0 255.255.0.0
object-group network vpn-local-network
network-object 10.143.14.0 255.255.255.0
network-object 10.143.35.0 255.255.255.0
network-object 10.143.1.0 255.255.255.0
network-object 10.143.32.0 255.255.255.0
network-object 10.143.36.0 255.255.255.0
network-object 10.143.4.0 255.255.255.0
network-object 10.143.33.0 255.255.255.0
network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list PING extended permit icmp any any
access-list PING extended permit icmp any any object-group ALLOW_PING
pager lines 24
logging asdm informational
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
no monitor-interface outside
no monitor-interface OUTSIDE_BACK
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XX interface
nat(IT,outside) source dynamic IT interface
nat (TEST,outside) source dynamic TEST interface
nat ( IT,outside) source dynamic IT interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
access-group PING in interface outside
access-group PING in interface OUTSIDE_BACK
route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
sysopt connection preserve-vpn-flows
sla monitor 123
type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 194.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST 1 set security-association lifetime seconds 86400
crypto map TEST 1 set security-association lifetime kilobytes 2147483647
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.143.255.0 255.255.255.0 IT
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access IT
dhcpd lease 60000
dhcpd ping_timeout 20
dhcpd domain tls.ad
dhcpd auto_config outside
dhcpd address 10.143.4.10-10.143.4.200 XXX
dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
dhcpd option 3 ip 10.143.4.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.12.10-10.143.12.200 XXX
dhcpd option 3 ip 10.143.12.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.14.10-10.143.14.200 XXX
dhcpd option 3 ip 10.143.14.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.32.10-10.143.32.100 MNGT
dhcpd option 3 ip 10.143.32.1 interface MNGT
dhcpd enable MNGT
dhcpd address 10.143.33.10-10.143.33.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.34.10-10.143.34.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.36.10-10.143.36.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.255.10-10.143.255.200 XXX
dhcpd option 3 ip 10.143.255.1 interface XXX
dhcpd enable IT
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.90.0.34
ntp server 10.91.0.34
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username tlsnimda password OW03yrp6/wvkyg6E encrypted
tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
tunnel-group 194.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
class-map icmp
match default-inspection-traffic
policy-map icmppolicy
class icmp
inspect icmp
service-policy icmppolicy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e820e629c3cbaf67478c065440ac8138
VPN is up but not passing any traffing
Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 194.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 10
local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CC4FACB7
current inbound spi : D8C0AC76
inbound esp sas:
spi: 0xD8C0AC76 (3636505718)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCC4FACB7 (3427773623)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
VPN is unstable
Connection terminated for peer 194.XXX.XXX.XX. Reason: Peer Terminate Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
I cannot pass any traffic through the vpn when it's UP, or ping the other side.
ASA VERSION 9.2I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.
-
Site to Site VPN between ASA 5505 and Cisco 800 router
Evening all,
Hoping that someboy can see the error of my ways. It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300
We have a cisco 800 in a remote site which we wanted to use for a site to site vpn. Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected. Getting traffic through it is another matter. Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192....... Both the ASA and 800 report the tunnel is up. If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back. I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA. Here is the config from the 800:
Building configuration...
Current configuration : 6488 bytes
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname hhp-sty-backup
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local
aaa session-id common
crypto pki trustpoint TP-self-signed-1347488939
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1347488939
revocation-check none
rsakeypair TP-self-signed-1347488939
crypto pki certificate chain TP-self-signed-1347488939
certificate self-signed 02
30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734
38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7
0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513
D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046
4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA
8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61
696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A
0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F
5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7
789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432
66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6
C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF
447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp pool inside
ip dhcp pool lan_network
network 172.20.224.0 255.255.240.0
dns-server 8.8.8.8 8.8.4.4
default-router 172.20.224.1
lease 7
ip cef
no ip domain lookup
ip domain name yourdomain.com
password encryption aes
username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1
username admin privilege 15 password 0 434Zaty
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 217.36.32.222
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.36.32.222
set peer 217.36.32.222
set transform-set ESP-3DES-SHA
match address 100
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.20.224.1 255.255.240.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname B6*******.btclick.com
ppp chap password 0 H*******
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 172.4.0.0 0.240.255.255
access-list 10 permit 195.12.1.35
access-list 10 permit 172.4.0.0 0.240.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 172.4.0.0 0.240.255.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
password 434Zaty
transport input telnet ssh
scheduler max-task-time 5000
end
Any help will be most gratefully recieved.Rick,
Thanks for replying. Here is the output from the 800 Show Crypto command:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
protected vrf: (none)
local ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
current_peer 217.36.32.222 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and this is the running config frm our ASA at HQ:
Result of the command: "sh run"
: Saved
ASA Version 8.2(1)
hostname secure-access
domain-name hhp.com
enable password UWWykvGjAPmxufUo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BT
ip address 217.36.32.222 255.255.255.255 pppoe
interface Vlan12
nameif DMZ
security-level 50
ip address 192.168.169.1 255.255.255.0
interface Vlan22
nameif Wireless_HHP
security-level 100
ip address 172.16.36.1 255.255.254.0
interface Vlan32
nameif CNES
security-level 100
ip address 187.187.168.1 255.255.0.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 12
interface Ethernet0/3
switchport access vlan 22
interface Ethernet0/4
switchport access vlan 32
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
switchport access vlan 12
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup DMZ
dns domain-lookup Wireless_HHP
