ASA 5505 Tunnel No. traffic

Similar Questions

• Client VPN und Cisco asa 5505 tunnel work but no traffic

  Hi all

  I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

  I have the following problem:

  I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

  To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

  Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

  After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

  I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

  What I did wrong. Could someone let me know what I have to do today.

  With hope for your help Dimitri.

  ASA configuration after reset and basic configuration: works to the Internet from within the course.

  : Saved

  : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

  !

  ASA Version 8.2 (2)

  !

  ciscoasa hostname

  activate 2KFQnbNIdI.2KYOU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE client vpdn group home

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 194.25.0.60

  Server name 194.25.0.68

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

  inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

  inside_access_in list extended access deny ip any any debug log

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

  homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location 192.168.0.0 255.255.0.0 inside

  ASDM location 192.168.10.0 255.255.255.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group home request dialout pppoe

  VPDN group House localname 04152886790

  VPDN group House ppp authentication PAP

  VPDN username 04152886790 password 1

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  TFTP server 192.168.1.5 inside c:/tftp-root

  WebVPN

  Group Policy inner residential group

  attributes of the strategy of group home group

  value of 192.168.1.1 DNS server

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list homegroup_splitTunnelAcl

  username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

  user01 username attributes

  VPN-strategy group home group

  tunnel-group home group type remote access

  attributes global-tunnel-group home group

  address homepool pool

  Group Policy - by default-homegroup

  tunnel-group group residential ipsec-attributes

  pre-shared-key ciscotest

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

  : end

  Hello

  Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

  If you connect via VPN, check the following:

  1. the tunnel is established:

  HS cry isa his

  Must say QM_IDLE or MM_ACTIVE

  2 traffic is flowing (encrypted/decrypted):

  HS cry ips its

  3. Enter the command:

  management-access inside

  And check if you can PING the inside ASA VPN client IP.

  4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

  Federico.

• Site2Site VPN ASA 5505 - allow established traffic

  Hello

  I have an ikev1/Ipsec tunnel between two ASA.

  Network with local 10.31.0.0/16

  The other network with local 172.21.0.0/24

  But I would like that only traffic that is launched from the 10.31.0.0/16 is allowed to 172.21.0.0/24 to 10.31.0.0/16 is it possible?

  (to answer 10.31.0.0/16 is enable between this remote network 172.21.0.0/24)

  Best regards, Steffen.

  Hello

  If I didn't understand anything wrong in the above question then I think you might be able to perform the following operations on the ASA with the local network of 10.31.0.0/16.

  The ASA has the following global configuration, which is the default if you don't the have not changed

  Sysopt connection permit VPN

  This show CUSTOMARY in CLI configuration given above is the default setting.

  You can check this with the command

  See the race all the sysopt

  This will list even the default setting

  Now that this configuration means essentially is allow ALL traffic that comes through a VPN connection to get through the ASA ACL interface. So in your case at the location where the ASA with the network 10.31.0.0/16, the ASA would allow connections coming through the other network of 172.21.0.0/24 sites (as long as it was OK on other sites ASAs LAN interface ACL)

  What you could do is to insert the following configuration

  No vpn sysopt connection permit

  What this would do is ask you to ALLOW ALL traffic that is coming through the VPN connection via the interface ' outside ' of the ASA you want to spend. (which I suppose is the name of your current interface that handles VPN connections). In other words, the VPN traffic would not receive a "pass" to get through the ACL of 'outside'interface, instead you must allow as all other traffic from the Internet.

  If you decide to do, then you MUST CONSIDER the following thing. If you have other VPN connections as other connections L2L VPN or VPN Client, THEN you must first allow their traffic in your 'external' ACL interface for the SAA to the LAN. If you do this and insert the configuration above, you will notice that the traffic will start to get blocked by the "external" ACL interface (or if you don't have an ACL configured then the ASAs 'security level' will naturally block traffic in the same way as would an ACL)

  So if we assume that the L2L VPN is the only link you had configured on the SAA with 10.31.0.0/16 then the following changes would happen.

