ASA 5505 Cisco 7940 phone and laptop behind it

Similar Questions

• EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

  Hi friends,

  I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

  Please find below the exit of 881 router Cisco:

  YF2_Tbilisi_router #.
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
  * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
  * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
  * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
  * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
  * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
  * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
  * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:31:47.805 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
  * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
  * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
  * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
  * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
  * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
  * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
  * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
  * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:32:48.913 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

  There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

  The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?

• 7940 phone AND IP Communicator for Agents?

  We use the IPCC Express 3.5.3. Our call centre agents currently 7940 phones with a 2nd line of the agent. They would like to keep their physical phone and also have IP Communicator on their laptops in case they need to work from home and take calls. Can IP Communcator be installed on their laptops with lines shared for their person and their agent of lines? Can IPCC Express party lines, as long as the RM Jtapi user is associated with the physical phone and the IP Communicator?

  Thoughts? Thank you.

  These URLS should help you:

  http://www.Cisco.com/en/us/products/SW/custcosw/ps1846/products_data_sheet09186a008019ade0.html

  http://www.Cisco.com/en/us/products/SW/voicesw/ps556/prod_tech_notes_list.html

• Client VPN Cisco ASA 5505 Cisco 1841 router

  Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

  My topology is almost as follows

  customer - tunnel - 1841 - ASA - PC

  ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

  Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

  ISAKMP nat-traversal crypto

  Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

• Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)

  Hello

  I'll put up a tunnel vpn site-to-site between two locations.  Both have cisco ASA 5505 running a different version, I'll explain in more detail below.  so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic.  Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand.  I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.

  An IP address of 0.0.0.0 = site
  Site B IP = 1.1.1.1

  A Version of the site = 8.3.1
  Version of the site B = 9.2.3

  __________________________

  _________

  A RACE OF THE SITE CONFIGURATION

  Output of the command: "sh run".

  : Saved
  :
  ASA Version 8.3 (1)
  !
  hostname SDMCLNASA01
  SDMCLNASA01 domain name. LOCAL
  Select 5E8js/Fs7qxjxWdp of encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  the IP 192.168.0.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  the IP 0.0.0.0 255.255.255.252
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  DNS lookup field inside
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  SDMCLNASA01 domain name. LOCAL
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  network lan_internal object
  192.168.0.0 subnet 255.255.255.0
  purpose of the smtp network
  Home 192.168.0.245
  Network http object
  Home 192.168.0.245
  rdp network object
  Home 192.168.0.245
  network ssl object
  Home 192.168.0.245
  network camera_1 object
  host 192.168.0.13
  network camerahttp object
  host 192.168.0.13
  service object 8081
  source eq 8081 destination eq 8081 tcp service
  Dvr description
  network camera-http object
  host 192.168.0.13
  network dvr-http object
  host 192.168.0.13
  network dvr-mediaport object
  host 192.168.0.13
  object-group Protocol DM_INLINE_PROTOCOL_1
  object-protocol udp
  object-tcp protocol
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  DM_INLINE_TCP_1 tcp service object-group
  EQ port 3389 object
  port-object eq www
  EQ object of the https port
  EQ smtp port object
  DM_INLINE_TCP_2 tcp service object-group
  port-object eq 34567
  port-object eq 34599
  EQ port 8081 object
  permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq smtp
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  !

  
  network lan_internal object
  NAT dynamic interface (indoor, outdoor)
  purpose of the smtp network
  NAT (all, outside) interface static tcp smtp smtp service
  Network http object
  NAT (all, outside) interface static tcp www www service
  rdp network object
  NAT (all, outside) interface static service tcp 3389 3389
  network ssl object
  NAT (all, outside) interface static tcp https https service
  network dvr-http object
  NAT (all, outside) interface static 8081 8081 tcp service
  network dvr-mediaport object
  NAT (all, outside) interface static 34567 34567 tcp service
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  http server enable 8080
  http 192.168.0.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 outside
  http 71.40.221.136 255.255.255.252 inside
  http 71.40.221.136 255.255.255.252 outside
  http 192.168.0.0 255.255.255.0 outside
  http 97.79.197.42 255.255.255.255 inside
  http 97.79.197.42 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set peer 1.1.1.1
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd address 192.168.0.50 - 192.168.0.150 inside
  dhcpd dns 192.168.0.245 209.18.47.62 interface inside
  dhcpd SDMCLNASA01 field. LOCAL inside interface
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:462428c25e9748896e98863f2d8aeee7
  : end

  ________________________________

  SITE B RUNNING CONFIG

  Output of the command: "sh run".

  : Saved
  :
  : Serial number: JMX1635Z1BV
  : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
  :
  ASA Version 9.2 (3)
  !
  ciscoasa hostname
  activate qddbwnZVxqYXToV9 encrypted password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.252
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network camera_http object
  host 192.168.1.13
  network camera_media object
  host 192.168.1.13
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq 9000
  outside_access_in list extended access permit tcp any any eq www
  outside_access_in list extended access permit icmp any one
  outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  ASDM image disk0: / asdm - 732.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  !
  network camera_http object
  NAT (all, outside) interface static tcp www www service
  network camera_media object
  NAT (all, outside) interface static 9000 9000 tcp service
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  card crypto outside_map 1 peer set 0.0.0.0
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev1 allow outside
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0

  dhcpd address 192.168.1.50 - 192.168.1.150 inside
  dhcpd dns 192.168.0.245 209.18.47.61 interface inside
  dhcpd SDPHARR field. LOCAL inside interface
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol
  internal GroupPolicy_0.0.0.0 group strategy
  attributes of Group Policy GroupPolicy_0.0.0.0
  VPN-tunnel-Protocol ikev1, ikev2
  tunnel-group 0.0.0.0 type ipsec-l2l
  tunnel-group 0.0.0.0 ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
  : end

  Sorry my mistake.

  Delete this if it's still there

  card crypto external_map 1 the value reverse-road

  Add this to both sides

  card crypto outside_map 1 the value reverse-road

  Sorry about that.

  Mike

• which product is right for the ssl vpn: asa 5505 cisco 1841 or

  Hello

  I want to install an outside link management related so that we can ssh to our cisco devices and microsoft RDP toour servers. It's my configuration (based on what I know):

  Internet > DSL modem > ASA 5505 > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

  or

  Internet > 1841 with DSL HWIC > management CONSOLES SWITCH > SWITCH CISCO or Windwos Server

  My questions are:

  Should I go for ASA or 1841 router?

  What options is better? and ASA will do the job?

  Are there any technical support prior to purchase of products in Australia? I need technical advice on the choice of the right products, not justs eiling me products.

  Hello

  Its strongly suggested to go with ASA 5505 in the first place, it is supposed to feature for the main functionality of ssl vpn server from 1841 which has this feature to be a vpn server.