dns domain-lookup CNES
dns server-group DefaultDNS
name-server 192.168.168.2
domain-name hhp.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NET-cnes_HHP-Sty
network-object 172.20.224.0 255.255.240.0
object-group network NET-cnes_HHP-Balivanich
network-object 172.20.192.0 255.255.240.0
object-group network Oak-DC1
network-object 192.168.168.2 255.255.255.255
object-group network Maple-DC2
network-object 192.168.168.3 255.255.255.255
object-group network HHP_Domain_Controllers
group-object Oak-DC1
group-object Maple-DC2
object-group network PC-Support
network-object 187.187.60.1 255.255.255.255
network-object 187.187.60.2 255.255.255.254
network-object 187.187.60.4 255.255.255.254
network-object 187.187.60.6 255.255.255.255
object-group network ELM-ActiveH
network-object 192.168.168.6 255.255.255.255
object-group network Pine-GP
network-object 192.168.168.12 255.255.255.255
object-group network HHP_Application_Servers
group-object ELM-ActiveH
group-object Pine-GP
object-group network Fern-TS1
network-object 192.168.168.4 255.255.255.255
object-group network Fir-TS2
network-object 192.168.168.5 255.255.255.255
object-group network HHP_Terminal_Servers
group-object Fern-TS1
group-object Fir-TS2
object-group service Global_Catalog_LDAP
description (Generated by Cisco SM from Object "Global Catalog LDAP")
service-object tcp eq 3268
object-group service Global_Catalog_LDAP_SSL
description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
service-object tcp eq 3269
object-group service UDP-389
description UDP port for LDAP
service-object udp eq 389
object-group service TCP-88
description TCP Port 88
service-object tcp eq 88
object-group service TCP-445
description SMB
service-object tcp eq 445
object-group network John_-_Laptop
description John's Laptop
network-object 187.187.10.65 255.255.255.255
object-group network Graham_-_PC
description Graham Morrison's PC
network-object 187.187.10.90 255.255.255.255
object-group network john_test
network-object 187.187.40.7 255.255.255.255
object-group network Iain_PC
description Iain Macaulay IT
network-object 187.187.10.19 255.255.255.255
object-group network John_-_PC
description John MacPhail's PC
network-object 187.187.10.7 255.255.255.255
object-group network it-alahen-lap
network-object 187.187.10.230 255.255.255.255
object-group network Catriona_-_Laptop
description Catriona's Laptop
network-object 187.187.10.60 255.255.255.255
object-group network Graham_-_Laptop
network-object 187.186.10.120 255.255.255.255
object-group network it-innive-xp
description Innes MacIver's PC
network-object 187.187.10.14 255.255.255.255
object-group network it-alahen-xp
description Desktop
network-object 187.187.10.229 255.255.255.255
object-group network Cat_-_PC
description Catriona Macmillan's PC
network-object 187.187.10.4 255.255.255.255
object-group network it-davdon-xp
description Desktop
network-object 187.187.160.7 255.255.255.255
object-group network cat-laptop
description Catriona's Laptop addresses
network-object 187.187.77.81 255.255.255.255
network-object 187.187.77.82 255.255.255.255
object-group network Catriona_old_pc
network-object 187.187.10.44 255.255.255.255
object-group network cat-tablet
description Catriona's Tablet ip address's
network-object 187.187.77.78 255.255.255.254
object-group network DSO-SQLServer
description Task Database Server
network-object 187.187.1.33 255.255.255.255
object-group network it-finfernew-xp
description Findlay Ferguson PC
network-object 187.187.10.153 255.255.255.255
object-group network PC_Support
group-object John_-_Laptop
group-object Graham_-_PC
group-object john_test
group-object Iain_PC
group-object John_-_PC
group-object it-alahen-lap
group-object Catriona_-_Laptop
group-object Graham_-_Laptop
group-object it-alahen-xp
group-object Cat_-_PC
group-object it-davdon-xp
group-object cat-laptop
group-object Catriona_old_pc
group-object cat-tablet
group-object it-innive-xp
network-object 187.187.1.128 255.255.255.255
network-object 187.187.10.76 255.255.255.255
group-object DSO-SQLServer
network-object 187.187.15.234 255.255.255.255
network-object 187.187.4.60 255.255.255.255
network-object 187.187.10.134 255.255.255.255
network-object 172.18.194.22 255.255.255.255
group-object it-finfernew-xp
object-group network Entire_CNE
description Entire CNE range
network-object 187.0.0.0 255.0.0.0
object-group network NET-cnes_HHP-Sty-Staff
network-object 172.20.225.0 255.255.255.0
object-group network NET-cnes_HHP-Balivanich-staff
network-object 172.20.193.0 255.255.255.0
object-group network Alder-Intranet
network-object 192.168.168.13 255.255.255.255
object-group network Aspen-ISA
network-object 192.168.168.10 255.255.255.255
object-group service tcp-8080
description TCP Port 8080
service-object tcp eq 8080
object-group network Beech-External
network-object 217.36.32.210 255.255.255.255
object-group network it-csm
description cisco security manager
network-object 187.187.1.72 255.255.255.255
object-group network Juniper-External
description Internet Server
network-object 217.36.32.211 255.255.255.255
object-group network HHP_Server_Network
network-object 192.168.168.0 255.255.255.0
object-group network Messagelabs_Incoming_HHP
network-object 67.219.240.0 255.255.240.0
network-object 95.131.104.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 216.82.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 194.106.220.0 255.255.254.0
object-group network Angus-Maclean-PC
network-object 187.187.10.250 255.255.255.255
object-group service RDP
service-object tcp eq 3389
object-group network it-dbserver
description Database Server (Live)
network-object 187.187.1.65 255.255.255.255
object-group network it-sql-test
description Test SQL / database server
network-object 187.187.1.81 255.255.255.255
object-group service DNS-Resolving
description Domain Name Server
service-object tcp eq domain
service-object udp eq domain
object-group network Beech-Exchange
network-object 192.168.168.91 255.255.255.255
object-group network Messagelabs_-_Incoming
description List of MessageLab addresses that SMTP connections are accepted from
network-object 212.125.75.0 255.255.255.224
network-object 216.82.240.0 255.255.240.0
network-object 195.216.16.211 255.255.255.255
network-object 194.205.110.128 255.255.255.224
network-object 194.106.220.0 255.255.254.0
network-object 193.109.254.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 62.173.108.208 255.255.255.240
network-object 62.173.108.16 255.255.255.240
network-object 212.125.74.44 255.255.255.255
network-object 195.245.230.0 255.255.254.0
network-object 85.158.136.0 255.255.248.0
object-group network MIS_Support
network-object 192.168.168.250 255.255.255.254
object-group network it-donadon-xp
description Donald Macdonald's PC
network-object 187.187.10.13 255.255.255.255
object-group network Angela_PC
network-object 187.187.10.155 255.255.255.255
object-group network Katie_PC
network-object 187.187.10.151 255.255.255.255
object-group network Pauline_PC
network-object 187.187.10.12 255.255.255.255
object-group network it-paye-net
network-object 187.187.1.92 255.255.255.255
object-group network MessageLabs-Towers
description Message Labs IP Address ranges
network-object 216.82.240.0 255.255.240.0
network-object 67.219.240.0 255.255.240.0
network-object 85.158.136.0 255.255.248.0
network-object 95.131.104.0 255.255.248.0
network-object 117.120.16.0 255.255.248.0
network-object 193.109.254.0 255.255.254.0
network-object 194.106.220.0 255.255.254.0
network-object 195.245.230.0 255.255.254.0
network-object 62.231.131.0 255.255.255.0
network-object 212.125.75.16 255.255.255.240
object-group network NET_cnes-castlebay-staff
network-object 172.19.17.0 255.255.255.0
object-group network NET_cnes_tarbert_staff
