1800 to ASA VPN problem, fail to Phase 2

Hello

I have a Cisco 1800 series router running IOS 12.4(6)T11 and an ASA 5505 running 8.2 that I am trying to connect with a LAN-to-LAN tunnel.

1800:

WAN a.b.c.141

LAN 192.168.0.0/24

ASA5505:

WAN x.y.z.125

LAN 10.180.3.0/24

The 1800 also has PPTP clients on the 172.16.99.0/24 network.

Problem:

When I try to establish a connection from a host on one LAN to the other, I can see that phase 1 works. In phase 2, some interesting debug messages are observed:

002611: *Apr 11 19:15:24.142 UTC: map_db_find_best did not find matching map
002612: *Apr 11 19:15:24.142 UTC: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
002613: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): IPSec policy invalidated proposal with error 32
002614: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): phase 2 SA policy not acceptable! (local a.b.c.141 remote x.y.z.125)
002615: *Apr 11 19:15:24.142 UTC: ISAKMP: set new node -1883245570 to QM_IDLE
002616: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215023312, message ID = -1883245570
002617: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): sending packet to x.y.z.125 my_port 500 peer_port 500 (R) QM_IDLE
002618: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):purging node -1883245570
002619: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):deleting node -9204283 error TRUE reason "QM rejected"
002620: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

While negotiating, 'show crypto isakmp sa' first shows 'ACTIVE', but after a minute or two it changes to 'ACTIVE (deleted)'.

From what I see, the Cisco 1800 seems to tear the tunnel down because it objects to some of the phase 2 options.

# 1800

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
a.b.c.141       x.y.z.125       QM_IDLE           2029    0 ACTIVE

# on 5505
2   IKE Peer: a.b.c.141
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

# After a minute or so on the 1800 (no difference in the 5505's output)

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
a.b.c.141       x.y.z.125       QM_IDLE           2030    0 ACTIVE
a.b.c.141       x.y.z.125       MM_NO_STATE       2029    0 ACTIVE (deleted)

I think it might be because of NATing on each side. I'm a little unsure about the NAT in the 1800 config: does it try to NAT 192.168.0.0/24 as it passes over the tunnel?

Hello

I don't see a NAT exemption configured on the router.

Please try the following:

ip nat inside source route-map NATMAP interface <outside-interface> overload

I hope this helps.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful posts.
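The "proxy identities not supported" message in the debug above is what IOS prints when the phase 2 identities offered by the peer do not match a local crypto map, which is exactly what happens when the LAN traffic has already been translated by NAT before the crypto map sees it. The following is an added example (not configuration from the thread or from Cisco) of the route-map NAT exemption the answer refers to; it assumes the 1800's WAN interface is FastEthernet0 and uses the subnets stated in the question.

```cisco
! Added example, not from the original post.
! Assumptions: WAN interface is FastEthernet0; the crypto ACL carries
! 192.168.0.0/24 <-> 10.180.3.0/24 (and optionally the PPTP client
! network 172.16.99.0/24 <-> 10.180.3.0/24).
!
! 1. Extended ACL: deny = "do not translate" (tunnel traffic), permit = translate.
ip access-list extended NAT-EXEMPT
 remark Keep LAN-to-LAN traffic untranslated so it matches the crypto map
 deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 remark Only needed if PPTP clients are also in the crypto ACL
 deny   ip 172.16.99.0 0.0.0.255 10.180.3.0 0.0.0.255
 remark Everything else from the LAN is PATed to the WAN address
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 172.16.99.0 0.0.0.255 any
!
! 2. Route-map that references the ACL; a "deny" ACL entry means
!    the packet falls out of the route-map and is not NATed.
route-map NATMAP permit 10
 match ip address NAT-EXEMPT
!
! 3. Overload (PAT) on the WAN interface via the route-map.
!    Remove any existing "ip nat inside source list ..." statement
!    that overlaps, otherwise the older list-based rule may still win.
ip nat inside source route-map NATMAP interface FastEthernet0 overload
!
! 4. Verification after bringing the tunnel up again:
!    show ip nat translations      -> no entries for 192.168.0.x -> 10.180.3.x
!    show crypto ipsec sa          -> #pkts encaps/decaps increasing
!    debug crypto ipsec            -> no "proxy identities not supported"
```

The same checks apply to the ASA side: its nat 0 access-list (8.2) must also exempt 10.180.3.0/24 to 192.168.0.0/24, otherwise the 5505 will hit the mirror-image mismatch.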

Tags: Cisco Security

Similar Questions

  • 8.3 Cisco ASA VPN problem

    Hi all

    I have some problems implementing a site-to-site VPN using IPsec.

    What I'm trying to set up is the following: the IP ranges at site A should be able to reach the ranges at site B and vice versa.

    Site A                              Site B

    192.168.10.0                        172.16.0.0
    192.168.20.0  --- IPsec tunnel ---  172.17.0.0
    192.168.30.0                        172.18.0.0

    I tested with one subnet to another subnet and that works. However, when I try to group the objects it fails.

    As an example, I can set up a VPN from 192.168.20.0 to 172.18.0.0 and pass traffic through it, but it is unable to reach the other subnets.

    Excerpts from the config:

    crypto isakmp enable outside

    ACL

    access-list outside_1_cryptomap extended permit ip object dmz-LAN object dmz-network-remote

    Tunnel group

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
     pre-shared-key
     isakmp keepalive threshold 10 retry 2

    Phase 1

    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encryption 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400

    Phase 2

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside

    NAT

    nat (inside,outside) 1 source static local-network-dmz dmz-LAN destination static remote-network-dmz dmz-network-remote

    Any advice would be greatly appreciated.

    Thank you.

    Andrew,

    According to your config, each network is behind a different interface of the ASA, so you will need to change the NAT rule for each of them, for example:

    nat (DMZ_Zone,outside) 1 source static ad-network-local ad-network-local destination static obj-remote-control obj-remote-control
    nat (DB_Zone,outside) 1 source static db-network-local db-network-local destination static obj-remote-control obj-remote-control
    nat (AD_Zone,outside) 1 source static local-network-dmz dmz-LAN destination static obj-remote-distance obj-remote-distance

    Please review and give it a try.

    I hope to hear from you soon.

  • ASA VPN with Fortgate

    Hello people!

    I still have the problem with VPN... Laughing out loud

    I have to create a new site-to-site VPN between an ASA 5510 (8.42 IOS) and a Fortigate, but something is very strange: the VPN does not come up, and in debug crypto ikev1 10 I see the following log:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    But if I ask the other peer to change to Group 2, the message on the ASA is:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

    On the Fortigate it is possible to enable both DH groups 1 and 2 for the VPN; I asked the other peer to leave it that way and the ASA shows:

    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
    [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

    The show isakmp sa:

    9   IKE Peer: 179.124.32.181
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3

    I have deleted and created the VPN 3 times and the same error occurs.

    Has anyone seen this kind of problem?

    Is it using Fortigate version 5 by chance?

    I have seen Cisco ASA VPN problems repeatedly with this Fortigate code, but mostly it has been a Phase 2 problem, and setting the KB lifetime to the maximum on the ASA side solved it... However, this seems not to be your problem here.

    The first thing I see in your config is that you have PFS enabled - have you ensured it is enabled on the Fortinet side, or tried turning it off on the Cisco side to see what happens?

    Being stuck at MM_WAIT_MSG3 means that you sent your policy back, but then did not receive the third packet of the ISAKMP exchange, so either the Fortigate is unhappy with something or there's a routing problem (unlikely, however, given that you have already had communication).

    Try on the ASA side:

    debug crypto isakmp 7
    Can you also confirm your external interface is 'outside1'? You can see this with 'show ip'.
  • Site to Site VPN 1800 to ASA (8.4) the two peers DHCP

    Hi all

    I'm putting up a site-to-site VPN between an 1841 router and an ASA5510 running 8.4. Both ends get their outside interface IP addresses via DHCP and are connected to ADSL lines.

    I set up the 1841 to an ASA with a fixed IP address, using aggressive mode, and that works fine, but when I try to reproduce the config on the ASA with the DHCP-negotiated IP address, it is as if there is no interesting traffic for the crypto domain and it fails at Phase 1.

    I re-used the same crypto maps, dynamic maps, transform sets, ACL format and static NAT exemption as the working fixed-address ASA, but I can't seem to get the tunnel to come up on either side.

    From the ASA end, in the debugging I see

    (crypto_map_check)-1: error: no crypto map mapped.

    From the 1841 end, I see

    Aug 6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH...

    Aug 6 15:57:39.268: ISAKMP (0:134217832): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

    Aug 6 15:57:39.268: ISAKMP:(0:104:SW:1): retransmitting phase 1 AG_INIT_EXCH

    Aug 6 15:57:39.268: ISAKMP:(0:104:SW:1): sending packet to x.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

    Is it even possible to set up both ends with negotiated addresses? I've seen a few posts that seem to suggest not.

    Please see attached for configurations,

    Thank you very much

    Stuart

    No, you guessed correctly.

    You cannot have a VPN tunnel set up with both ends on dynamic IPs, because if neither end knows the other's IP address, it will not be able to establish the VPN tunnel.

    You can have 1 dynamic side, and the other end on a static IP address.

  • ASA VPN on physical IP address only?

    Hello

    Is it possible to set up a dedicated virtual IP address for the VPN endpoint on ASA version 8.3 and later?

    I don't want to use the physical IP address on my external interface.

    Thank you

    No problem. Please kindly mark this post as answered so that others may learn from it. Thank you.

  • ASA VPN - allow user based on LDAP Group

    Hello friends

    I have to create a configuration to allow connections based on LDAP group.

    I'm not specialized in firewalls and I tried to follow the links below, but both seem old; several commands are not available.

    http://www.tunnelsup.com/Cisco-ASA-VPN-authorize-user-based-on-LDAP-group

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Does anyone know how I can do this?

    Thank you

    Marcio

    I like to use DAP (dynamic access policies) to control this. Follow this guide:

    https://supportforums.Cisco.com/document/7691/ASA-8X-dynamic-access-policies-DAP-deployment-guide

  • Assign the static IP address by ISE, ASA VPN clients

    We are going to integrate the remote access ASA VPN service with a new ISE 1.2.

    Authentication is performed in Active Directory. After authentication, can ISE assign a specific IP address to a specific VPN user?

    This means the same VPN user will always get the same IP address. Thank you.

    Daniel,

    You can override the IETF-RADIUS-Framed-IP-Address in the authorization policy.

    However if I may make a suggestion:

    Unless you only have a handful of users to do this for, it may be more appropriate to assign the address from an ISE pool or perform the LDAP attribute mapping on the ASA itself.

    In the latter case, the IP addresses are kept on the server as LDAP attributes and the ASA will map the IP address. You don't want to keep the IP address DB in several places.

    M.

  • Device behind a Firewall other, ASA VPN

    I have a client who wants to put their VPN ASA behind the main ASA that is connected to the Internet. Both devices have an inside leg to the internal network, but the VPN ASA connects directly to the Internet ASA.

    Topology:

    Outside FW: Internet > ASA/FW > DMZ leg to ASA/VPN

    ASA VPN: outside L3 interface linked to the DMZ interface of the ASA/FW

    On the outside FW I would NAT the external address of the VPN ASA's outside interface to an available public IP address, and I have a rule that allows all IP from outside to the VPN's outside private IP. Inside = 192.168.254.1, outside = public IP address.

    Configured on the VPN ASA: standard ASA SSL remote access.

    When I hit the NATed public IP address, nothing happens. I've run packet-tracer on the outside FW, and everything seems good.

    Does anyone have a sample plan/config for a similar topology?     Internet > ASA/FW > dmz-leg > ASA/VPN

    Thanks in advance,
    Bob

    Can you share your NAT and routing configuration for these two ASAs?

  • ASDM conc (ASA) VPN access

    I have a setup like this:

    an ASA, which is the FW, does static NAT from a public to a private IP address, and the private IP address is the VPN concentrator (another ASA). I access these devices via the VPN client and get an IP address from the VPN pool set on the VPN concentrator. The VPN concentrator is in a DMZ VLAN, but it also has a connection to the local network segment. For management purposes, I connect to this VPN concentrator through SSH via a switch in the local network segment. To use HTTP access, I have to be on one of the servers in the local network segment. So, once I have set up the VPN connection to the VPN concentrator, what can I do to access HTTP directly from my PC?

    Set this up on the VPN concentrator:

    management-access inside

    After that you should be able to use ASDM over the VPN tunnel, by connecting to its inside ip address.

    hth
    Herbert
    (note, I assume the name of the interface connected to the LAN is named "inside", if not adapt at will )

  • ASA VPN positive = SSL VPN?

    Hello

    I have a pair in FO; I need to replace an ASA5520 which has a VPN Plus 750 license.

    Can I use an ASA5520 with ASA5500-SSL-750 instead?

    Regards Tony

    Yes, it is still available to order. Part number: ASA5520-VPN-PL=

    In addition, this ASA VPN Plus would be much, much cheaper than the SSL VPN license.

    Thank you

    Kiran

  • New ASA/VPN configuration

    So, I am looking to add one of my spare 5510 firewalls to my secondary network as a VPN concentrator.

    All I want this new ASA to do is handle my site's AnyConnect VPN connections.  I'm pretty new to ASAs, so any help would be great.  I know how to create a new remote access VPN on my ASA and I added a NAT for my inside and outside traffic to my new VPN IP pool.

    My question is, since it's only for the VPN and I want all my current internal traffic to continue routing through the existing ASA 5510, do I have to enter ACLs on my new VPN-only ASA?  Are ACLs used for VPN traffic, and do I need them to route traffic via the VPN?

    I'll be connecting the inside interface to one of my main Cisco switches, and the outside interface of the new VPN-only ASA connects to my DMZ switch.

    Thank you

    I'm not sure I follow how you connect the external interface of the VPN-only ASA. Normally, in this type of installation, we would see the VPN ASA "in parallel" with the perimeter firewall.

    You mentioned the DMZ switch, which threw me a little. If you are coming in through your main firewall and going to the VPN-only ASA via the DMZ, then yes, you will need to allow several ports (protocol 50, udp/500, tcp/443 among others) and may have to do some other things (NAT-T, etc.) depending on the type of remote access you are implementing. That's why we rarely see this configuration used - it adds a good dose of complexity without significant benefit.

    When the usual setup is used, you need the internal switch to know to route traffic to the VPN pool through the VPN-only ASA's inside interface. A static route is most often used, although you can use OSPF or EIGRP if you want to.

    There should generally not be any access list on the inbound interface that VPN traffic runs into. Traffic back to the remote clients comes in through inside and goes out through outside (and is usually part of an established connection), so no access list is necessary on inside.

  • ASA Vpn load balancing and failover

    Hi all.

    We have two ASA5520s configured as primary and standby units in a failover configuration, and everything works fine.

    Is it possible with this configuration (failover) to configure VPN load balancing/clustering?

    Thank you

    Daniele

    Hi Daniele,

    You cannot run both the VPN load balancing feature and the failover feature on the same two ASA firewalls.

    Where you need to use both features, you must use at least three ASA firewalls: the first two ASAs will work as a failover pair and the third ASA will work as a VPN cluster with them. The following example uses four firewalls:

    ASA1 (FO active) - ASA2 (FO standby)
    (VPN virtual master)
            |
            |
    (backup VPN device)
    ASA3 (FO active) - ASA4 (FO standby)

    Kind regards

    Wajih

  • ASA VPN (NAT problem)?

    Hi people, I was hoping someone on these forums might be able to help. I have a problem with a config for our ASA5510 running 8.2(1).

    I set up a VPN tunnel to an off-site Vyatta firewall. The tunnel is up.

    ABN-FW3-CISCO-ASA5510# show crypto ipsec sa
    interface: outside
        Crypto map tag: VPN_Zettagrid_Map, seq num: 10, local addr: 116.212.X.X

          access-list VPN_cryptomap permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.9.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
          current_peer: 119.252.X.X

          #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
          #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 116.212.X.X, remote crypto endpt.: 119.252.X.X

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 670F3BF5

    Now I can pass traffic from the Vyatta (119.252.X.X) to our internal networks (192.9.0.0/16) (yes, I know this is a wide range, but it's the environment I inherited; I'm running a project to move to private network addresses, but it's not quite finished yet).

    The problem seems to be traffic from the ASA to the internal network behind the Vyatta - 192.168.11.0/24.

    When I check my syslog I get the following error (this example was an mstsc connection attempt):
    : Inbound TCP connection denied from 192.9.216.190/60660 to 192.168.11.101/3389 flags SYN on interface inside

    Now I'm guessing this SYN message means that the ASA is trying to NAT my outgoing packets... which is strange because I have a NAT exempt rule configured. But when I do a show nat this is the result:

    ABN-FW3-CISCO-ASA5510# show nat inside
      match ip inside 192.9.0.0 255.255.0.0 outside 192.168.11.0 255.255.255.0
        NAT exempt
        translate_hits = 0, untranslate_hits = 37 (this value does not change)

    Here is my config for NAT

    access-list Inside_nat0_outbound extended permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.10.201.0 255.255.255.0 192.168.11.0 255.255.255.0

    (I have a separate ACL for interesting traffic)

    access-list VPN_cryptomap extended permit ip 192.9.0.0 255.255.0.0 192.168.11.0 255.255.255.0

    access-list VPN_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.11.0 255.255.255.0

    access-list VPN_cryptomap extended permit ip 192.10.201.0 255.255.255.0 192.168.11.0 255.255.255.0

    global (outside) 1 interface
    nat (inside) 0 access-list Inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 172.30.3.0 255.255.255.0
    nat (management) 1 192.10.201.0 255.255.255.0
    nat (dmz2) 1 172.30.2.0 255.255.255.0
    static (inside,dmz) 192.9.0.0 192.9.0.0 netmask 255.255.0.0

    I'm guessing that one of these rules is in conflict? Does nat (inside) 0 access-list Inside_nat0_outbound take precedence over nat (inside) 1 0.0.0.0 0.0.0.0?

    I can post more config if necessary; any help at this point would be much appreciated.

    Hmm, looks like the traffic you are sending from 192.9.0.0 to 192.168.11.0 is being blocked by the ACL on the inside interface.

    Please paste the ACL config, or check whether it blocks this traffic.

    Thank you

    Ajay

  • Problem Cisco ASA VPN/ACL

    All,

    The situation is that I'm trying to initiate a connection from outside an ASA firewall to a destination IP address that is on the remote end of a VPN tunnel terminated on the same ASA's external interface. So logically the traffic flow is outside to outside.

    The ASA is denying the traffic; the conversation shows the source as outside and the destination as outside.

    Is there something smart I can do on the ASA to solve this problem?

    Thank you

    D

    Hello

    Use the following command on the ASA:

    same-security-traffic permit intra-interface

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • Site to Site VPN problem ASA 5505

    Hello

    I have a strange problem with a site-to-site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and to access the remote network across the tunnel.

    For some reason, I can access the remote network from only two of the three internal networks that I've specified.

    Here is a copy of my config - if anyone has any info I would of course be happy.

    Thank you

    Kevin

    hostname FK-US-Raleigh-ASA
    domain-name appdrugs.com
    enable password 08PI8zPL2UE41XdH encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.237.0 Maridian-primary-Net
    name 192.168.237.128 Meridian-backup-Net
    name 10.239.192.141 AccessSwitch1IDFB
    name 10.239.192.143 AccessSwitch1IDFC
    name 10.239.192.140 AccessSwitch1MDFA
    name 10.239.192.142 AccessSwitch2IDFB
    name 10.195.64.206 CiscoCallManager
    name 10.239.192.2 CoreSwitch1
    name 10.239.192.3 CoreSwitch2
    name 10.195.64.17 UnityVM
    name 140.239.116.162 Outside_Interface
    name 65.118.69.251 Meridian-primary-VPN
    name 65.123.23.194 Meridian_Backup_VPN
    dns-guard
    !
    interface Ethernet0/0
     shutdown
     no nameif
     security-level 100
     no ip address
    !
    interface Ethernet0/1
     nameif outside
     security-level 60
     ip address Outside_Interface 255.255.255.224
    !
    interface Ethernet0/2
     nameif Inside1
     security-level 100
     ip address 10.239.192.7 255.255.255.128
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 50
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa804-k8.bin
    boot system disk0:/asa804.bin
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup Inside1
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 10.239.192.10
     domain-name appdrugs.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
     network-object 10.195.64.0 255.255.255.0
     network-object 10.239.192.0 255.255.255.0
     network-object 10.239.192.128 255.255.255.128
    object-group service DM_INLINE_SERVICE_1
     service-object ip
     service-object icmp
     service-object icmp echo
     service-object icmp echo-reply
    object-group network DM_INLINE_NETWORK_2
     network-object 10.195.64.0 255.255.255.0
     network-object 10.239.192.0 255.255.255.128
     network-object 10.239.192.128 255.255.255.128
    object-group network DM_INLINE_NETWORK_3
     network-object 10.195.64.0 255.255.255.192
     network-object 10.239.192.0 255.255.255.128
     network-object 10.239.192.128 255.255.255.128
    object-group network DM_INLINE_NETWORK_5
     network-object Maridian-primary-Net 255.255.255.128
     network-object Meridian-backup-Net 255.255.255.128
    object-group network DM_INLINE_NETWORK_6
     network-object Maridian-primary-Net 255.255.255.128
     network-object Meridian-backup-Net 255.255.255.128
    object-group network Vital-network-hardware-access
     network-object host UnityVM
     network-object host CiscoCallManager
     network-object host AccessSwitch1MDFA
     network-object host AccessSwitch1IDFB
     network-object host AccessSwitch2IDFB
     network-object host AccessSwitch1IDFC
     network-object host CoreSwitch1
     network-object host CoreSwitch2
    object-group service RDP tcp
     port-object eq 3389
    object-group network DM_INLINE_NETWORK_7
     network-object Maridian-primary-Net 255.255.255.128
     network-object Meridian-backup-Net 255.255.255.128
     network-object host Meridian-primary-VPN
     network-object host Meridian_Backup_VPN
    object-group network DM_INLINE_NETWORK_9
     network-object host Outside_Interface
     group-object Vital-network-hardware-access
    object-group service DM_INLINE_SERVICE_2
     service-object gre
     service-object esp
     service-object ah
     service-object udp eq isakmp
    object-group service DM_INLINE_SERVICE_3
     service-object icmp
     service-object icmp echo
     service-object icmp echo-reply
    object-group network DM_INLINE_NETWORK_4
     network-object 10.195.64.0 255.255.255.0
     network-object 10.239.192.0 255.255.255.128
     network-object 10.239.192.128 255.255.255.128
    object-group network DM_INLINE_NETWORK_8
     network-object 10.195.64.0 255.255.255.0
     network-object 10.239.192.0 255.255.255.128
     network-object 10.239.192.128 255.255.255.128
    access-list Outside_access_in extended permit icmp any any echo-reply
    access-list Outside_access_in extended permit ip Maridian-primary-Net 255.255.255.128 object-group DM_INLINE_NETWORK_8
    access-list Outside_access_in extended permit ip Meridian-backup-Net 255.255.255.128 object-group DM_INLINE_NETWORK_3
    access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    access-list Inside_nat0_outbound extended permit ip 10.239.192.0 255.255.255.0 Maridian-primary-Net 255.255.255.128
    access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 any
    access-list Inside1_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    access-list Inside1_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128
    access-list Inside1_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Meridian-backup-Net 255.255.255.128
    access-list Inside1_nat0_outbound extended permit ip 10.239.192.0 255.255.255.0 10.239.199.0 255.255.255.192
    access-list Inside1_nat0_outbound extended permit ip 10.195.64.0 255.255.255.192 10.239.199.0 255.255.255.192
    access-list Inside1_access_in extended permit ip 10.0.0.0 255.0.0.0 any
    access-list Outside_1_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128
    access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 Meridian-backup-Net 255.255.255.128
    access-list Vital-network-Access_splitTunnelAcl standard permit 10.239.192.0 255.255.255.128
    access-list Vital-network-Access_splitTunnelAcl standard permit 10.195.64.0 255.255.255.0
    access-list Vital-network-Access_splitTunnelAcl standard permit 10.239.192.128 255.255.255.128
    access-list Vital_VPN extended permit ip 10.239.199.0 255.255.255.192 object-group Vital-network-hardware-access
    access-list Vital_VPN extended permit icmp 10.239.199.0 255.255.255.192 object-group Vital-network-hardware-access
    access-list Vital_VPN extended permit ip any any
    access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128
    access-list Vital-Site-to-Site-access extended permit ip object-group DM_INLINE_NETWORK_5 object-group Vital-network-hardware-access
    access-list Vital-Site-to-Site-access extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_6 object-group Vital-network-hardware-access
    access-list Vital-Site-to-Site-access extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_7
    pager lines 24
    logging enable
    logging asdm warnings
    mtu outside 1500
    mtu Inside1 1500
    mtu management 1500
    ip local pool remote-access 10.239.199.11-10.239.199.62 mask 255.255.255.192
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (Inside1) 0 access-list Inside1_nat0_outbound
    nat (Inside1) 1 10.0.0.0 255.0.0.0
    access-group Outside_access_in in interface outside
    access-group Inside1_access_in in interface Inside1
    route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
    route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
    route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
    route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
    route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
    route outside Maridian-primary-Net 255.255.255.0 Outside_Interface 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 66.104.209.192 255.255.255.224 outside
    http 192.168.1.0 255.255.255.0 management
    http 10.239.172.0 255.255.252.0 Inside1
    snmp-server host Inside1 10.239.132.225 community appfirestarter*#*.
    snmp-server location Raleigh
    snmp-server contact Kevin mcdonald
    snmp-server community appfirestarter*#*.
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps entity config-change
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 1 match address Outside_cryptomap_1
    crypto map Outside_map 1 set peer Meridian-primary-VPN
    crypto map Outside_map 1 set transform-set ESP-3DES-MD5
    crypto map Outside_map 1 set security-association lifetime seconds 28800
    crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 2 match address Outside_2_cryptomap
    crypto map Outside_map 2 set peer Meridian_Backup_VPN
    crypto map Outside_map 2 set transform-set ESP-3DES-MD5
    crypto map Outside_map 2 set security-association lifetime seconds 28800
    crypto map Outside_map 2 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access outside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     tunnel-group-list enable
    group-policy Vital-network-Access internal
    group-policy Vital-network-Access attributes
     dns-server value 10.239.192.10
     vpn-filter value Vital_VPN
     vpn-tunnel-protocol IPSec webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Vital-network-Access_splitTunnelAcl
     address-pools value remote-access
    group-policy Vital-Site-to-Site-GroupPolicy internal
    group-policy Vital-Site-to-Site-GroupPolicy attributes
     vpn-filter value Vital-Site-to-Site-access
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    username APPRaleigh password m40Ls2r9N918trxp encrypted
    username APPRaleigh attributes
     vpn-group-policy Vital-network-Access
     service-type remote-access
    username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
    tunnel-group 65.118.69.251 type ipsec-l2l
    tunnel-group 65.118.69.251 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.118.69.251
    pre-shared-key *.
    tunnel-group 65.123.23.194 type ipsec-l2l
    tunnel-group 65.123.23.194 General-attributes
    Group Policy - by Defaut-vital-site-a-site-grouppolicy
    IPSec-attributes tunnel-group 65.123.23.194
    pre-shared-key *.
    remote access of type tunnel-group Vital access to the network
    tunnel-group Vital access to the network general-attributes
    Access to distance-address pool
    Group Policy - by default-state civilian access to the network
    tunnel-group Vital access to the network ipsec-attributes
    pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:a080b1759b57190ba65d932785ad4967
    : end

    Can you confirm whether we have the exact mirror of the crypto ACL at the other end?

    I suspect you may have a /24, 10.239.192.0 255.255.255.0, on the other end as the remote network.

    Can you please confirm that?

    Also, is there a reason why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0?
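The check asked for in the reply above can be automated. The following is an added example, not code from the original thread or from Cisco: it parses the crypto ACL from each side (ASA subnet-mask form and IOS wildcard-mask form), normalises every entry to a (source network, destination network) pair and reports any entry that has no exact (destination, source) mirror on the other side. The IPsec responder compares the Phase 2 proxy identities the peer proposes against its own crypto ACL entry by entry, so two /25 entries on one side and one /24 on the other never match even though the /24 contains both /25s. The ASA ACL name comes from the configuration above; the IOS access-list name `VPN-TO-ASA`, its entries, and the two-/25 split are constructed to reproduce the suspected mismatch.

```python
import ipaddress

# Constructed sample crypto ACLs (not taken from the original post). The ASA side
# carries the local network as two /25 entries, while the IOS side carries a
# single /24: the mismatch the reply above suspects.
ASA_CRYPTO_ACL = """
access-list Outside_cryptomap_1 extended permit ip 10.239.192.0 255.255.255.128 192.168.0.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.239.192.128 255.255.255.128 192.168.0.0 255.255.255.0
"""

# Hypothetical IOS-side crypto ACL (name and entries are assumptions).
IOS_CRYPTO_ACL = """
ip access-list extended VPN-TO-ASA
 permit ip 192.168.0.0 0.0.0.255 10.239.192.0 0.0.0.255
"""

# The same IOS ACL rewritten as the exact mirror of the ASA entries.
IOS_CRYPTO_ACL_FIXED = """
ip access-list extended VPN-TO-ASA
 permit ip 192.168.0.0 0.0.0.255 10.239.192.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 10.239.192.128 0.0.0.127
"""


def _take_spec(tokens, i, wildcard):
    """Parse one address spec at tokens[i]; return (ip_network, next index).

    Accepts 'any', 'host A.B.C.D' and 'A.B.C.D MASK', where MASK is a subnet
    mask (ASA) or an inverse wildcard mask (IOS, wildcard=True).
    """
    tok = tokens[i].lower()
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:
        # IOS wildcard 0.0.0.127 -> subnet mask 255.255.255.128
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_crypto_acl(text, wildcard=False):
    """Return the set of (src_network, dst_network) pairs in a crypto ACL.

    Only 'permit ip' entries are considered; a crypto ACL that matches on a
    transport protocol or port is a separate problem and is ignored here.
    """
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # ACL header, remarks, blank lines
        k = tokens.index("permit")
        if k + 1 >= len(tokens) or tokens[k + 1].lower() != "ip":
            continue
        src, k = _take_spec(tokens, k + 2, wildcard)
        dst, k = _take_spec(tokens, k, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatch(local_pairs, remote_pairs):
    """Return (local entries with no exact mirror remotely,
               remote entries with no exact mirror locally).

    Exact is the operative word: the proxy identities the peer proposes must
    equal a (dst, src) swap of one of our entries; a /25 is not "close
    enough" to a /24 that contains it.
    """
    mirrored_remote = {(dst, src) for (src, dst) in remote_pairs}
    mirrored_local = {(dst, src) for (src, dst) in local_pairs}
    return local_pairs - mirrored_remote, remote_pairs - mirrored_local


def acls_are_mirrored(local_text, remote_text, remote_wildcard=True):
    """True when every entry on each side has its exact mirror on the other."""
    missing_remote, missing_local = mirror_mismatch(
        parse_crypto_acl(local_text), parse_crypto_acl(remote_text, remote_wildcard))
    return not missing_remote and not missing_local


if __name__ == "__main__":
    asa = parse_crypto_acl(ASA_CRYPTO_ACL)
    ios = parse_crypto_acl(IOS_CRYPTO_ACL, wildcard=True)
    missing_remote, missing_local = mirror_mismatch(asa, ios)
    for src, dst in sorted(missing_remote, key=str):
        print(f"ASA entry {src} -> {dst} has no mirror on the IOS side")
    for src, dst in sorted(missing_local, key=str):
        print(f"IOS entry {src} -> {dst} has no mirror on the ASA side")
    print("fixed IOS ACL mirrors the ASA ACL:",
          acls_are_mirrored(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL_FIXED))
```

Run against the constructed input, the script lists both ASA /25 entries as unmatched and the IOS /24 entry as unmatched; with the IOS ACL rewritten as two /25 entries (`IOS_CRYPTO_ACL_FIXED`) the check passes. Paste the real `show run access-list` output from each box in place of the constructed strings to test a live pair.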