  ASDM also gives you the freedom to config box on your own based on your condition.

  regds

• Please give index on configuring vpn site to site on 881 to ASA 5505 cisco router

  Earlier my boss asked me to prepare to implement the VPN site-to site on router Cisco 881 Integrated Services to ASA 5505 router, which is now running on the side of HQ. Someone please give me a hint. I am now learning the pdf file from Cisco that mention how to configure VPN site to site between 1812 Cisco IOS router and router of the ASA 5505 using ASDM V6.1 and SDM V2.5. Cannot find the book for the Cisco 881 device.

  Someone please please suggest me something as soon as POSSIBLE.

  Thank you

  CLI version:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

  ASDM and SDM Version:

  http://www.Cisco.com/en/us/partner/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

• Module of IPS ASA 5505 Cisco ASA-SSC-AIP-5 Auto Update

  Automatic update no longer work after November 14, 2014

  Cisco Intrusion Prevention System, Version 5,0000 E4, SSC-AIP-5

  Error: automatic update has selected a package ([https:[email protected] / * *///swc/esd/11/273556262/guest/IPS-sig-S838-req-E4.pkg) to the cisco.com Locator service, however, the package download failed: the host is not approved. Add TLS certificates approved of the host system.

  Automatic update can work without problem until November 14, 2014.

  I've added welcomes guests of tls trust

  # tls trust-facilitators
  72.163.4.161
  72.163.7.60

  Always faced with the same question

  Understand the Signature Update feature works automatic Cisco IPS

  http://www.Cisco.com/c/en/us/support/docs/security/IPS-sensor-software-version-71/113674-IPS-automatic-signature-update-00.html

  SPI uses the file transfer

  protocol defined in the file download data learned in the server manifest URL (currently using HTTP

  TCP (80)).

  The problem I see is that earlier before 14 nov it fetch the file signature with HTTP (works fine)

  but now, he's trying with HTTPS instead.

  A single session against 72.163.4.161 (have always been the HTTPS)

  A single session against 72.163.7.60, previous HTTP now it uses the HTTPS protocol

  Does anyone have a solution?

  fix.

  the problem with the location service should be set right now and you can continue to use the auto-update http

• ASA 5505 cannot configure FTP and I tried almost everything

  Not sure if my device is faulty or not, but I'm running on a base license and cannot establish an FTP connection for the life of me. Here is my config;

  Thanks in advance...

  ASA Version 7.2 (2)
  !
  ciscoasa hostname
  domain default.domain.invalid
  activate the encrypted password of TGFUt.AsMHJOyury
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  2KFQnbNIdI.2KYOU encrypted passwd
  passive FTP mode
  DNS server-group DefaultDNS
  domain default.domain.invalid
  access-list extended 100 permit tcp any host 192.168.1.110 eq ftp
  access-list extended 100 permit tcp any host 192.168.1.110 eq ftp - data
  pager lines 24
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 522.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect
  Timeout, uauth 0:05:00 absolute
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Telnet 192.168.1.0 255.255.255.0 inside
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd outside auto_config
  !
  dhcpd address 192.168.1.2 - 192.168.1.33 inside
  dhcpd allow inside
  !

  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:641863a581e04222e46e2ab17a880147
  : end

  Where is the static nat translation, or configuration of port forwarding?

  you have bellows acl lines, these access lists is not yet applied to the external interface of the firewall.

  access-list extended 100 permit tcp any host 192.168.1.110 eq ftp
  access-list extended 100 permit tcp any host 192.168.1.110 eq ftp - data

  How the outside internet hosts are able to connect to a non-public such as the 192.168.1.110 IP address?

  you need little things to fix in your configuration, your external interface is first attributed to dynamic ip for ISPS to provide the public IP seen in your config like:

  interface Vlan2
  nameif outside
  security-level 0
  IP address dhcp setroute
  

  Number 1- because we don't know what address IP of the ISP dynamically given the firewall, you must know what address is provided by the show on the asa show ip interface brief command line and take notes on the IP Vlan2... that Ip address will be the use of a single for hosts on the internet so you can connect to your FTP 192.168.1.110 server.

  Number 2 - because you do not spared a public IP address to use a one-to-one translation NAT for your server ftp within a public IP to the outside address, you must use the keyword interface on your translation of static port and the real access list 100 for the firewall to allow this connection and sends the request to the server ftp inside.

  public static tcp (indoor, outdoor) interface 192.168.1.110 ftp ftp netmask 255.255.255.255
  public static tcp (indoor, outdoor) interface ftp - data 192.168.1.110 ftp - data netmask 255.255.255.255

  Then re - configure acl 100 as below and apply it to the external interface

  access-list extended 100 permit tcp any which interface outside eq ftp
  access-list extended 100 permit tcp any which interface outside eq ftp_data

  Access-group 100 in external interface

  Finally, make sure you have your FTP server is running, don't forget not that from outside you will be using the public IP address you got output show ip interface brief , which will be the IP address that will be used to FTP from the outside to the inside.

• Selection of ASA 5505 license and Smartnet

  Hello

  We bought an ASA 5505 (ASA5505-BUN-K9) and more recently bought the license to upgrade from 10 to 50 users (L-ASA5505-10-50).

  I want to provide remote access to users via AnyConnect - specifically, AnyConnnect under Windows as well as iPhone/iPad and Android.  My understanding is that I should buy the Anyconnect Essentials (L-ASA-AC-E-5505) and permits Anyconnect Mobile (L-ASA-AC-M-5505).  Is this correct?  If I do this, simultaneous remote access VPN connections (via the Anyconnect customers) how the ASA will then support?

  In addition, we did not purchase initially Smartnet with this device, but I want to do to access the software updates.  Y at - it a document or a site where I can locate the SKU # s Smartnet contracts that would be appropriate with our device?  Or could someone provide a few example SKU #?

  The output of 'see the version' is below:

  Cisco Adaptive Security Appliance Software Version 8.3 (1)

  Version 6.3 Device Manager (1)

  Updated Friday, March 4, 10 16:56 by manufacturers

  System image file is "disk0: / asa831 - k8.bin.