description NET_cnes_tarbert_staff
network-object 172.19.33.0 255.255.255.0
object-group network Juniper
network-object 192.168.169.5 255.255.255.255
object-group network HHP_DMZ_Network
network-object 192.168.169.0 255.255.255.0
object-group network Ash
network-object 192.168.168.100 255.255.255.255
object-group service UDP-445
service-object udp eq 445
object-group service tcp-udp-135-139
service-object tcp-udp range 135 139
object-group network HHP-ELM
description HHP's ELM ActiveH server
network-object 187.187.1.203 255.255.255.255
object-group network CNES-Ext-GW
description CNES External Address
network-object 194.83.245.242 255.255.255.255
object-group service IPSEC
description IPSEC
service-object 57
service-object ah
service-object esp
service-object udp eq isakmp
object-group network Alamur-PC
network-object 187.187.10.15 255.255.255.255
object-group network Iain-Nicolson-PC
network-object 187.187.10.159 255.255.255.255
object-group network HHP_Remote_Access_Pool
network-object 192.168.168.200 255.255.255.248
network-object 192.168.168.208 255.255.255.240
network-object 192.168.168.224 255.255.255.252
network-object 192.168.168.228 255.255.255.254
object-group network Holly-AV
network-object 192.168.168.9 255.255.255.255
object-group service AVG_Ports
description For AVG server to HHP PCs
service-object tcp-udp eq 6150
service-object tcp-udp eq 6051
service-object tcp-udp eq 445
service-object tcp-udp eq 138
service-object tcp-udp eq 135
service-object tcp-udp eq 6054
service-object tcp-udp eq 4158
service-object tcp-udp eq 139
service-object tcp-udp eq 137
object-group network CNES_Access
network-object 192.168.168.230 255.255.255.254
network-object 192.168.168.232 255.255.255.248
network-object 192.168.168.240 255.255.255.248
network-object 192.168.168.248 255.255.255.254
object-group network HHP-068
description BACS PC
network-object 172.20.225.6 255.255.255.255
object-group network Banyan
network-object 192.168.168.105 255.255.255.255
object-group service TCP81
description TCP Port 81
service-object tcp eq 81
object-group network Gavin_-_new_PC
network-object 187.187.10.150 255.255.255.255
object-group network Secudoors
network-object 172.20.224.4 255.255.255.255
access-list outside_access_in remark Time sync to external ntp server
access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp
access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp
access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network
access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network
access-list outside_access_in extended permit tcp any object-group Juniper-External eq www
access-list outside_access_in extended permit tcp any object-group Juniper-External eq https
access-list outside_access_in extended deny ip any any
access-list outside_access_in_1 extended permit ip any any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain
access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any
access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW
access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https
access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any
access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any
access-list CSM_FW_ACL_inside remark For Symantec Liveupdates
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https
access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES
access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW
access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network
access-list CSM_FW_ACL_inside remark Time sync to external ntp server
access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp
access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www
access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https
access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper
access-list CSM_FW_ACL_inside extended deny ip any any
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www
access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https
access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL
access-list CSM_FW_ACL_CNES remark server's access (Task)
access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments
access-list CSM_FW_ACL_CNES remark and Tenancy Changes
access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17
access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network
access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network
access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254
access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224
access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support
access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC
access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp
access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain
access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH
access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash
access-list CSM_FW_ACL_DMZ extended deny ip any any
access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu DMZ 1500
mtu Wireless_HHP 1500
mtu CNES 1500
ip local pool CNES_Access 192.168.168.230-192.168.168.249
ip local pool MIS_Support 192.168.168.250-192.168.168.251
ip local pool OLM-VPN-Pool 192.168.168.252
ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255
nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0
static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0
static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0
static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0
static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255
static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255
static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0
access-group CSM_FW_ACL_inside in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
access-group CSM_FW_ACL_DMZ in interface DMZ
access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
access-group CSM_FW_ACL_CNES in interface CNES
route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1
route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HHP protocol ldap
aaa-server HHP (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_1 protocol ldap
aaa-server HHP_1 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa-server HHP_3 protocol ldap
aaa-server HHP_3 (inside) host 192.168.168.2
timeout 5
ldap-base-dn dc=hhp,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.168.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 194.83.245.242 255.255.255.255 outside
http 187.187.1.72 255.255.255.255 CNES
http 187.187.10.90 255.255.255.255 CNES
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.136.160.237
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn none
subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB
keypair SSL_Certificate
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn none
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 0100000000012790a5c005
30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86
4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469
6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261
6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e
697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431
34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504
06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504
07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269
6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564
312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465
616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101
05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9
3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23