  • Hosts in the network 10.31.0.0/16 would be able to open connections to the remote network of 172.21.0.0/24 provided interfaces LAN what ACL allow this traffic
  • Return for this connection of course traffic be would allow by the same ASA like all other traffic.
  • IF certain incoming connection requests to the ASA with 10.31.0.0/16 network 172.21.0.0/24 network, it could crash except IF you ALLOW it to the 'outside' interfaces ACL

  Hope this made sense and helped

  Think about scoring the answer as the answer if it answered your question.

  Naturally ask more if necessary

  -Jouni

• Cisco ASA 5505 site for multiple subnet of the site.

  Hello. I need help to configure my cisco asa 5505.

  I set up a VPN between two ASA 5505 tunnel

  Site 1:

  Subnet 192.168.77.0

  Site 2:

  Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

  What I need help:

  Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

  And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

  Vlan480 is used for phones. In vlan480, we have a PABX.

  Is this possible to do?

  Any help would be much appreciated!

  Config site 2:

  : Saved

  :

  ASA Version 7.2 (2)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  names of

  name 192.168.1.250 DomeneServer

  name of 192.168.1.10 NotesServer

  name 192.168.1.90 Steadyily

  name 192.168.1.97 TerminalServer

  name 192.168.1.98 eyeshare w8

  name 192.168.50.10 w8-print

  name 192.168.1.94 w8 - app

  name 192.168.1.89 FonnaFlyMedia

  !

  interface Vlan1

  nameif Vlan1

  security-level 100

  IP 192.168.200.100 255.255.255.0

  OSPF cost 10

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 79.x.x.226 255.255.255.224

  OSPF cost 10

  !

  interface Vlan400

  nameif vlan400

  security-level 100

  IP 192.168.1.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan450

  nameif Vlan450

  security-level 100

  IP 192.168.210.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan460

  nameif Vlan460-SuldalHotell

  security-level 100

  IP 192.168.2.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan461

  nameif Vlan461-SuldalHotellGjest

  security-level 100

  address 192.168.3.1 IP 255.255.255.0

  OSPF cost 10

  !

  interface Vlan462

  Vlan462-Suldalsposten nameif

  security-level 100

  192.168.4.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan470

  nameif vlan470-Kyrkjekontoret

  security-level 100

  IP 192.168.202.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan480

  nameif vlan480 Telefoni

  security-level 100

  address 192.168.20.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan490

  nameif Vlan490-QNapBackup

  security-level 100

  IP 192.168.10.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan500

  nameif Vlan500-HellandBadlands

  security-level 100

  192.168.30.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan510

  Vlan510-IsTak nameif

  security-level 100

  192.168.40.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan600

  nameif Vlan600-SafeQ

  security-level 100

  192.168.50.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  switchport access vlan 500

  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

  switchport mode trunk

  !

  interface Ethernet0/3

  switchport access vlan 490

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passwd encrypted x

  passive FTP mode

  clock timezone WAT 1

  DNS server-group DefaultDNS

  domain default.domain.invalid

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  Lotus_Notes_Utgaaande tcp service object-group