  The configuration file to the startup was "startup-config '.

  asa1 until dry 42

  Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

  Internal ATA Compact Flash, 128 MB

  BIOS Flash M50FW016 @ 0xfff00000, 2048KB

  Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

  Start firmware: CN1000-MC-BOOT - 2.00

  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

  0: Int: internal-Data0/0: the address is 649e.f3b3.c2bb, irq 11

  1: Ext: Ethernet0/0: the address is 649e.f3b3.c2b3, irq 255

  2: Ext: Ethernet0/1: the address is 649e.f3b3.c2b4, irq 255

  3: Ext: Ethernet0/2: the address is 649e.f3b3.c2b5, irq 255

  4: Ext: Ethernet0/3: the address is 649e.f3b3.c2b6, irq 255

  5: Ext: Ethernet0/4: the address is 649e.f3b3.c2b7, irq 255

  6: Ext: Ethernet0/5: the address is 649e.f3b3.c2b8, irq 255

  7: Ext: Ethernet0/6: the address is 649e.f3b3.c2b9, irq 255

  8: Ext: Ethernet0/7: the address is 649e.f3b3.c2ba, irq 255

  9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

  10: Int: not used: irq 255

  11: Int: not used: irq 255

  The devices allowed for this platform:

  The maximum physical Interfaces: 8 perpetual

  VLAN: 3 restricted DMZ

  Double ISP: Disabled perpetual

  Junction VIRTUAL LAN ports: perpetual 0

  The hosts on the inside: 50 perpetual

  Failover: Disabled perpetual

  VPN - A: enabled perpetual

  VPN-3DES-AES: activated perpetual

  SSL VPN peers: 2 perpetual

  Counterparts in total VPN: 10 perpetual

  Shared license: disabled perpetual

  AnyConnect for Mobile: disabled perpetual

  AnyConnect Cisco VPN phone: disabled perpetual

  AnyConnect Essentials: Disabled perpetual

  Assessment of Advanced endpoint: disabled perpetual

  Proxy UC phone sessions: 2 perpetual

  Proxy total UC sessions: 2 perpetual

  Botnet traffic filter: disabled perpetual

  Intercompany Media Engine: Disabled perpetual

  This platform includes a basic license.

  ---

  Thank you!

  Yes you are right, you must purchase the license key AnyConnect and AnyConnect Mobile, and you can run 25 maximum simultaneous AnyConnect

  Here are the compatible Android devices for your reference:

  http://www.Cisco.com/en/us/docs/security/vpn_client/AnyConnect/anyconnect25/release/notes/RN-AC2.5-Android.html#wp1159723

  For Smartnet, whereby the service level you need, here are a few examples for ASA5505:

  -SMARTnet Premium 24 x 7 x 4 (SNTP): SNTP-CON-AS5B50K9

  -SMARTnet 8x5xNBD (SWW): CON-SNT-AS5B50K9

• Configure an FTP server behind ASA 5505, need some sort of port forwarding

  My company uses a Cisco ASA 5505 Adaptive Security Appliance, and I'm trying to set up an SFTP server which is accessible from the Internet.

  Is it possible to simply configure port forwarding to my FTP port (4610) to the IP with the server, as I would on a simple Linksys router? Or I have to put in place a sort of demilitarized zone?

  Any help would be greatly appreciated.

  No, you do not necessarily have a demilitarized zone, inside works perfectly. I guess you want to use the ip address of the external interface of the ASA for this? If so, it would looks something like this. Where x.x.x.x is the ip address of the inside/private of the ftp server.

  public static 4610 4610 netmask 255.255.255.255 x.x.x.x interface tcp (indoor, outdoor)

  outside_access_in list extended access permit tcp any interface outside eq 4610

  Access-group outside_access_in in interface outside

• Client VPN und Cisco asa 5505 tunnel work but no traffic

  Hi all

  I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

  I have the following problem:

  I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

  To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

  Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

  After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

  I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

  What I did wrong. Could someone let me know what I have to do today.

  With hope for your help Dimitri.

  ASA configuration after reset and basic configuration: works to the Internet from within the course.

  : Saved

  : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

  !

  ASA Version 8.2 (2)

  !

  ciscoasa hostname

  activate 2KFQnbNIdI.2KYOU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE client vpdn group home

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 194.25.0.60

  Server name 194.25.0.68

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

  inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

  inside_access_in list extended access deny ip any any debug log

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

  homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location 192.168.0.0 255.255.0.0 inside

  ASDM location 192.168.10.0 255.255.255.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group home request dialout pppoe

  VPDN group House localname 04152886790

  VPDN group House ppp authentication PAP

  VPDN username 04152886790 password 1

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  TFTP server 192.168.1.5 inside c:/tftp-root

  WebVPN

  Group Policy inner residential group

  attributes of the strategy of group home group

  value of 192.168.1.1 DNS server

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list homegroup_splitTunnelAcl

  username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

  user01 username attributes

  VPN-strategy group home group

  tunnel-group home group type remote access

  attributes global-tunnel-group home group

  address homepool pool

  Group Policy - by default-homegroup

  tunnel-group group residential ipsec-attributes

  pre-shared-key ciscotest

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

  : end

  Hello

  Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

  If you connect via VPN, check the following:

  1. the tunnel is established:

  HS cry isa his

  Must say QM_IDLE or MM_ACTIVE

  2 traffic is flowing (encrypted/decrypted):

  HS cry ips its

  3. Enter the command:

  management-access inside

  And check if you can PING the inside ASA VPN client IP.

  4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

  Federico.

• Cannot connect to internet after connecting to VPN Cisco ASA 5505

  Hi all

  I am an engineer of network, but haven't had any Experinece in the firewall for the moment, I'm under pressure to take care of a ASA 5505 were all VPN and incoming and out of bounds have been set up, recently I've had a few changes and re made the change, but unfortunately, he took some configurations that are ment for VPN now I am facing a problem,

  VPN connection, but impossible to navigate on the internet is my problem, I tried inheriting tunneli Split, but I coudnt get through it seems, I did something in a bad way, I use here for most ASDM,.

  I paste the Configuration for the investigation, although he's trying to help me.