af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503
fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb
3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055
6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4
77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b
3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98
8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06
03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049
06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470
3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f
6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470
3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469
6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750
baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363
6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d
13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020
06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303
304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06
01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65
742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0
300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355
de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2
6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843
ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c
6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078
9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594
ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40
c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557
b320c4c1 0015d1b7 daad7527 930b0c90 7711704f
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0400000000011e44a5f52a
30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86
4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030
305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69
64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e
302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e
2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105
00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4
ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea
22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540
f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5
462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9
93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8
36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4
80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529
e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603
551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100
301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30
4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601
05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574
2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268
7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372
6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706
0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830
16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7
0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f
9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487
c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce
d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642
beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd
32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff
fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae
e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced
90ec3292 88d9c823 6c7421
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 187.187.1.41 255.255.255.255 inside
ssh 187.187.1.72 255.255.255.255 inside
ssh 187.187.77.81 255.255.255.255 inside
ssh 187.187.10.19 255.255.255.255 inside
ssh 187.187.10.229 255.255.255.255 inside
ssh 187.187.160.7 255.255.255.255 inside
ssh 187.187.1.41 255.255.255.255 outside
ssh 187.187.1.72 255.255.255.255 outside
ssh 187.187.77.81 255.255.255.255 outside
ssh 187.187.10.19 255.255.255.255 outside
ssh 187.187.10.229 255.255.255.255 outside
ssh 187.187.160.7 255.255.255.255 outside
ssh timeout 15
console timeout 0
vpdn group BT request dialout pppoe
vpdn group BT localname B*******.btclick.com
vpdn group BT ppp authentication chap
vpdn username B*******@hg39.btclick.com password *********
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
group-policy HHP_Remote_Access_1 internal
group-policy HHP_Remote_Access_1 attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP_Remote_Access internal
group-policy HHP_Remote_Access attributes
wins-server value 192.168.168.2 192.168.168.2
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy Omfax internal
group-policy Omfax attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec webvpn
webvpn
svc ask none default webvpn
group-policy MIS_1 internal
group-policy MIS_1 attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
default-domain value hhp.com
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
group-policy CNES_Access internal
group-policy CNES_Access attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CNES_Support_splitTunnelAcl
group-policy HHP internal
group-policy HHP attributes
dhcp-network-scope none
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
split-tunnel-policy tunnelall
split-tunnel-network-list none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
webvpn
url-list value Severs
filter none
homepage none
port-forward disable
http-proxy disable
sso-server none
svc dtls none
svc keep-installer none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
svc modules none
svc profiles none
svc ask none default webvpn
customization none
http-comp none
user-storage none
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
deny-message none
group-policy MIS internal
group-policy MIS attributes
wins-server value 192.168.168.2 192.168.168.3
dns-server value 192.168.168.2 192.168.168.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MIS_splitTunnelAcl
username test password Kg/Rgy23do7gPGTv encrypted privilege 0
username test attributes
vpn-group-policy HHP_Remote_Access
username catneil password yOgiHCGobUNIkjcN encrypted privilege 0
username omfax password pvUaCLwilGmQVifd encrypted privilege 0
username backup password IHQbl.JAoESlM9Jv encrypted privilege 0
username misadmin password 8IZXmHa67HIJYHK1 encrypted
username misadmin attributes
service-type remote-access
username gramor password ne829U0rGFVEedhY encrypted privilege 15
username gramor attributes
vpn-group-policy HHP_Remote_Access
webvpn
url-list value Severs
username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0
username aim_user attributes
vpn-group-policy CNES_Support
username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0
username katask attributes
vpn-group-policy CNES_Support
username janboyd password ZEUyykwzME6hII2i encrypted privilege 0
username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0
username marste password amwTL584WdiT87Tb encrypted privilege 0
username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0
username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0
username anglea attributes
vpn-group-policy CNES_Support
username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authentication-server-group HHP_1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group HHP_1
default-group-policy HHP
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.168.2 timeout 2 retry 2
nbns-server 192.168.168.3 timeout 2 retry 2
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
authentication-server-group HHP_3
default-group-policy HHP
username-from-certificate UID
tunnel-group CNES_Access -
Change MTU for just one Site-to-Site VPN between ASAs?