  UT og Frim Notes Description til alle

  area of port-object eq

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ pptp Port object

  EQ smtp port object

  Lotus_Notes_inn tcp service object-group

  Description of the inn og alle til Notes

  port-object eq www

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ smtp port object

  object-group service Reisebyraa tcp - udp

  3702 3702 object-port Beach

  5500 5500 object-port Beach

  range of object-port 9876 9876

  object-group service Remote_Desktop tcp - udp

  Description Tilgang til Remote Desktop

  3389 3389 port-object range

  object-group service Sand_Servicenter_50000 tcp - udp

  Description program tilgang til sand service AS

  object-port range 50000 50000

  VNC_Remote_Admin tcp service object-group

  Description Fra ¥ oss til alle

  5900 5900 port-object range

  object-group service Printer_Accept tcp - udp

  9100 9100 port-object range

  port-object eq echo

  ICMP-type of object-group Echo_Ping

  echo ICMP-object

  response to echo ICMP-object

  object-group service Print tcp

  9100 9100 port-object range

  FTP_NADA tcp service object-group

  Suldalsposten NADA tilgang description

  port-object eq ftp

  port-object eq ftp - data

  Telefonsentral tcp service object-group

  Hoftun description

  port-object eq ftp

  port-object eq ftp - data

  port-object eq www

  EQ object of the https port

  port-object eq telnet

  Printer_inn_800 tcp service object-group

  Fra 800 thought-out og inn til 400 port 7777 description

  range of object-port 7777 7777

  Suldalsposten tcp service object-group

  Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

  EQ Port pop3 object

  EQ smtp port object

  http2 tcp service object-group

  Beach of port-object 81 81

  object-group service DMZ_FTP_PASSIVE tcp - udp

  55536 56559 object-port Beach

  object-group service DMZ_FTP tcp - udp

  20 21 object-port Beach

  object-group service DMZ_HTTPS tcp - udp

  Beach of port-object 443 443

  object-group service DMZ_HTTP tcp - udp

  8080 8080 port-object range

  DNS_Query tcp service object-group

  of domain object from the beach

  object-group service DUETT_SQL_PORT tcp - udp

  Description for a mellom andre og duett Server nett

  54659 54659 object-port Beach

  outside_access_in of access allowed any ip an extended list

  outside_access_out of access allowed any ip an extended list

  vlan400_access_in list extended access deny ip any host 149.20.56.34

  vlan400_access_in list extended access deny ip any host 149.20.56.32

  vlan400_access_in of access allowed any ip an extended list

  Vlan450_access_in list extended access deny ip any host 149.20.56.34

  Vlan450_access_in list extended access deny ip any host 149.20.56.32

  Vlan450_access_in of access allowed any ip an extended list

  Vlan460_access_in list extended access deny ip any host 149.20.56.34

  Vlan460_access_in list extended access deny ip any host 149.20.56.32

  Vlan460_access_in of access allowed any ip an extended list

  vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

  vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

  vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

  Vlan500_access_in list extended access deny ip any host 149.20.56.34

  Vlan500_access_in list extended access deny ip any host 149.20.56.32

  Vlan500_access_in of access allowed any ip an extended list

  vlan470_access_in list extended access deny ip any host 149.20.56.34

  vlan470_access_in list extended access deny ip any host 149.20.56.32

  vlan470_access_in of access allowed any ip an extended list

  Vlan490_access_in list extended access deny ip any host 149.20.56.34

  Vlan490_access_in list extended access deny ip any host 149.20.56.32

  Vlan490_access_in of access allowed any ip an extended list

  Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan1_access_out of access allowed any ip an extended list

  Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan1_access_out deny ip extended access list a whole

  Vlan1_access_out list extended access permit icmp any any echo response

  Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

  Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

  Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan480_access_out of access allowed any ip an extended list

  Vlan510_access_in of access allowed any ip an extended list

  Vlan600_access_in of access allowed any ip an extended list

  Vlan600_access_out list extended access permit icmp any one

  Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_in_1 of access allowed any ip an extended list

  Vlan461_access_in of access allowed any ip an extended list

  Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

  pager lines 24

  Enable logging

  asdm of logging of information

  MTU 1500 Vlan1

  Outside 1500 MTU

  vlan400 MTU 1500

  MTU 1500 Vlan450

  MTU 1500 Vlan460-SuldalHotell

  MTU 1500 Vlan461-SuldalHotellGjest

  vlan470-Kyrkjekontoret MTU 1500

  MTU 1500 vlan480-Telefoni

  MTU 1500 Vlan490-QNapBackup

  MTU 1500 Vlan500-HellandBadlands

  MTU 1500 Vlan510-IsTak

  MTU 1500 Vlan600-SafeQ

  MTU 1500 Vlan462-Suldalsposten

  no failover

  Monitor-interface Vlan1

  interface of the monitor to the outside

  the interface of the monitor vlan400

  the interface of the monitor Vlan450

  the interface of the Vlan460-SuldalHotell monitor

  the interface of the Vlan461-SuldalHotellGjest monitor

  the interface of the vlan470-Kyrkjekontoret monitor

  Monitor-interface vlan480-Telefoni

  the interface of the Vlan490-QNapBackup monitor

  the interface of the Vlan500-HellandBadlands monitor

  Monitor-interface Vlan510-IsTak

  Monitor-interface Vlan600-SafeQ

  the interface of the monitor Vlan462-Suldalsposten

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 522.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  vlan400_nat0_outbound (vlan400) NAT 0 access list

  NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

  NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

  NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

  NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

  NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

  NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

  NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

  static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

  static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

  static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

  static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

  static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

  static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

  static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

  static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

  static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

  static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

  (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

  static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

  static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

  Access-group interface Vlan1 Vlan1_access_out

  Access-group outside_access_in in interface outside

  Access-group outside_access_out outside interface

  Access-group vlan400_access_in in the vlan400 interface

  vlan400_access_out group access to the interface vlan400

  Access-group Vlan450_access_in in the Vlan450 interface

  Access-group interface Vlan450 Vlan450_access_out

  Access-group interface Vlan460-SuldalHotell Vlan460_access_in

  Access-group interface Vlan460-SuldalHotell Vlan460_access_out

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

  Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

  vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

  access to the interface vlan480-Telefoni, vlan480_access_out group

  Access-group interface Vlan490-QNapBackup Vlan490_access_in

  Access-group interface Vlan490-QNapBackup Vlan490_access_out

  Access-group interface Vlan500-HellandBadlands Vlan500_access_in

  Access-group interface Vlan500-HellandBadlands Vlan500_access_out

  Access-group interface Vlan510-IsTak Vlan510_access_in

  Access-group interface Vlan510-IsTak Vlan510_access_out

  Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

  Access-group Vlan600_access_out interface Vlan600-SafeQ

  Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

  Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

  Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  x x encrypted privilege 15 password username

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.210.0 255.255.255.0 Vlan450

  http 192.168.200.0 255.255.255.0 Vlan1

  http 192.168.1.0 255.255.255.0 vlan400

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 20 match address outside_20_cryptomap_1

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 62.92.159.137

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  ISAKMP crypto enable vlan400

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 62.92.159.137 type ipsec-l2l

  IPSec-attributes tunnel-group 62.92.159.137

  pre-shared-key *.

  Telnet 192.168.200.0 255.255.255.0 Vlan1

  Telnet 192.168.1.0 255.255.255.0 vlan400

  Telnet timeout 5

  SSH 171.68.225.216 255.255.255.255 outside

  SSH timeout 5

  Console timeout 0

  dhcpd update dns both

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

  !

  dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

  dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

  dhcpd option 3 ip 192.168.1.1 interface vlan400

  vlan400 enable dhcpd

  !

  dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

  dhcpd ip interface 192.168.210.1 option 3 Vlan450

  enable Vlan450 dhcpd

  !

  dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

  dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

  dhcpd enable Vlan460-SuldalHotell

  !

  dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

  dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

  dhcpd enable Vlan461-SuldalHotellGjest

  !

  dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

  interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

  dhcpd enable vlan470-Kyrkjekontoret

  !

  dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

  !

  dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

  dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

  !

  dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

  dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

  dhcpd enable Vlan500-HellandBadlands

  !

  dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

  dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

  Vlan510-IsTak enable dhcpd

  !

  dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

  Vlan600-SafeQ enable dhcpd

  !

  dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

  interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

  interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

  Vlan462-Suldalsposten enable dhcpd

  !

  !

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  !

  context of prompt hostname

  Cryptochecksum:x

  : end

  Site 1 config:

  : Saved

  :

  ASA Version 7.2 (4)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  passwd encrypted x

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.77.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE Telenor customer vpdn group

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  switchport access vlan 15

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain default.domain.invalid

  outside_access_in list extended access permit icmp any any disable log echo-reply

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 524.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group outside_access_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  Enable http server

  http 192.168.77.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 79.160.252.226

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.77.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group Telenor request dialout pppoe

  VPDN group Telenor localname x

  VPDN group Telenor ppp authentication chap

  VPDN x x local store password username

  dhcpd outside auto_config

  !

  dhcpd address 192.168.77.100 - 192.168.77.130 inside

  dhcpd dns 192.168.77.1 on the inside interface

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

  dhcpd allow inside

  !