  ASA Version 8.0(4)16 ! hostname yantraind domain-name yantra.intra enable password vD1.re9JLbigXJxz encrypted passwd hVjSWvtgvNN21M./ encrypted names ! interface Vlan2 nameif outside security-level 0 ip address Outside_Interface 255.255.255.240 ospf cost 10 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 2 ! interface Ethernet0/6 switchport access vlan 2 shutdown ! interface Ethernet0/7 switchport access vlan 2 shutdown ! boot system disk0:/asa804-16-k8.bin boot system disk0:/asa724-k8.bin ftp mode passive clock timezone GMT 0 dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 192.168.0.106 name-server 192.168.0.10 domain-name yantra.intra same-security-traffic permit intra-interface object-group service Email_In tcp port-object eq https port-object eq pop3 port-object eq smtp object-group service DM_INLINE_TCP_2 tcp port-object eq ftp port-object eq ftp-data port-object eq www object-group service RDP tcp port-object eq 3389 object-group service DM_INLINE_SERVICE_1 service-object icmp service-object icmp traceroute object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service voip udp port-object eq domain object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data access-list outside_access_in extended permit tcp any host  object-group Email_In access-list outside_access_in extended permit tcp any host FTP_Server_Ext object-group DM_INLINE_TCP_1 access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit tcp any host ForSLT eq www access-list outside_access_in extended permit tcp any host Search object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit tcp any host IMIPublic eq www access-list outside_access_in extended permit tcp any host eq www access-list outside_access_in extended permit tcp any host SLT_New_Public eq www access-list outside_access_in extended permit object-group TCPUDP any host 202.133.48.68 eq www access-list rvpn_stunnel standard permit 192.168.0.0 255.255.255.0 access-list rvpn_stunnel standard permit 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list nat0 extended permit ip host IT_DIRECT 192.168.0.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended deny object-group TCPUDP host 192.168.0.252 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 24 logging enable logging timestamp logging console debugging logging buffered debugging logging trap debugging logging history emergencies logging asdm debugging logging host inside 192.168.0.187 logging permit-hostdown logging class ip buffered emergencies mtu inside 1500 mtu outside 1500 ip local pool rvpn-ip 192.168.100.1-192.168.100.25 mask 255.255.255.0 ip verify reverse-path interface inside ip verify reverse-path interface outside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any traceroute outside asdm image disk0:/asdm-61551.bin no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list nat0 nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) netmask 255.255.255.255 dns static (inside,outside) FTP_Server_Ext FTP_Server_Int netmask 255.255.255.255 dns static (inside,outside) ForSLT SLT_New netmask 255.255.255.255 static (inside,outside) Search LocalSearch netmask 255.255.255.255 static (inside,outside) IMIPublic IMI netmask 255.255.255.255 static (inside,outside) SLT_New_Public SLT_Local netmask 255.255.255.255 static (inside,outside) netmask 255.255.255.255 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 202.133.48.65 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.0.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map rvpn_map 65535 set pfs crypto dynamic-map rvpn_map 65535 set transform-set ESP-3DES-SHA crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer  crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 2 match address outside_cryptomap crypto map outside_map 2 set pfs crypto map outside_map 2 set peer crypto map outside_map 2 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic rvpn_map crypto map outside_map interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=yantraind proxy-ldc-issuer crl configure crypto ca server shutdown crypto ca certificate chain ASDM_TrustPoint0 certificate f8684749     30820252 308201bb a0030201 020204f8 68474930 0d06092a 864886f7 0d010104     0500303b 31123010 06035504 03130979 616e7472 61696e64 31253023 06092a86     4886f70d 01090216 1679616e 74726169 6e642e79 616e7472 612e696e 74726130     1e170d30 38313231 36303833 3831365a 170d3138 31323134 30383338 31365a30     3b311230 10060355 04031309 79616e74 7261696e 64312530 2306092a 864886f7     0d010902 16167961 6e747261 696e642e 79616e74 72612e69 6e747261 30819f30     0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f6d1d0 d536624d     de9e4a2e 215a3986 98087e65 be9f6c0f b8f6dc3e 151c5603 21afdebe 85b2917b     297b1d1c b3abf5c6 628afbbe dda1ca27 01282aff 6514f62f 2965c87c 8aab0273     ab59dac6 aa9f549b 846d93fd 44c7f84f b29545bb d0db8bbb 060dfbbf 592a15e3     3db126be 541003c4 38754847 0b472e62 d092fec2 d556f9e3 09020301 0001a363     3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403     02018630 1f060355 1d230418 30168014 9f66b685 2ebf0d5a 97a684ba 9a9518ca     a8ed637e 301d0603 551d0e04 1604149f 66b6852e bf0d5a97 a684ba9a 9518caa8     ed637e30 0d06092a 864886f7 0d010104 05000381 81003b49 2a7ee503 79b47792     6ce90453 70cf200e 943eccd7 deab53e0 2348d566 fe6aa8e0 302b922c 12df802d     398674f3 b1bc55f2 fe2646d5 c59689c2 c6693b0f 14081661 bafb233b 1b296708     fc2b6cbb ba1a005e 37073d72 4156b582 4521e673 ba6c7f7d 2d6941c4 9e076c39     73de21b9 712f69ed 7aab4bda 365d7eb3 39c05d27 e2dd   quit crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 192.168.0.0 255.255.255.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh timeout 15 ssh version 2 console timeout 0 dhcpd address 192.168.0.126-192.168.0.150 inside dhcpd dns 192.168.0.106 192.168.0.10 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 webvpn group-policy DfltGrpPolicy attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-dns value 192.168.0.106 group-policy rvpn internal group-policy rvpn attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value rvpn_stunnel default-domain value yantra.intra username rreddy password 6p4HjBmf02hqbnrL encrypted privilege 15 username bsai password 41f5/8EINw6VQ5Os encrypted username bsai attributes service-type remote-access username Telnet password U.eMKTkIYZQA83Al encrypted privilege 15 username prashantt password BdrzfvDcOsnHBIdz encrypted username prashantt attributes service-type remote-access username m.shiva password p5YdC3kTJcnceaT/ encrypted username m.shiva attributes service-type remote-access username Senthil password qKYIiJ9NmC8NYvCA encrypted username Senthil attributes service-type remote-access username agupta password p3slrWEH1ye5/P2u encrypted username agupta attributes service-type remote-access username Yogesh password uQ3pfHI2wLvg8B8. encrypted username Yogesh attributes service-type remote-access username phanik password inZN0zXToeeR9bx. encrypted username phanik attributes service-type remote-access username murali password Ckpxwzhdj5RRu2tF encrypted privilege 15 username mgopi password stAEoJodb2CfgruZ encrypted privilege 15 username bill password Z1KSXIEPQkLN3OdQ encrypted username bill attributes service-type remote-access username Shantala password aCvfO5/PcsZc3Z5S encrypted username Shantala attributes service-type remote-access username maheshm password Fry56.leIsT9VHsv encrypted username maheshm attributes service-type remote-access username dhanj password zotUI9D6WWrMAh8T encrypted username dhanj attributes service-type remote-access username npatel password vOfMuOZg0vSkICyF encrypted username npatel attributes service-type remote-access username bmandakini password Y5UZuahgr6vd6ccE encrypted username bmandakini attributes service-type remote-access tunnel-group rvpn type remote-access tunnel-group rvpn general-attributes address-pool rvpn-ip tunnel-group rvpn ipsec-attributes pre-shared-key * tunnel-group  type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * tunnel-group type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * ! class-map global-class match default-inspection-traffic class-map inspection_default ! ! policy-map global_policy policy-map global-policy class global-class   inspect esmtp   inspect sip    inspect pptp   inspect ftp   inspect ipsec-pass-thru ! service-policy global-policy global prompt hostname context Cryptochecksum:7042504fefd0d22ce4de7f6fa4da14fa : end 

  Thanking you in advance

  Hello

  If you want to have Split-tunnelin in use. One you have patterns for.

  Then you will need to fix the configured "private group policy" under the "tunnel - private-group

  tunnel-group private general-attributes

  strategy - by default-private group

  Then reconnect the VPN Client connection and try again.