       Hi -
I'm setting up a Site-to-Site Cisco VPN between ASAs. I'm being told by the remote site engineer to set the maximum MTU at 1362.
Is it possible to set the MTU for one specific site-to-site VPN on my ASA 5510 Security Plus to MTU 1362? I see my interfeces are all set at 1500.
If not, would you recommend I setup a subinterface on my inside network router and a subinterface on the ASA with an MTU of 1362 to get around this issue? Then use this subinterface for traffic from my inside network to transverse through prior to hitting the VPN.
Thank you.I would not worry too much about UDP traffics. I rather concentrate on TCP traffics because almost all of the issues will be TCP.
Therefore, I would set the MSS value to 1362 or may be like 1300:Â Â sysopt connection tcp-mss 1300
That will solve most of your issues. -
Site-to-Site VPN between ASA & PIX
Hi everyone,
If this has been posted before, which it probably has, I apologize in advance.
Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.
On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."
Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:
interface Ethernet0
nameif Outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.224
interface Ethernet1
nameif Inside
security-level 100
ip address 192.168.xxx.xxx 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxx.xxxxx.org
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto map mymap 1 match address acl_vpn
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 69.18.xxx.xxx
crypto map mymap 1 set transform-set myset
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 5000
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 10000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 69.18.xxx.xxx type ipsec-l2l
tunnel-group 69.18.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
parameters
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
: end
If you need further information, please let me know. Also any feedback would be greatly appreciated.
Thanks,
-SashaAlso,
It would seem to me that you have not configured NAT0 for the VPN traffic
This in most cases matches exactly the ACL used in the Crypto Map configurations.
I suggest that you use another ACL for this purpose though to avoid any future problems
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
nat (inside) 0 access-list NAT0
The below command seems to be useless since it doesnt have a match "global" configuration for ID 2
nat (Inside) 2 192.168.0.0 255.0.0.0
- Jouni -
Site to site VPN - cisco asa 5505
having VPN connection problem between 69.x.x.54 VPN 208.x.x.165. Please help.
This is 69.x.x.54/172.16.0.0/16 - - A site - ASDM:6.2(1) ASA: 8.2(1)
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
interface Vlan2
nameif outside
security-level 0
ip address 69.x.x.54 255.255.255.248
interface Vlan5
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.0.2
name-server 69.x.x.6
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TS-777 tcp-udp
port-object eq 777
object-group service Graphon tcp-udp
port-object eq 491
object-group service TS-778 tcp-udp
port-object eq 778
object-group service moodle tcp-udp
port-object eq 5801
object-group service moodle-5801 tcp-udp
port-object eq 5801
object-group service smtp-587 tcp-udp
port-object eq 587
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq imap4
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group smtp-587
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq telnet
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ssh
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.52 object-group moodle-5801
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq www
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq ftp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq pop3
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 eq domain
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 eq domain
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group TS-778
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group Graphon
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group TS-777
access-list outside_access_in extended permit tcp any host 69.x.x.54 eq https
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.32 255.255.255.224
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split-Tunnel standard permit 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.100.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 172.16.100.10-172.16.100.2
0 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.x.x.50 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.51 172.16.1.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.52 172.16.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
rd DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 208.x.x.162
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 208.x.x.165
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.0.20-172.16.0.40 inside
dhcpd dns 172.16.0.2 69.x.x.6 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.
2014-k9.pk
g 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy sales internal
group-policy sales attributes
dns-server value 172.16.1.2 172.16.0.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
webvpn
svc mtu 1406
username graciela password CdnZ0hm9o72q6Ddj encrypted
tunnel-group 208.x.x.165 type ipsec-l2l
tunnel-group 208.x.x.165 ipsec-attributes
pre-shared-key *
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool vpn_users
default-group-policy sales
dhcp-server 172.16.0.1
tunnel-group TunnelGroup1 webvpn-attributes
group-alias Remote_Access enable
group-alias sales_department disable
tunnel-group 208.x.x.162 type ipsec-l2l
tunnel-group 208.x.x.162 ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect icmp
service-policy global-policy global
prompt hostname context
: end
asdm location 192.168.50.0 255.255.255.0 inside
no asdm history enable
This is 208.x.x.165/192.168.50.0/2
4- - B site - ASDM:6.4(7) ASA: 8.4(3)
ASA Version 8.4(3)
hostname ciscoasa
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.51 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 208.x.x.165 255.255.255.248
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.50.0_2
4
subnet 192.168.50.0 255.255.255.0
object network email
host 172.16.0.0
description 255.255.0.0
access-list 1 standard permit 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.50.0
_24 object email
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_2
4 NETWORK_OBJ_192.1
68.50.0_24 destination static email email no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 208.x.x.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
rd DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
http 192.168.50.51 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 69.x.x.54
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.50.60-192.168.50.1
50 inside
dhcpd dns 208.x.x.10 208.x.x.11 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_69.x.x.54 internal
group-policy GroupPolicy_69.x.x.54 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 69.x.x.54 type ipsec-l2l
tunnel-group 69.x.x.54 general-attributes
default-group-policy GroupPolicy_69.x.x.54
tunnel-group 69.x.x.54 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymousOn ASA running 8.4.3. B side. I believe object "email" is defined incorrectly.
