ASA 5505 Licensing / clarification of encryption
Hello
I have an ASA 5505 with the Security Plus license. The specific entries that I focus on when I do a 'show version' are:
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : 25 perpetual
For my IPsec IKEv2, I have:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 10000
Bringing up an L2L VPN, I'm able to establish IPsec/IKEv2 with DH group 21 without problem.
But when I try to connect a remote client with Cisco AnyConnect, I get the following message:
An IKEv2 remote access connection failed. Attempting to use NSA Suite B (ECDH Group) algorithm without an AnyConnect Premium license.
After some research, I see that Diffie-Hellman groups 19 and above are considered NSA Next Gen algorithms. I guess that I don't have the correct license to support this with the AnyConnect client, so I edited my IKEv2 policy as follows:
crypto ikev2 policy 1
 group 14 21
My problem is that I still get the same error. Shouldn't AnyConnect negotiate down to group 14? And shouldn't the L2L negotiate the highest possible, group 21?
All advice is appreciated.
When you have both AnyConnect Essentials and Premium licenses on an ASA, you must choose one or the other type for all AnyConnect clients.
We see this in general where a customer started with the Essentials license and later added Premium. When you do this, you must configure "no anyconnect essentials" in order to use features that require the Premium license level.
All Essentials clients should continue to work in your case, since the number of authorized users is equal on both license types. On larger devices, Premium licenses can cover fewer peers than Essentials, since the former is sold by number of users (and can get very expensive on the larger boxes because there are potentially thousands of users) and the latter is a relatively cheap license which covers the whole device up to its hardware capacity.
On the 5505 the maximum capacity is 25 and you already have the same number registered for Premium. (The Premium license SKUs available for this platform are 10 and 25.)
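The answer above ties the failure to the Essentials/Premium exclusivity rather than to the DH group list. Here is an added Python check (not from the thread, not Cisco code) that reads the license table of `show version` and the running config and reports the combination the poster hit. Both sample outputs are constructed in the shape of the poster's; `anyconnect essentials` under `webvpn` and the `no anyconnect essentials` fix are the commands the answer names. The ECDH group set {19, 20, 21} is an assumption drawn from the "(ECDH Group)" wording of the error and the poster's note that groups 19 and up trigger it; the L2L tunnel is unaffected, which is why the check only reasons about remote access.

```python
import re

# ECDH groups the ASA gates behind the Premium license for remote access
# (assumption: the error text says "(ECDH Group)" and the poster reports
# groups 19 and above trigger it)
SUITE_B_DH_GROUPS = {19, 20, 21}

# Constructed sample, in the shape of the license section of `show version`
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : 25             perpetual
Total VPN Peers                   : 25             perpetual
"""

# Constructed sample config: the poster's policy after adding group 14,
# with AnyConnect Essentials still enabled under webvpn
RUNNING_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14 21
 prf sha512
 lifetime seconds 10000
webvpn
 enable outside
 anyconnect essentials
"""


def parse_licenses(show_version):
    """Map each 'Feature : value' line of the license table to its value token."""
    licenses = {}
    for line in show_version.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S+)", line)
        if m:
            licenses[m.group(1)] = m.group(2)
    return licenses


def parse_ikev2_policies(config):
    """Return {policy number: set of DH groups} from crypto ikev2 policy blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = set()
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+group((?:\s+\d+)+)\s*$", line)
            if m:
                policies[current].update(int(g) for g in m.group(1).split())
        else:
            current = None  # left the indented policy block
    return policies


def essentials_enabled(config):
    """True while 'anyconnect essentials' is configured (not negated with 'no')."""
    return any(re.match(r"\s*anyconnect essentials\s*$", l) for l in config.splitlines())


def audit(show_version, config):
    """Findings that explain an AnyConnect IKEv2 Suite B license failure; L2L is unaffected."""
    premium = int(parse_licenses(show_version).get("AnyConnect Premium Peers", "0"))
    essentials = essentials_enabled(config)
    findings = []
    for number, groups in parse_ikev2_policies(config).items():
        ecdh = sorted(groups & SUITE_B_DH_GROUPS)
        if not ecdh:
            continue
        if premium == 0:
            findings.append(f"ikev2 policy {number} offers ECDH group(s) {ecdh} "
                            "but no AnyConnect Premium peers are licensed")
        elif essentials:
            findings.append(f"ikev2 policy {number} offers ECDH group(s) {ecdh} while "
                            "AnyConnect Essentials is active; configure 'no anyconnect essentials' "
                            "so remote-access sessions run under the Premium license")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_VERSION, RUNNING_CONFIG):
        print(finding)
```

The check is deliberately conservative: any ECDH group in a policy is flagged while Essentials is active, because the poster reports that listing group 14 beside 21 did not make the error go away.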
Tags: Cisco Security
Similar Questions
-
Selection of ASA 5505 license and Smartnet
Hello
We bought an ASA 5505 (ASA5505-BUN-K9) and more recently bought the license to upgrade from 10 to 50 users (L-ASA5505-10-50).
I want to provide remote access to users via AnyConnect, specifically AnyConnect on Windows as well as iPhone/iPad and Android. My understanding is that I should buy the AnyConnect Essentials (L-ASA-AC-E-5505) and AnyConnect Mobile (L-ASA-AC-M-5505) licenses. Is this correct? If I do this, how many simultaneous remote access VPN connections (via the AnyConnect clients) will the ASA then support?
In addition, we did not initially purchase SMARTnet with this device, but I want to in order to get access to software updates. Is there a document or a site where I can locate the SMARTnet contract SKUs that would be appropriate for our device? Or could someone provide a few example SKUs?
The output of 'show version' is below:
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Fri 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
asa1 up 42 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0 : address is 649e.f3b3.c2bb, irq 11
 1: Ext: Ethernet0/0 : address is 649e.f3b3.c2b3, irq 255
 2: Ext: Ethernet0/1 : address is 649e.f3b3.c2b4, irq 255
 3: Ext: Ethernet0/2 : address is 649e.f3b3.c2b5, irq 255
 4: Ext: Ethernet0/3 : address is 649e.f3b3.c2b6, irq 255
 5: Ext: Ethernet0/4 : address is 649e.f3b3.c2b7, irq 255
 6: Ext: Ethernet0/5 : address is 649e.f3b3.c2b8, irq 255
 7: Ext: Ethernet0/6 : address is 649e.f3b3.c2b9, irq 255
 8: Ext: Ethernet0/7 : address is 649e.f3b3.c2ba, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
 10: Int: Not used : irq 255
 11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 50 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 10 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
---
Thank you!
Yes, you are right, you must purchase the AnyConnect Essentials and AnyConnect Mobile license keys, and you can run a maximum of 25 simultaneous AnyConnect sessions.
Here are the compatible Android devices for your reference:
For SMARTnet, depending on the service level you need, here are a few examples for the ASA5505:
- SMARTnet Premium 24x7x4 (SNTP): CON-SNTP-AS5B50K9
- SMARTnet 8x5xNBD (SNT): CON-SNT-AS5B50K9
-
Hello
So I have two ASA 5505 "routers". Let's say router A has a 50-user license and router B has 10. What it boils down to: I am swapping the two routers around. The office where router B is will get router A, and vice versa.
I wonder how licensing works; is it embedded in the device?
If I copy the running configuration of router A to router B, does router B (the same physical box as before, just with router A's config) still have 10 licenses? And if I copy router B's configuration to router A, router A should still have 50 licenses, right?
Thank you!
-John
Hi John,
Licenses are always tied to the serial number, so even if you change the configs, the 10-user box keeps a 10-user license regardless of the configuration on it. So yes, even if you swap the configs, the 50-user unit would remain 50-user and the 10-user unit would remain 10-user.
Hope that helps
Thank you
Varun
-
NATing my ASA 5505 private network to a public encryption domain
Hello Cisco community.
I was wondering if you could help me with the question below. I have a Cisco ASA 5505 which I use for
my site-to-site tunnels, and we use private IP addresses for our encryption domains. Recently our new partner informed
us that they no longer accept private IP addresses for their VPN tunnels, so I tried to use port forwarding by creating a static NAT.
partner encryption domain = 72.x.x.x
my public address = 59.x.x.x
my encryption domain = 192.168.45.5/24
partner encryption domain ---> my public IP address (port forwarding) ---> my private encryption domain
The tunnel status is up, but my local network traffic is not getting to the partner side; the partner's traffic is visible in the logs.
Thanks for all your help.
Sorry for my broken English.
It is better to have a dedicated public IP for this static policy NAT, rather than using the same public IP address as the outside interface of the ASA.
-
Hi guys, I currently use the ASA 5505 Base license and as far as I know it supports only 10 VPN peers by default. I plan to upgrade, so I contacted 2 vendors, and they gave me different answers for going beyond 10 peers: vendor 1 offers me ASA5505-SW-10-50= and vendor 2 offers me L-ASA5505-SEC-PL=. So my question: which part number should I get if I want to exceed 10 VPN peers? Thanks in advance.
The ASA5505-SW-10-50= license only gives you more inside hosts, not more VPN peers. You need the Security Plus license (L-ASA5505-SEC-PL=) to get more VPN peers. But that will not give you more inside users if that limit is also too small. If you need to increase both, you need both licenses.
-
How to add IDS to the ASA 5505 and 5520?
Dear All;
We have the following hardware configuration for the ASA 5505 and ASA 5520, and we want to add Intrusion Detection System (IDS) functionality to both ASAs. My question is: what modules are required to support this function, and what is the difference between IPS and IDS? Does the same module do both?
Part number | Description | Qty
ASA5505-BUN-K9 | ASA 5505 appliance with SW, 10 users, 8 ports, 3DES/AES | 1
CON-SNT-AS5BUNK9 | SMARTNET 8X5XNBD ASA5505-BUN-K9 | 1
SF-ASA5505-8.2-K8 | ASA 5505 Series Software v8.2 | 1
CAB-AC-C5 | Power cord, Type C5, US | 1
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 1
ASA5505-PWR-AC | ASA 5505 power adapter | 1
ASA5505-SW-10 | ASA 5505 10 user software license | 1
SSC-BLANK | ASA 5505 SSC slot blank cover | 1
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 1

Part number | Description | Qty
ASA5520-BUN-K9 | ASA 5520 appliance with SW, HA, 4GE+1FE, 3DES/AES | 2
CON-SNT-AS2BUNK9 | SMARTNET 8X5XNBD ASA5520 w/300 VPN Prs 4GE+1FE 3DES/AES | 2
ASA5520-VPN-PL | ASA 5520 VPN over 750 IPsec User License (7.0 only) | 2
ASA-VPN-CLNT-K9 | Cisco VPN Client (Windows, Solaris, Linux, Mac) software | 2
SF-ASA-8.2-K8 | ASA 5500 Series Software v8.2 | 2
CAB-ACU | Power cord (UK) C13 BS 1363 2.5 m | 2
ASA-180W-PWR-AC | ASA 180W power supply | 2
ASA5500-BA-K9 | ASA 5500 encryption license (3DES/AES) | 2
ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Secure Desktop software | 2
SSM-BLANK | ASA/IPS SSM slot blank cover | 2
Thanks in advance.
Rashed Ward.
Okay, I was not quite correct in my first post.
These modules are only available for the corresponding ASA models.
They can all act as IPS (inline mode) or IDS (promiscuous mode), depending on how you configure your policies.
When acting as IPS, the ASA redirects all traffic through the module, so all traffic is inspected and can be dropped inline if a signature is triggered.
When acting as IDS, the ASA sends a copy of the traffic to the module for inspection, but the actual traffic is not affected by the module, as it is not inline in this case.
In addition, these modules can do both in combination. That is, part of the traffic can be inspected inline, while some other (more sensitive) traffic is inspected in promiscuous mode.
To better understand, familiarize yourself with this link:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/modules_ips.html
-
ASA 5505 host license limit has been exceeded
I'm receiving syslog message 450001 - host license limit has been exceeded.
show version on my ASA 5505 (8.0.2) shows inside hosts limited to 10. The limit of 10 corresponds to the limit (10) in the syslog error message.
How is this number of hosts calculated? show arp shows 6 addresses on the inside interface.
Hello
Don't use "show arp", use "show local-host" instead.
Excerpt from http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/specs.pdf
In routed mode, inside hosts (business and home VLANs) count toward the limit only when they communicate with the outside (Internet VLAN).
Internet hosts are not counted toward the limit. Also, hosts that initiate traffic between the business and home VLANs are not counted toward the limit. The interface
associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit.
In transparent mode, the interface with the lowest number of hosts is counted toward the host limit. See the show local-host command to view the host
limits.
Kind regards
Dandy
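The quoted rule is easy to misread, so here is an added Python model of it (not from the thread, not Cisco code). It counts hosts the way the excerpt describes for routed mode: only the non-Internet end of a connection that crosses the interface holding the default route counts, Internet hosts never count, and with no default route every host on every interface counts. The connection records and routing table are constructed in the spirit of `show local-host` and `show route`; the sample also shows why `show arp` on one interface is a different number.

```python
from collections import namedtuple

# One record per connection: interface and address of each end (constructed)
Conn = namedtuple("Conn", "src_if src_ip dst_if dst_ip")

# Constructed sample: three VLAN interfaces, default route out of 'outside'
ROUTES = {"0.0.0.0/0": "outside", "192.168.1.0/24": "inside", "10.0.0.0/24": "dmz"}
CONNS = [
    Conn("inside", "192.168.1.10", "outside", "8.8.8.8"),
    Conn("inside", "192.168.1.11", "outside", "1.1.1.1"),
    Conn("inside", "192.168.1.12", "outside", "8.8.8.8"),
    Conn("inside", "192.168.1.10", "dmz", "10.0.0.5"),        # same host again, not counted twice
    Conn("inside", "192.168.1.20", "dmz", "10.0.0.5"),        # business<->home only: not counted
    Conn("outside", "203.0.113.7", "inside", "192.168.1.30"),  # Internet host never counts; its peer does
    Conn("dmz", "10.0.0.5", "outside", "8.8.8.8"),            # home VLAN host talking out: counts
]


def internet_interface(routes):
    """Interface holding the default route, or None when there is no default route."""
    return routes.get("0.0.0.0/0")


def counted_hosts(conns, routes):
    """Set of addresses the host license counts under the documented rule."""
    internet = internet_interface(routes)
    hosts = set()
    for c in conns:
        if internet is None:
            # No default route: hosts on every interface count
            hosts.update({c.src_ip, c.dst_ip})
        elif c.src_if == internet and c.dst_if != internet:
            hosts.add(c.dst_ip)
        elif c.dst_if == internet and c.src_if != internet:
            hosts.add(c.src_ip)
    return hosts


def arp_entries(conns, interface):
    """Addresses seen on one interface, the number `show arp` would suggest."""
    return {c.src_ip for c in conns if c.src_if == interface} | \
           {c.dst_ip for c in conns if c.dst_if == interface}


def license_status(conns, routes, limit):
    """(count, over_limit): over_limit is when the count exceeds the licensed hosts."""
    n = len(counted_hosts(conns, routes))
    return n, n > limit


if __name__ == "__main__":
    print("licensed count:", license_status(CONNS, ROUTES, 10))
    print("inside arp entries:", len(arp_entries(CONNS, "inside")))
```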
-
Issue of ASA 5505 VPN licenses
I have three sites that I want to connect via site-to-site VPN, deployed on three ASA 5505s. How does the term 'peers' in the license text affect my scenario? Is each peer ASA in a site-to-site solution counted, or is each user transmitting data through the established tunnel also counted?
Users passing through the site-to-site tunnel are not counted. Only the peers themselves.
-
ASA 5505 Security Plus license question
Hi all!
I have an ASA 5505 that I am testing, which originally came with the Security Plus license. Recently I erased flash and loaded the latest asa841-k8.bin image with asdm-642.bin. Everything boots fine and comes up as it did when new; however I noticed that I am now running only a Base license. If I run the sh activation-key command, I see the following messages (complete output is below):
The Running Activation Key is not valid, using default settings
......
This platform has a Base license.
......
Failed to retrieve permanent activation key from flash
Did I somehow kill my Security Plus license when I did the flash erase? If so, how do I get it back?
Thank you!!!
-ken
ciscoasa# sh activation-key
Serial Number: JMXXXXXXHU
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Failed to retrieve permanent activation key from flash.
The flash permanent activation key is the SAME as the running permanent key.
Hi Ken,
If you know your Security Plus license activation key, you can simply re-install it with the "activation-key" command from global configuration mode.
If you have lost the key, you'll want to open a support case to get it retrieved.
Hope that helps.
-Mike
-
licenses for ASA 5505, site-to-site vpn
Hi, gang,
I've not worked on ASAs for a few years, so I'm a little rusty on licensing. My client has 5 locations, with a few computers at each location. 4 site-to-site VPN tunnels will be implemented so that 1 accounting server at the main location is accessible from the others. Simple configuration. I wonder if I have to purchase additional licenses? This is the part number of the device I'm aiming for:
ASA5505-BUN-K9
Cisco ASA 5505 Adaptive Security Appliance, 8-port Fast Ethernet switch with 10 user licenses. Thank you!
Jonathan
Your VPN licensing is perfectly fine, as the Base license supports 10 VPN peers. The 10 user license is what could be more restrictive.
And if the 5505 is not yet bought, go directly to the ASA 5506-X, as the 5505 is a legacy device and will probably go EOS soon.
-
Confused about licensing ASA 5505
Does the ASA 5505 Base license somehow limit how many 'inside' subnets you can have if they are configured on a layer 3 switch connected to the ASA5505? I know that I can configure only 3 VLANs on the ASA, but I don't think that forbids me from using several VLANs on my switch...
No, it does not limit the number of subnets behind it. Depending on your user license it will limit the number of users that can go through the firewall. A show version will show how many users you are licensed for. Also make sure you have all routing in place on your ASA.
-
ASA 5505 SSL VPN license update
Hi all.
Our ASA 5505 with the default Base license allows only 10 simultaneous VPN sessions (including 2 AnyConnect + IPsec). Attached is a TXT file with the license information. This firewall is used only for VPN access, and we have IPsec L2L VPN tunnels, AnyConnect SSL client and IPsec client VPN configurations up and running.
We are planning to upgrade the VPN license to get 10 IPsec, 10 AnyConnect and 1 AnyConnect Mobile VPN sessions at a time. So my questions are:
1. Can I buy "ASA5500-SSL-10=" and upgrade our ASA 5505 without having to buy the "L-ASA5505-SEC-PL=" Security Plus license?
2. Can the ASA upgrade only the AnyConnect SSL VPN license while keeping the 10 IPsec VPN peers that come with the Base license?
Thanks, and your comments are much appreciated.
Thank you
JCK
1. Yes.
2. Yes.
If you want to keep Clientless SSL VPN, you would want to continue with adding the ASA5500-SSL-10= part. If you can do without clientless (including converting the two existing ones), you can more economically opt for the Security Plus and AnyConnect Essentials licenses (US$800 vs. $1250 list).
In both cases, mobile devices require the AnyConnect Mobile (ASA-AC-M-5505) license.
-
Need 10 SSL licenses for ASA 5505 with Base license - is the Security Plus license necessary?
A salesman told me that one of my clients needs an upgrade to a Security Plus license before he can add 10 SSL VPN licenses. I have browsed Cisco's web site and could not find anything saying that either way. Does anybody know what it takes? Thank you.
I have never installed them on a non-SecPlus ASA, but the documentation clearly indicates that it is supported:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp2141762
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
ASA 5505 transparent mode doesn't pass traffic
Hi all
Need help
The ASA 5505 does not pass traffic like a patch cable would. How do I get traffic through?
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Sat 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 55 mins 31 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0 : address is e4d3.f193.9486, irq 11
 1: Ext: Ethernet0/0 : address is e4d3.f193.947e, irq 255
 2: Ext: Ethernet0/1 : address is e4d3.f193.947f, irq 255
 3: Ext: Ethernet0/2 : address is e4d3.f193.9480, irq 255
 4: Ext: Ethernet0/3 : address is e4d3.f193.9481, irq 255
 5: Ext: Ethernet0/4 : address is e4d3.f193.9482, irq 255
 6: Ext: Ethernet0/5 : address is e4d3.f193.9483, irq 255
 7: Ext: Ethernet0/6 : address is e4d3.f193.9484, irq 255
 8: Ext: Ethernet0/7 : address is e4d3.f193.9485, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
 10: Int: Not used : irq 255
 11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Configuration register is 0x1
Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
ciscoasa#
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password 8eeGnt0NEFObbH6U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface 
Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
ftp mode passive
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outs_in in interface inside
access-group outs_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
: end
ciscoasa#
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
ciscoasa#
Hello
Exactly... Good to know it works now.
Do you know why it needs the IP address (as a transparent firewall)?
The ASA will act as a transparent layer 2 device on the network, but what happens when the ASA does not have a particular destination MAC address... what would be the source IP address of the packet? The IP address of the ASA. So that's the main reason why we need it.
We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this IP address as the source).
Please mark the question as answered, so future users can benefit from this.
Julio Carvajal
Costa Rica
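The posted `sh run` shows the tell in one line: `no ip address` at global level in a transparent-mode 8.2 config, which is what the answer above is explaining. Here is an added Python lint (not from the thread, not Cisco code) that flags that state and, while it has the config parsed, also checks that every `access-group` points at an ACL that exists. The sample config is a constructed cut of the one posted above; the `ip address 192.168.1.1 255.255.255.0` used for the fixed variant is an assumed management address. In 8.2 the transparent-mode address is the global `ip address` command; from 8.4 it moves under `interface BVI<n>`, which this lint does not parse.

```python
import re

# Constructed cut of the posted config: transparent mode, no management IP
BROKEN = """\
firewall transparent
hostname ciscoasa
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
no ip address
access-group outs_in in interface inside
access-group outs_in in interface outside
"""

# Same config with an assumed management address (8.2 transparent-mode syntax)
FIXED = BROKEN.replace("no ip address", "ip address 192.168.1.1 255.255.255.0")


def is_transparent(config):
    """True when the config selects transparent (layer 2) firewall mode."""
    return any(line.strip() == "firewall transparent" for line in config.splitlines())


def management_ip(config):
    """(address, mask) from a global 'ip address A M' line (8.2 transparent mode), or None."""
    for line in config.splitlines():
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return m.group(1), m.group(2)
    return None


def acl_names(config):
    """Names of all access-lists defined in the config."""
    return {line.split()[1] for line in config.splitlines() if line.startswith("access-list ")}


def access_group_refs(config):
    """[(acl, direction, interface)] for every access-group binding."""
    refs = []
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            refs.append(m.groups())
    return refs


def lint(config):
    """Findings a reviewer would raise on a transparent-mode ASA config."""
    findings = []
    if is_transparent(config) and management_ip(config) is None:
        findings.append("transparent mode without a management IP address: the ASA has no "
                        "source address for its own traffic (ARP for unknown destinations, "
                        "AAA, management); add 'ip address <addr> <mask>'")
    names = acl_names(config)
    for acl, direction, iface in access_group_refs(config):
        if acl not in names:
            findings.append(f"access-group references undefined ACL {acl} "
                            f"({direction}) on interface {iface}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(cfg) or "ok")
```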
-
VPN site-to-site between ASA 5505 and 2911
Hi all
I'm trying to set up a S2S VPN. The office router is a 2911 with IP a.a.a.a, the remote office is an ASA 5505 running 8.4(3) with IP b.b.b.b, but no luck.
2911 config:
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
logging buffered 51200 warnings
!
no aaa new-model
!
!
ipv6 spd queue-min-threshold 62
ipv6 spd queue-max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktop
 import all
 network 192.168.33.0 255.255.255.0
 default-router 192.168.33.254
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool wi-fi
 import all
 network 192.168.44.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.44.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool DMZ
 import all
 network 192.168.55.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.55.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool voip
 import all
 network 192.168.22.0 255.255.255.0
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 default-router 192.168.22.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool servers
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 192.168.10.10 202.50.246.41 202.50.246.42
 domain-name local
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
timeout 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3956567439
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3956567439
 revocation-check none
 rsakeypair TP-self-signed-3956567439
!
!
crypto pki certificate chain TP-self-signed-3956567439
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
 description full network range
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
object-group network limited
 description network without servers and router
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
vtp version 2
username admin privilege 0 password 7 password
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
crypto isakmp key admin address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set SET esp-aes esp-sha-hmac
!
!
!
crypto map map 10 ipsec-isakmp
 set peer b.b.b.b
 set transform-set SET
 match address 160
!
!
!
!
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.22
 encapsulation dot1Q 22
 ip address 192.168.22.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.33
 encapsulation dot1Q 33
 ip address 192.168.33.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.44
 encapsulation dot1Q 44
 ip address 192.168.44.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.55
 encapsulation dot1Q 55
 ip address 192.168.55.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 description $ES_LAN$
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/0/0
 ip address a.a.a.a 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map map
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static udp a.a.a.a 500 interface GigabitEthernet0/0/0 500
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 permit ip object-group FULL_NET any
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
 password 7 password
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
!
end
The ASA config:
: Saved
:
ASA Version 8.4(3)
!
hostname C
domain-name domain
enable password password encrypted
passwd passwd encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 100
!
interface Ethernet0/6
 switchport trunk allowed vlan 2,6
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description INTERNET
 mac-address 1234.5678.0001
 nameif WAN
 security-level 0
 ip address b.b.b.b 255.255.255.248 standby c.c.c.c
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 1234.5678.0102
 nameif OLD-Private
 security-level 100
 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 1234.5678.0106
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ospf cost 10
!
interface Vlan100
 description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
 subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
 subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
 subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
 subnet 192.168.17.0 255.255.255.0
object network subnet-00
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
 network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
 network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
 network-object 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 52000
logging monitor informational
logging trap informational
logging asdm informational
logging from-address syslog
logging recipient-address admin level errors
logging host OLD-Private 192.168.17.110 format emblem
logging debug-trace
logging permit-hostdown
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit host x.x.x.x WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp permit host c.c.c.c WAN
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host a.a.a.a OLD-Private
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
icmp permit host a.a.a.a Management
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp
nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp
nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! 
threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! 
policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1 no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable
ASA:
# show crypto ipsec sa
There are no ipsec sas
# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
2911:
# show crypto ipsec sa
interface: GigabitEthernet0/0/0
    Crypto map tag: map, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Thanks for your time,
Nick
Please add:
crypto map Office 2 set ikev1 transform-set OFFICE
If that does not help, please enable debug crypto ipsec 255 and paste the output here.
HTH. Please rate if it was helpful. Marking it as "Correct answer" would also be appreciated.
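The reply above points at the one missing piece: the crypto map entry that is actually bound to the WAN interface (Office 2) has a match ACL and a peer but no transform-set, so the ASA has nothing to propose in IPsec phase 2, which matches the empty SA tables on both sides. The following script is an added example, not code from this thread or from Cisco; it parses the "crypto map" lines of an ASA-style config and flags, per sequence number, which of the pieces IPsec needs (match ACL, peer, IKEv1 transform-set or IKEv2 proposal, interface binding) are absent. The SAMPLE_CONFIG is a constructed excerpt modelled on the crypto map lines of the posted config; the function and variable names are my own.

```python
"""Lint crypto map entries in a Cisco ASA running-config.

Added example (not from the thread or from Cisco). Reports, for each
static crypto map sequence, whether it has a match ACL, a peer and a
transform-set / IPsec proposal, and whether the map is applied to an
interface at all. Dynamic entries are skipped because they take their
settings from the referenced dynamic map.
"""
import re
from collections import defaultdict

# Constructed excerpt mirroring the crypto map lines in the posted config.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer a.a.a.a
crypto map Office interface WAN
crypto map MAP 10 set peer a.a.a.a
crypto map MAP 10 set ikev1 transform-set OFFICE
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config_text):
    """Return ({(map, seq): attrs}, {map: interface}) parsed from config text."""
    entries = defaultdict(dict)
    bindings = {}
    for line in config_text.splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        attrs = entries[(name, seq)]
        if rest.startswith("match address "):
            attrs["match"] = rest.split()[2]
        elif rest.startswith("set peer "):
            attrs["peer"] = rest.split()[2:]
        elif rest.startswith("set ikev1 transform-set "):
            attrs["transform"] = rest.split()[3:]
        elif rest.startswith("set ikev2 ipsec-proposal "):
            attrs["proposal"] = rest.split()[3:]
        elif "dynamic" in rest.split():
            attrs["dynamic"] = rest.split()[-1]
    return dict(entries), bindings


def lint_crypto_maps(config_text):
    """Return a sorted list of (map, seq, problem) findings."""
    entries, bindings = parse_crypto_maps(config_text)
    findings = []
    for (name, seq), attrs in sorted(entries.items()):
        if name not in bindings:
            findings.append((name, seq, "map not applied to any interface"))
        if "dynamic" in attrs:
            continue  # settings come from the dynamic map
        if "match" not in attrs:
            findings.append((name, seq, "missing 'match address'"))
        if "peer" not in attrs:
            findings.append((name, seq, "missing 'set peer'"))
        if "transform" not in attrs and "proposal" not in attrs:
            findings.append((name, seq, "missing transform-set / ipsec-proposal"))
    return findings


if __name__ == "__main__":
    for name, seq, problem in lint_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {problem}")
```

Run against the excerpt, the linter reports that Office 2 (the only map bound to WAN) lacks a transform-set, and that WAN_map and MAP are defined but never applied to an interface, so their entries are dead configuration. Adding the line from the reply clears the Office finding.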