  After that the VPN Client connection only transmits traffic directed to the LAN on the VPN Client connection and all Internet traffic beyond the VPN connection directly to the Internet through the current connection of the users.

  -Jouni

• ASA 5505 possibly interfere/blocking calls Incound UC560

  ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry - 5716462 #entry - 5716462

  All,

  We had this problem the phone when we lose connectivity for some reason any.  Here is an example:

  We have an ASA 5505 before our UC560.  Power lost to ASA (power connector from main Board loose) primary did identical backup with config.  The layout-design is the following:

  UC560<--->ASA 5505 Cisco IAD24523<--->(provider)<---WAN(3 bonded="">

  After the passage of the ASAs, incoming calls have been piecemeal.  I can see the traffic on the firewall when the calls log, nothing otherwise.   OS on the device are:

  UC560 - 15.0 XA (1r).

  ASA 5505-4, 0000 38

  Contacted the provider and after calls debugging support have been expire with the 408 SIP error.

  Release with support from Cisco and after debugging UC is to launch the SIP 487 disconnect error.

  So based on the above and the only variable being the ASA, I'm fairly certain that it is indeed the ASA.  Here is the config ASA (it's pretty long, sorry):

  Output of the command: "show run".

  : Saved
  :
  : Serial number:
  : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
  :
  ASA 4,0000 Version 38
  !
  XXXXX-CA hostname
  activate the encrypted password of WUGxGkjzJJSPhT9N
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  WUGxGkjzJJSPhT9N encrypted passwd
  names of
  DNS-guard
  192.168.254.1 mask - local 192.168.254.25 pool XXXXX-Remote IP 255.255.255.0
  !
  interface Ethernet0/0
  Description-> Internet
  switchport access vlan 2
  !
  interface Ethernet0/1
  Description-> inside
  switchport access vlan 10
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Vlan2
  Description-> Internet<>
  nameif outside
  security-level 0
  address IP XXX.XXX. XXX.242 255.255.255.240
  !
  interface Vlan10
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  !
  exec banner * W A R N I N G *.
  banner exec unauthorised access prohibited. All access is
  banner exec monitored and the intruder may be continued
  exec banner to the extent of the law.
  connection of the banner * W A R N I N G *.
  banner connect unauthorized access prohibited. All access is
  connection banner monitored, and intruders will be prosecuted
  connection banner to the extent of the law.
  Banner motd! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
  Banner motd this is a private computer system.
  Banner motd, access is allowed only by authorized employees or agents of the
  company banner motd.
  Banner motd system can be used only for the authorized company.
  Banner motd business management approval is required for all access privileges.
  Banner motd, as this system is equipped with a safety system designed to prevent
  Banner motd and attempts of unauthorized access record.
  Banner motd
  Banner motd unauthorized access or use is a crime under the law.
  banner asdm XXXXX Enterprises Inc. $(hostname)
  boot system Disk0: / asa904-38 - k8.bin
  boot system Disk0: / asa904-29 - k8.bin
  passive FTP mode
  clock timezone PST - 8
  clock summer-time recurring PDT
  DNS domain-lookup outside
  permit same-security-traffic intra-interface
  object obj voip network
  10.1.1.0 subnet 255.255.255.0
  network object obj - 192.168.254.0