Existing configuration
object network email
host 172.16.0.0
description 255.255.0.0
Correct configuration
object network email
subnet 172.16.0.0 255.255.0.0 -
Site to site vpn between RV215W and ASA5510
Hello,
We're trying to establish a site to site vpn between a RV215W (firmware version 1.0.0.16) and an ASA5510 (ASA 8.2(3)). The ASA currently has 5 other IPSec VPN tunnels running. It sure does look like I've dotted all my "i's" and crossed all my "t's" with respect to both sides of the tunnel. What I'm seeing from the 5510 is that there is some sort of communication between the two devices but there is no IPSec tunnel established and no traffic is getting beyond either device. It shows the RV215W connected but 0 bytes Tx and 0 bytes Rx.
From the RV215W side of things it shows an IPSec SA not established. The protocol is IKE and the encryption used is 3des. Both sides have the same preshare key and are using the same settings. From each device I can ping the public IP address of the other, but I get no further. I believe I have ACL's set up to allow traffic from both internal networks. (although I may not - I'm hardly a Cisco guru, just fumbling my way through this...)
Any guidance/direction would be greatly appreciated.
Thank you in advance!Hello,
I have found an article that may provide some assistance with your VPN. It has information on more advanced settings on VPNs for the RV215W. I hope that it may be of some use to you.
Advanced VPN Setup on RV215W
Hope it helps,
Andrew Mayfield -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest to do a 'clear xlate'? Â Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
Asa 5505 site to site VPN between A to B site, then B site MPLS to internal network
Dear all
I am setting up site to site VPN between two site A to B site. Two local site of A and B are connected fine. however for my site B have another internal MPLS to other site. The connection fine from LAN A all the way to LAN B MPLS router, but it cannot be connect to other MPLS site. If I did the MPLS traceroute from other site. It can be reached of LAN B internal router. Therefore, I am confusing which part of my configuration go wrong and any document for my reference. Thank you very much.
Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxxDear Harish
for LAN B MPLS. All 11.20.0.0/16 will route to LAN B internal router 10.14.128.252
If traceroute from other 11.0.0.0 site to 11.20.128.250, it can reach until LAN B ASA 11.14.127.223
11.20.128.250Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 11.14.128.223Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 11.14.128.252Â Â Â Â Â Â Â Â Â Â 11.14.128.253Â Â Â Â Â Â Â Â Â Â Â Â Â 11.0.0.0
Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx
if traceroute from 10.20.0.0, it can reach until LAN B MPLS router 11.14.128.253
For config file post. Can I have your email address to direct send to you. Thank you very much. -
Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: endThanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
     Desc: (none)
     Phase1_id: (none)
 IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
       Active SAs: 0, origin: crypto map
       Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
       Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst            src            state         conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone
Hi,
I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
The scanario:
Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
Any help or advice is much appreciated.
Thanks.Hello Bernard,
What you are looking for is a Remote Ipsec VPN mode not a L2L.
Here is the link you should use to make this happen:)
https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
Regards,
Julio -
Routable VPN Between ASA and Windows RRAS
Hi all,
I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V. The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual). I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firwall to create an IPSec tunnel. So far, I've not been able to get the tunnel to come up.
Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
Thanks,
JasonNone yet, I've been stuck on this for a while now. My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad ipsec policy, so I've backed off a bit on trying things.
-
S-S VPN between ASA and ASR1001
Hello
we have 2 ASR routers at HQ connected to ISP and there are new remote sites that needs to be connected to HQ via site to site VPN. Each remote branch will have ASA, The outside IPs of both ASRs are in same subnet.Â
1. Is it possible to acheive redudancy in HQ side in this design ?Â
2. Can i create L2L tunnels to both ASRs ? If yes how can i make 1 tunnel active and other secondary ?
                                                           |ASR1
 Users--------L3SW--------ASA---------------ISP----------CPE---------------|
                                                           |ASR2
Any suggestions are welcome
ThanksThere are two ways:
Stateful Failover for IPsec
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
http://packetlife.net/blog/2009/aug/17/fun-ipsec-stateful-failover/
VPN-config with two peers an the ASA.
Here you have two individual gateways on the HQ and the ASA has two tunnel-groups fr both gateways but only one sequence in the crypto-map. The peer-statement has both HQ-IPs configured. -
Issue bringing up VPN between ASA and Checkpoint - HELP
Hi all
We are having major issues bringing up a vpn between our ASA and third party checkpoint, it seems if the checkpoint initiates the connection it works, but if we initiate it from the ASA it doesnt come up.
on the ASA I see the following
any ideas what this is ?