  
  192.168.254.0 subnet 255.255.255.0
  pool of local addresses of description
  object obj cue-network
  10.1.10.0 subnet 255.255.255.0
  object obj priv-network
  192.168.10.0 subnet 255.255.255.0
  object obj data network
  subnet 10.0.1.0 255.255.255.0
  network object obj - 192.168.0.0
  192.168.0.0 subnet 255.255.255.0
  Description not used
  network object obj - 192.168.1.0
  subnet 192.168.1.0 255.255.255.0
  Description not used
  object obj nj-asa-private-network
  Subnet 192.168.2.0 255.255.255.0
  network obj object -? asa-private-network
  192.168.5.0 subnet 255.255.255.0
  network obj object -? asa-private-network
  192.168.6.0 subnet 255.255.255.0
  network obj object -? -asa - private-network
  subnet 192.168.3.0 255.255.255.0
  network obj object -? asa-priv-networl
  subnet 192.168.4.0 255.255.255.0
  network obj object -? asa-private-network
  192.168.7.0 subnet 255.255.255.0
  object obj-asa-Interior-voip-nic network
  host 10.1.1.1
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  network obj_any-01 object
  subnet 0.0.0.0 0.0.0.0
  network object obj - 0.0.0.0
  host 0.0.0.0
  object obj-vpn-nic network
  Home 192.168.10.20
  object obj XXXX-asa-private-network
  192.168.8.0 subnet 255.255.255.0
  House of XXXX description
  network obj object -? asa-private-network
  192.168.9.0 subnet 255.255.255.0
  object asa inside-network data
  subnet 10.0.1.0 255.255.255.0
  asa data-outside-network object
  subnet XXX.XXX. XXX.240 255.255.255.240
  network of china-education-and-research-network-center object
  Home 202.194.158.191
  Acl explicitly blocked description
  China unicom shandong network item
  60.214.232.0 subnet 255.255.255.0
  Acl explicitly blocked description
  pbx-cue-Interior-nic network object
  Home 10.1.10.2
  pbx-cue-outside-nic network object
  host 10.1.10.1
  telepacific-voip-trunk network object
  Home 64.60.66.250
  Description is no longer used
  us-la-mianbaodianying network object
  Home 68.64.168.46
  Acl explicitly blocked description
  object network cue
  10.1.10.0 subnet 255.255.255.0
  private-network data object
  192.168.10.0 subnet 255.255.255.0
  pbx-outside-data-nic network object
  host 10.0.1.2
  pbx-voip-Interior-nic network object
  host 10.1.1.1
  voip network object
  10.1.1.0 subnet 255.255.255.0
  vpn-server-nic network object
  Home 192.168.10.20
  asa-data-outside-nic network object
  host XXX.XXX. XXX.242
  asa-voip-ctl-outside-nic network object
  host XXX.XXX. XXX.244
  the object 192.168.0.0 network
  192.168.0.0 subnet 255.255.255.0
  Description not used
  the object 192.168.1.0 network
  subnet 192.168.1.0 255.255.255.0
  Description not used
  nj-asa-priv-netowrk network object
  Subnet 192.168.2.0 255.255.255.0
  network of the 192.168.254.0 object
  192.168.254.0 subnet 255.255.255.0
  pool of local addresses of description
  network of the object? -asa - private-network
  subnet 192.168.3.0 255.255.255.0
  network of the object? asa-private-network
  subnet 192.168.4.0 255.255.255.0
  network of the object? asa-private-network
  192.168.5.0 subnet 255.255.255.0
  network of the object? asa-private-network
  192.168.6.0 subnet 255.255.255.0
  network of the object? asa-private-network
  192.168.7.0 subnet 255.255.255.0
  network of the object? asa-private-network
  192.168.9.0 subnet 255.255.255.0
  the XXXX-asa-private-network object network
  192.168.8.0 subnet 255.255.255.0
  network object XXX.XXX. XXX.242
  host XXX.XXX. XXX.242
  service object 47
  tcp source eq eq 47 47 destination service
  object network dvr
  Home 192.168.10.16
  network dvr-nat-tcp8888 object
  Home 192.168.10.16
  network dvr-nat-tcp6036 object
  Home 192.168.10.16
  network dvr-nat-udp6036 object
  Home 192.168.10.16
  dvr-8888 service object
  destination eq 8888 tcp service
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  object-group service dvr-6036-tcp - udp
  port-object eq 6036
  détermine access-list extended allow object to ip pbx-outside-data-nic any4 inactive
  détermine access-list extended allow ip pbx-outside-data-nic inactive object any4
  access-list extended testout allowed ip object asa-voip-ctl-outside-nic any4 inactive
  access-list extended testout allowed ip any4 object asa-voip-ctl-outside-nic inactive
  XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.0.1.0 255.255.255.0
  XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.1.0 255.255.255.0
  XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.10.0 255.255.255.0
  XXXXX-Remote_splitTunnelAcl-list of allowed access standard 192.168.10.0 255.255.255.0
  inside_nat0_outbound list extended access permitted ip network voip 192.168.254.0 object
  inside_nat0_outbound list extended access permitted ip object cue-network 192.168.254.0
  inside_nat0_outbound list extended access permits data-private-network ip object 192.168.254.0 object
  inside_nat0_outbound list extended access permitted ip object asa-data-inside-network 192.168.254.0
  inside_nat0_outbound list extended access permitted ip voip-network 192.168.0.0 idle object
  inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.0.0 object
  inside_nat0_outbound list extended access allowed object data-private-network 192.168.0.0 inactive ip
  inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.0.0 inactive ip
  inside_nat0_outbound list extended access permitted ip voip-network 192.168.1.0 idle object
  inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.1.0 object
  inside_nat0_outbound list extended access allowed object data-private-network 192.168.1.0 inactive ip
  inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.1.0 inactive ip
  inside_nat0_outbound list extended access allowed object ip voip-network object nj-asa-priv-netowrk
  inside_nat0_outbound list extended access permitted ip cue-network object nj-asa-priv-netowrk object
  inside_nat0_outbound list extended access permitted ip object data-private-network nj-asa-priv-netowrk
  inside_nat0_outbound list extended access permitted ip object asa data-inside-network-nj-asa-priv-netowrk
  inside_nat0_outbound list extended access permitted ip cue-XXXX-asa-private-network network object
  inside_nat0_outbound extended access list permit ip object asa - Interior-data object XXXX-asa-private-network network
  inside_nat0_outbound list extended access permitted ip voip XXXX-asa-private-network network object
  inside_nat0_outbound list extended access allowed object of data-private-network ip XXXX-asa-private-network object
  ezvpn1 list standard access allowed 192.168.10.0 255.255.255.0
  ezvpn1 list standard access allowed 10.1.10.0 255.255.255.0
  ezvpn1 list standard access allowed 10.0.1.0 255.255.255.0
  ezvpn1 list standard access allowed 10.1.1.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.0.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.1.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.2.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.3.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.4.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.5.0 255.255.255.0
  ezvpn1 standard access list allow the 192.168.6.0 255.255.255.0
  ezvpn1 standard access list allow 192.168.7.0 255.255.255.0
  ezvpn1 standard access list allow 192.168.8.0 255.255.255.0
  ezvpn1 list standard access allowed 192.168.9.0 255.255.255.0
  access-list capout extended permitted udp object asa-data-outside-nic telepacific-voip-trunk inactive
  access-list capout extended permitted udp object telepacific-voip-trunk asa-data-outside-nic inactive
  allowed to capture access extended list ip pbx-cue-outside-nic object nj-asa-priv-netowrk
  allowed to capture access extended list ip pbx-cue-Interior-nic object nj-asa-priv-netowrk
  object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
  object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
  capture extensive list ip pbx object nj-asa-priv-netowrk-cue-exterieur-nic object access permits
  capture extensive list ip pbx object nj-asa-priv-netowrk-cue-interieur-nic object access permits
  object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
  object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
  ciscotest list extended access allowed host ip network voip 192.168.5.41 idle object
  access-list extended ciscotest allowed host 192.168.5.41 voip inactive ip network object
  ciscotest list extended access allowed host ip network voip 192.168.5.43 idle object
  access-list extended ciscotest allowed host 192.168.5.43 voip inactive ip network object
  access-list out_in note remote access attempted
  out_in list extended access deny ip object China unicom shandong network any4
  access-list out_in note remote access attempted
  out_in list extended access deny ip object we-the-mianbaodianying any4
  out_in list extended access deny SIP pbx-voip-Interior-nic EQ udp object china-education-and-research-network-center object
  out_in list extended access allow icmp any4 object vpn-server-nic
  out_in list extended access permitted tcp any4 pptp vpn-server-nic eq of object
  out_in list extended access permitted tcp any4 object vpn-server-nic eq 47
  out_in list extended access allow accord any4 object vpn-server-nic
  out_in list extended access allow icmp any4 object pbx-voip-Interior-nic
  out_in list extended access permitted udp any4 object pbx-voip-Interior-nic eq tftp
  out_in list extended access permitted tcp any4 object pbx-voip-Interior-nic eq h323
  out_in list extended access permitted udp any4 sip pbx-voip-Interior-nic eq of object
  Comment from out_in-HTTPS access outside the access list
  out_in list extended access permitted tcp any4 object data-private-network eq https
  outside_access_in list extended access allow icmp host 192.168.10.20 any4
  access-list extended outside_access_in permit tcp host 192.168.10.20 any4 eq pptp
  outside_access_in list extended access allowed host any4 object 47 192.168.10.20
  outside_access_in list extended access allow accord any4 host 192.168.10.20
  outside_access_in list extended access permit tcp any object dvr dvr-6036 object-group
  outside_access_in list extended access permit udp any object dvr dvr-6036 object-group
  outside_access_in list extended access allowed object dvr-8888 any object dvr
  outside_access_in list extended access allow icmp any4 host 10.1.1.1
  access-list extended outside_access_in permit udp host 10.1.1.1 any4 eq tftp
  access-list extended outside_access_in permit tcp host 10.1.1.1 any4 eq h323
  access-list allowed outside_access_in extended udp any4 host 10.1.1.1 eq sip
  go to list of access outside_access_in note incoming https.
  outside_access_in list extended access permitted tcp any4 192.168.10.0 255.255.255.0 eq https
  pager lines 24
  Enable logging
  exploitation forest-size of the buffer 1048576
  monitor debug logging
  debug logging in buffered memory
  asdm of logging of information
  address record [email protected] / * /
  exploitation forest-address recipient [email protected] / * / level of errors
  exploitation forest flash-bufferwrap
  No registration message 106015
  No message logging 313001
  No registration message 313008
  no logging message 106023
  No message logging 710003
  no logging message 106100
  No message logging 302015
  No message recording 302014
  No message logging 302013
  No message logging 302018
  No message logging 302017
  No message logging 302016
  No message logging 302021
  No message logging 302020
  destination of exports flow inside 192.168.10.20 4432
  Outside 1500 MTU
  Within 1500 MTU
  ICMP unreachable rate-limit 3 burst-size 1
  ICMP allow any response of echo outdoors
  ICMP allow any echo outdoors
  ICMP allow any inaccessible outside
  ICMP permitted host 75.140.0.86 outside
  ICMP allow any inside
  ASDM image disk0: / asdm-715 - 100.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
  NAT (inside, all) static obj-data-network-obj-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static obj-data-network-obj-network source destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static obj-data-network-obj-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
  static static obj obj-data-network-obj-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
  static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
  static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
  static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
  static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  NAT (inside, all) static obj-data-network-obj-network source destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
  NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
  static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
  !
  object obj-asa-Interior-voip-nic network
  NAT XXX.XXX static (inside, outside). XXX.244
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  network obj_any-01 object
  NAT (inside, outside) dynamic obj - 0.0.0.0
  object obj-vpn-nic network
  NAT XXX.XXX static (inside, outside). XXX.254
  network dvr-nat-tcp8888 object
  NAT (inside, outside) interface static 8888 8888 tcp service
  network dvr-nat-tcp6036 object
  NAT (inside, outside) interface static 6036 6036 tcp service
  network dvr-nat-udp6036 object
  NAT (inside, outside) interface static service udp 6036 6036
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 XXX.XXX. XXX.241 1
  Route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
  Route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
  Route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication http LOCAL console
  AAA authentication enable LOCAL console
  LOCAL AAA authentication serial console
  AAA authentication LOCAL telnet console
  Enable http server
  http 192.168.10.0 255.255.255.0 inside
  http 10.0.1.0 255.255.255.0 inside
  http 192.168.254.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outdoors
  authentication & encryption v3 private Server SNMP group
  SNMP server group No_Authentication_No_Encryption v3 /noauth
  SNMP-server host inside the 192.168.10.20 community *.
  Server SNMP Ontario, CA location
  SNMP Server contact [email protected] / * /
  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec pmtu aging infinite - the security association
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256

  -MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
  Crypto dynamic-map myDYN-card 5 set transform-set ESP-DES-MD5 ikev1
  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  outside_map interface card crypto outside
  dynamic crypto isakmp 65535 ipsec myDYN-map myMAP map
  Crypto ca trustpoint CAP-RTP-001_trustpoint
  Terminal registration
  Configure CRL
  Crypto ca trustpoint CAP-RTP-002_trustpoint
  Terminal registration
  Configure CRL
  Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
  registration auto
  full domain name no
  name of the object cn = "_internal_ctl_phoneproxy_file_SAST_0"; UO = "STG"; o = "Cisco Inc."
  _internal_ctl_phoneproxy_file_SAST_0 key pair
  Configure CRL
  Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
  registration auto
  full domain name no
  name of the object cn = "_internal_ctl_phoneproxy_file_SAST_1"; UO = "STG"; o = "Cisco Inc."
  _internal_ctl_phoneproxy_file_SAST_1 key pair
  Configure CRL
  Crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
  registration auto
  full domain name no
  name of the object cn = "_internal_PP_ctl_phoneproxy_file"; UO = "STG"; o = "Cisco Inc."
  _internal_PP_ctl_phoneproxy_file key pair
  Configure CRL
  Crypto ca trustpoint Cisco-Mfg-CA
  Terminal registration
  Configure CRL
  Crypto ca trustpoint phoneproxy_trustpoint
  registration auto
  full domain name XXXXXXXXXX.com
  name of the object CN = XXXXXX - ASA
  phoneproxy_trustpoint key pair
  Configure CRL
  trustpool crypto ca policy
  string encryption CAP-RTP-001_trustpoint ca certificates
  certificate ca 7612f960153d6f9f4e42202032b72356
  quit smoking
  string encryption CAP-RTP-002_trustpoint ca certificates
  certificate ca 353fb24bd70f14a346c1f3a9ac725675
  quit smoking
  Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
  certificate e1aee24c
  CA
  quit smoking
  Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
  certificate e4aee24c
  quit smoking
  Crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
  certificate e8aee24c
  quit smoking
  a string of ca crypto Cisco-Mfg-CA certificates
  certificate ca 6a6967b3000000000003
  quit smoking
  Crypto ca certificate chain phoneproxy_trustpoint
  certificate 83cbe64c
  quit smoking
  Crypto ikev1 allow outside
  IKEv1 crypto policy 5
  preshared authentication
  the Encryption
  md5 hash
  Group 2
  life 86400
  IKEv1 crypto policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH 10.0.1.0 255.255.255.0 inside
  SSH 0.0.0.0 0.0.0.0 inside
  SSH timeout 60
  Console timeout 0
  management-access inside

  priority-queue outdoors
  TX-ring-limit of 256
  !
  maximum-session TLS-proxy 24
  !
  !
  TLS-proxy tls_proxy
  _internal_PP_ctl_phoneproxy_file point server trust
  CTL-file ctl_phoneproxy_file
  file-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
  !
  Media-termination asdm_media_termination
  address XXX.XXX. XXX.245 outside interface
  address interface inside 10.0.1.245