7
Jan 30 2014
11:52:03
715065
IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRYPhase 2 failures means several things:
Encryption domain (interesting traffics) fail to match. Checkpoint tends to supper net network together, by design,
Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
Why don't you put in relevance configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
- output of "uname -a" and "fw ver"
- is this Nokia, Windows or Secureplatform Checkpoint?
- run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong.Â
Disable/turn OFF kilobytes timeouts is not the solution. -
Problem with Remote Access VPN on ASA 5505
I am currently having an issue configuring an ASA 5505 to connect via remote access VPN using the Cisco VPN Client 5.0.07.0440 running on Windows 8 Pro x64. The VPN client prompts for the username and password during the connect process, but fails soon after.
The VPN client logs are as follows:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2 15:09:21.240 12/11/12 Sev=Info/4 CM/0x63100002
Begin connection process
3 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100004
Establish secure connection
4 15:09:21.287 12/11/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "**.**.***.***"
5 15:09:21.287 12/11/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with **.**.***.***.
6 15:09:21.287 12/11/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 15:09:21.303 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to **.**.***.***
8 15:09:21.365 12/11/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
9 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
10 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from **.**.***.***
11 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
13 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
14 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
15 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
16 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to **.**.***.***
18 15:09:21.334 12/11/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 15:09:21.334 12/11/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20 15:09:21.334 12/11/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 15:09:21.334 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 15:09:21.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
23 15:09:21.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
24 15:09:21.365 12/11/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 15:09:21.474 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 15:09:27.319 12/11/12 Sev=Info/4 CM/0x63100017
xAuth application returned
28 15:09:27.319 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
29 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
30 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
31 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
32 15:09:27.365 12/11/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33 15:09:27.365 12/11/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
34 15:09:27.365 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to **.**.***.***
35 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
36 15:09:27.397 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from **.**.***.***
37 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Fri 20-May-11 16:00
45 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46 15:09:27.397 12/11/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47 15:09:27.397 12/11/12 Sev=Info/4 CM/0x63100019
Mode Config data received
48 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = **.**.***.***, Remote IP = 0.0.0.0
49 15:09:27.412 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to **.**.***.***
50 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
51 15:09:27.444 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from **.**.***.***
52 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53 15:09:27.444 12/11/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
55 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from **.**.***.***
56 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to **.**.***.***
57 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59 15:09:27.459 12/11/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = **.**.***.***
60 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61 15:09:27.459 12/11/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from **.**.***.***
62 15:09:27.490 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64 15:09:30.475 12/11/12 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65 15:09:30.475 12/11/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
66 15:09:30.475 12/11/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
67 15:09:30.475 12/11/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
68 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
69 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
70 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
71 15:09:30.475 12/11/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
The running configuration is as follows (there is a site-to-site VPN set up as well to another ASA 5505, but that is working flawlessly):
: Saved
ASA Version 8.2(5)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.*** 255.255.255.248
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http **.**.***.*** 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
pre-shared-key *****
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
address-pool VPN_Pool
default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Anyone have any idea why this is happening?
Thanks!Thanks again for your reply, and sorry about the late response, havent gotten back to this issue until just now. I applied the above command as you specified, and unfortunately, it did not resolve the problem. Below are the logs from the VPN Client for the connection + attempted browsing of a network share that is behind the ASA, and the new running configuration.
VPN Client Log:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
331 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100002
Begin connection process
332 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100004
Establish secure connection
333 13:11:41.362 12/17/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "69.61.228.178"
334 13:11:41.362 12/17/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.61.228.178.
335 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
336 13:11:41.424 12/17/12 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
337 13:11:41.362 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 69.61.228.178
338 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
339 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 69.61.228.178
340 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
341 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
342 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
343 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
344 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
345 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
346 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 69.61.228.178
347 13:11:41.393 12/17/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
348 13:11:41.393 12/17/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD271, Remote Port = 0x1194
349 13:11:41.393 12/17/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
350 13:11:41.393 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
351 13:11:41.424 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
352 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
353 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
354 13:11:41.424 12/17/12 Sev=Info/4 CM/0x63100017
xAuth application returned
355 13:11:41.424 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
356 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
357 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
358 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
359 13:11:41.456 12/17/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
360 13:11:41.456 12/17/12 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
361 13:11:41.456 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.61.228.178
362 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
363 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.61.228.178
364 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
365 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
366 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
367 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
368 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
369 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
370 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.2.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
371 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO.local
372 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
373 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.4(1) built by builders on Mon 31-Jan-11 02:11
374 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
375 13:11:41.502 12/17/12 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
376 13:11:41.502 12/17/12 Sev=Info/4 CM/0x63100019
Mode Config data received
377 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = 69.61.228.178, Remote IP = 0.0.0.0
378 13:11:41.502 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.61.228.178
379 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
380 13:11:41.534 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
381 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
382 13:11:41.534 12/17/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
383 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
384 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 69.61.228.178
385 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
386 13:11:41.549 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 69.61.228.178
387 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=C4F5B5A6 OUTBOUND SPI = 0xD2DBADEA INBOUND SPI = 0x14762837)
388 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD2DBADEA
389 13:11:41.549 12/17/12 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x14762837
390 13:11:41.549 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
391 13:11:41.877 12/17/12 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
392 13:11:43.455 12/17/12 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.2.70/255.255.255.0
DNS=192.168.2.1,8.8.8.8
WINS=0.0.0.0,0.0.0.0
Domain=NCHCO.local
Split DNS Names=
393 13:11:43.455 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 266
394 13:11:47.517 12/17/12 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
395 13:11:47.517 12/17/12 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.162 10
69.61.228.178 255.255.255.255 192.168.1.1 192.168.1.162 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.162 192.168.1.162 266
192.168.1.2 255.255.255.255 192.168.1.162 192.168.1.162 100
192.168.1.162 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.1.255 255.255.255.255 192.168.1.162 192.168.1.162 266
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 266
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 266
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 266
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 192.168.1.162 192.168.1.162 266
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 266
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 192.168.1.162 192.168.1.162 266
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 266
396 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
397 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310001A
One secure connection established
398 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.1.162. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
399 13:11:47.517 12/17/12 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.2.70. Current hostname: MATT-PC, Current address(es): 192.168.2.70, 192.168.1.162.