  !
  Phone-proxy asdm_phone_proxy
  Media-termination asdm_media_termination
  interface address 10.1.1.1 TFTP server on the inside
  TLS-proxy tls_proxy
  no settings disable service
  XXX.XXX proxy server address. Outside the xxx.242 80 interface
  a basic threat threat detection
  threat detection statistics
  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
  NTP server 192.168.10.60 source inside
  internal group myGROUP strategy
  Group myGROUP policy attributes
  VPN-idle-timeout no
  VPN-session-timeout no
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list ezvpn1
  allow to NEM
  XXXXX group policy / internal remote
  attributes of group XXXXX policy / remote
  Ikev1 VPN-tunnel-Protocol
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
  fstorm encrypted EICAA5sjaiU.vh05 privilege 15 password username
  username fstorm attributes
  type of remote access service
  username password encrypted PPfytzRN94JBZlXh privilege 0 ciscotac
  username cisco password encrypted privilege 15 omWHH15zt6aLxWSr
  attributes username cisco
  type of remote access service
  username XXXXXu8 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu8 attributes
  type of remote access service
  username password uniadmin G72KWXo/GsACJLJ7 encrypted privilege 15
  username XXXXXU1 encrypted password privilege 0 rmZe1Ee0HeReQn6N
  username XXXXXU1 attributes
  Strategy Group-VPN-XXXXX / remote
  type of remote access service
  username XXXXXu3 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu3 attributes
  type of remote access service
  username XXXXXu2 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu2 attributes
  type of remote access service
  username XXXXXu5 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu5 attributes
  type of remote access service
  username XXXXXu4 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu4 attributes
  type of remote access service
  username XXXXXu7 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu7 attributes
  type of remote access service
  username XXXXXu6 encrypted password rmZe1Ee0HeReQn6N
  username XXXXXu6 attributes
  type of remote access service
  tunnel-group XXXXX type remote access / remote
  attributes global-tunnel-group XXXXX / remote
  XXXXX address pool / remote
  Group Policy - by default-XXXXX / remote
  IPSec-attributes tunnel-group XXXXX / remote
  IKEv1 pre-shared-key *.
  type tunnel-group mytunnel remote access
  tunnel-group mytunnel General-attributes
  strategy - by default-group myGROUP
  mytunnel group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  !
  class-card CM-VOICE-SIGNAL
  match dscp af31
  class-map-outside-phoneproxy
  match eq 2443 tcp port
  class-map inspection_default
  match default-inspection-traffic
  Class-map data
  match flow ip destination-address
  match tunnel-group mytunnel
  class-card CM-VOICE
  match dscp ef
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 1024
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the pptp
  inspect the icmp
  class class by default
  Statistical accounting of user
  flow-export-type of event all 192.168.10.20 destination
  outside-policy policy-map
  class outside-phoneproxy
  inspect the thin phone-proxy asdm_phone_proxy
  CM-VOICE class
  priority
  CM-VOICE-SIGNAL class
  priority
  World-Policy policy-map
  !
  global service-policy global_policy
  207.46.163.138 SMTP server
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  HPM topN enable
  Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
  : end

  If someone could give a clue as to what could be the problem, I would appreciate it.

  / / / / o ? 0:o); ++ rc; c ++) a [c] .apply (i, r); var s = f [g [n]]; {return s & s.push ([m, n, r, i]), I} function p (e, t) {[e] w = l (e) .concat (t)} function l (e) {return [e] w |} []} function d (e) {return s [e] [e] s =: o (n)} function v (e, t) {c (e, function (e, n) {t = t |})} "" featured ", g [n] = t, f t | (f[t]=[])})} var w = {,} g = {}, m = {on: p, emit: n, get: d, listeners: l, context: t, buffer: v}; "return m} function i() {return new r} var a ='[email protected] / * /', u = e ("GDS"), (2) c = e, f is {}, s = {}, p is t.exports = o (); [p.backlog = f}, {}], gos: [function (e, t, n) {function r (e, t, n) {if (o.call (e, t)) e [t] return; var r = n (); if (Object.defineProperty & Object.keys) try {return Object.defineProperty (e t, {value: r, available in writing:! 0, countable:! 1}), r} catch (i) {return [t] = r, r e} var o = Object.prototype.hasOwnProperty; t.exports = r}, {}], handle: [function (e, t, n) {function r (e, t, n [{(, r) {o.buffer([e],r), o.emit(e,t,n)} var o = e("ee").get ("handle"); t.exports = r, r.ee = o}, {}], id: [function (e, t, n) {function r (e) {var t = typeof e; return! e |}}] "(» Object"!==t&&"function"!==t?-1:e===Window?0:a(e,i,Function() {return o ++})} var o = 1, I = "[email protected] / * /', a = e ("gos"); [t.exports = r}, {}], charger: [function (e, t, n) {function r() {if(!w++) {var e = v.info = NREUM.info, t = s.getElementsByTagName ("script") [0]; if(e&&e.licenseKey&&e.applicationID&&t) {c (l, function (t, n) {[t] e |})}}}}] (e [t] = n)}) ; var n = "https" = p.split (":") [0] | e.sslForHttp; v.proto = n? ([' https://":"http://",u("Mark",["OnLoad",a ()], null,"api"); var r = s.createElement ("script");r.src=v.proto+e.agent,t.parentNode.insertBefore(r,t)}}} function o() {"complete" = s.readyState & i ()} function i() {u ("mark", ["domContent", a ()], null, "api")} function a() {return (new Date) .getTime ()} var u = e ('handful'), c = e (2), f = window, s = f.document; NREUM.o = {ST:setTimeout, CT:clearTimeout, XHR:f.XMLHttpRequest, REQ:f.Request, EV:f.Event, PR:f.Promise, MO:f.MutationObserver}, e (1); var p=""+location,l={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net",agent:"js-agent.newrelic.com/nr-918.min.js"},d=window. XMLHttpRequest&&XMLHttpRequest.prototype&&XMLHttpRequest.prototype.addEventListener&&!/CriOS/.test (navigator.userAgent), v = t.exports = {offset: a (), original: p, features: {}, xhrWrappable:d}; s.addEventListener? (s.addEventListener("DOMContentLoaded",i,!1),f.addEventListener("load",r,!1)):(s.attachEvent("onreadystatechange",o),f.attachEvent("onload",r)),u("mark",["firstbyte",a ()], null, "api"); ({[var w = 0}, {}]}, {}, ["loader"]); // ]]> // // //

  Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!

  Now, given that your issue is resolved, you must mark the thread as "answered" :)

  Thank you for evaluating useful messages!

• Bluetooth headset with Cisco IP phones

  Hi all

  A client tries to connect a headset bluetooth Plantronics Savi WT/1 t with a Cisco 7940 IP phone and it seems to work very well when he receives a call and press the button 'phone' at the bottom of the phone. However, he wants to be able to walk outside his office and be able to receive calls by pressing the button on his bluetooth headset but the button is not admissible. Is there a way to configure that? I have the impression that the button on the helmet and the helmet on the IP phone button would somehow be synchronized but I don't see how that's possible. Someone has configured an earpiece bluetooth with a Cisco IP phone and have this feature work?

  Thank you for your help in advance.

  Hello Asad,

  To make this work, you would need a number of things;

  -a phone that supports HHC (headset hookswitch control) such as

  Cisco 7942G, 7962G, 7945 G, 7965G, 7975 G

  -the right to work with the Savi Plantronics cable, it would be

  connect to the port on the bottom of the phone and works together with the

  with the HHC funtion (enabled) on the config of the phone in CUCM

  -minimum sr7 CUCM 4.1 (3)

  I can't find the model of Savi, you're connected, but if you could check the exact model

  number/name we could provide more details.

  See you soon!

  Rob