400 13:11:47.517 12/17/12 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
401 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
402 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
403 13:11:47.517 12/17/12 Sev=Info/6 IPSEC/0x6370002C
Sent 109 packets, 0 were fragmented.
404 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
405 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
406 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xeaaddbd2 into key list
407 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
408 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x37287614 into key list
409 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.2.70
410 13:11:47.517 12/17/12 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.1.162. SG: 69.61.228.178
411 13:11:47.517 12/17/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
412 13:11:52.688 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
413 13:11:52.688 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476009
414 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
415 13:11:52.704 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
416 13:11:52.704 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476009, seq# expected = 2722476009
417 13:12:03.187 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
418 13:12:03.187 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476010
419 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
420 13:12:03.202 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
421 13:12:03.202 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476010, seq# expected = 2722476010
422 13:12:14.185 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
423 13:12:14.185 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476011
424 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
425 13:12:14.201 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
426 13:12:14.201 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476011, seq# expected = 2722476011
427 13:12:24.762 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 69.61.228.178
428 13:12:24.762 12/17/12 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 69.61.228.178, our seq# = 2722476012
429 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.61.228.178
430 13:12:24.778 12/17/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 69.61.228.178
431 13:12:24.778 12/17/12 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 69.61.228.178, seq# received = 2722476012, seq# expected = 2722476012
New running configuration:
: Saved
ASA Version 8.4(1)
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City Offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 69.61.228.178 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa841-k8.bin
ftp mode passive
object network NCHCO
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.64
subnet 192.168.2.64 255.255.255.224
object network obj-0.0.0.0
subnet 0.0.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip object NCHCO 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip 0.0.0.0 255.255.255.0 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip object NCHCO 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit 192.168.2.0 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
access-list NCHCO_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NCHCO NCHCO destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static any any destination static obj-192.168.2.64 obj-192.168.2.64
nat (inside,any) source static obj-0.0.0.0 obj-0.0.0.0 destination static obj-192.168.2.64 obj-192.168.2.64
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
network-acl outside_nat0_outbound
webvpn
svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http 69.61.228.178 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set l2tp-transform mode transport
crypto ipsec ikev1 transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set ikev1 transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 35
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value nchco.local
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
ipsec-udp enable
intercept-dhcp 255.255.255.0 enable
address-pools value VPN_Pool
group-policy NCHCO internal
group-policy NCHCO attributes
dns-server value 192.168.2.1 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NCHCO_splitTunnelAcl_1
default-domain value NCHCO.local
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password dhn.JzttvRmMbHsP encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPN_Pool
address-pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
default-group-policy DefaultRAGroup
strip-realm
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NCHCO type remote-access
tunnel-group NCHCO general-attributes
address-pool VPN_Pool
default-group-policy NCHCO
tunnel-group NCHCO ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b6ce58676b6aaeba48caacbeefea53a5
: end
asdm image disk0:/asdm-649.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
I'm at a loss myself as to why this isn't working, and i'm sure that you are running out of solutions yourself. Any other ideas? I really need to get this working.
Thanks so much!
Matthew
Maybe you are looking for
-
Win 8.1 Adobe Air installation problem
Purchased a program that runs on Adobe Air. Downloaded Air and have attempted to install. Keeps giving an error and says I need to see my admin. I am the admin and am installing with admin credentials. Anyone have a work around on this or even an ide
-
Have Linksys wireless router, Ipad cant find the network. Had been working for months, with a few irratic outings, now cant find it at all. tried rebooting ipad and reseting router, still same. have other wirless devices that can connect, x box 360,
-
Ipod wont turn on or connect to computer after reset while restoreing
so i was restoreing my ipod and i realized there was some pics i wanted so i disconnected the ipod and then reset doing the thing where u hold select and menu and now it wont turn on or connect to the computer please help me out
-
Hi All, I have a web application built using ASP.Net and communicates with a Web services which uses oracle rdb odbc driver to connect to RDB server, but after a while I started getting this error when executing simple statements like insert or updat
-
Music.air is not opening in other systems
I have done my MusicPlayer using AS3 in FlashCS3 environment with Adobe AIR. It is everything (creating air application, installing the .air application in my system, etc.,) okay with my system. But the problem is If I copy the total folder in anothe