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

  !

  tunnel-group 79.160.252.226 type ipsec-l2l

  IPSec-attributes tunnel-group 79.160.252.226

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:x

  : end

  Hello

  The addition of a new network to the existing VPN L2L should be a fairly simple process.

  Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

  Looking at your configurations above it would appear that you need to the following configurations

  SITE 1

  • We add the new network at the same time the crypto ACL and ACL NAT0

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

  SITE 2

  • We add new ACL crypto network
  • We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration

  outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  Comment by VLAN480-NAT0 NAT0 for VPN access-list

  access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

  These configurations should pretty much do the trick.

  Let me know if it worked

  -Jouni

• ASA 5505 Split Tunneling configured but still all traffic Tunneling

  Hello

  I installed an ASA 5505 running 8.3.2 and Cisco AnyConnect Client 2.5.2017.

  There are the DefaultRAGroup and a newly configured Group called SplitTunnelNets.

  I have 1 internal subnet (192.168.223.0/24) which has a matching ACL/AS configured on the DefaultRAGroup and the custom group policy called SSLClientPolicy.

  When I start the VPN with the ASA, I can indeed reach internal resources, but when I look at the routing table, I see a new default gateway route 0.0.0.0 / 0-> 192.168.25.2 (that is in the IP pool) with a metric of 2.  The default route before the start of the session AnyConnect now has a higher metric, so the 192.168.25.2 next hop is a priority.

  I don't see the routes in the routing table for 192.168.223.0/24 as I expect to see.  In the diagnosis of AnyConnect, I see that 0.0.0.0/0 is the policy applied to the client.

  Here's my setup.  Please tell me if you see something that I'm missing.

  ASA 8.3 Version (2)
  !
  host name asa

  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.223.254 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP x.x.x.x 255.255.255.240
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  boot system Disk0: / asa832 - k8.bin
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS lookup field inside
  DNS server-group DefaultDNS
  Server name 192.168.223.41
  domain Labs.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  vpn-client-net network object
  255.255.255.0 subnet 192.168.25.0
  network of the internal net object
  192.168.223.0 subnet 255.255.255.0
  the DM_INLINE_NETWORK_1 object-group network
  internal-net network object
  network-vpn-client-net object
  the DM_INLINE_NETWORK_2 object-group network
  internal-net network object
  network-vpn-client-net object
  SplitTunnelNets to access extensive ip list allow any 192.168.223.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  mask 192.168.25.1 - 192.168.25.50 255.255.255.0 IP local pool SSLClientPool
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ASDM image disk0: / asdm - 635.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside, all) static source internal-net net internal static destination vpn client vpn client-Net
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Labs-AAA protocol ldap LDAP-server
  AAA-server Lab-LDAP (inside) host 192.168.223.41
  Server-port 636
  LDAP-base-dn dc = labs, dc = com
  LDAP-scope subtree
  LDAP-naming-attribute sAMAccountName
  LDAP-login-password *.
  LDAP-connection-dn [email protected] / * /
  enable LDAP over ssl
  microsoft server type
  Enable http server
  http 192.168.223.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto ca trustpoint ASDM_TrustPoint0
  registration auto

  sslvpnkeypair key pair
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint1
  ASDM_TrustPoint1 key pair
  Configure CRL
  string encryption ca ASDM_TrustPoint0 certificates

  Telnet 192.168.223.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 192.168.223.0 255.255.255.0 inside
  SSH timeout 5
  Console timeout 0
  dhcpd outside auto_config
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  NTP 192.5.41.41 Server
  NTP 192.5.41.40 Server
  SSL-trust outside ASDM_TrustPoint1 point
  WebVPN
  allow outside
  No anyconnect essentials
  SVC disk0:/anyconnect-win-2.5.2017-k9.pkg 1 image
  SVC disk0:/anyconnect-macosx-i386-3.0.0629-k9.pkg 2 image
  Picture disk0:/anyconnect-linux-3.0.0629-k9.pkg 3 SVC
  enable SVC
  tunnel-group-list activate
  internal SSLClientPolicy group strategy
  attributes of Group Policy SSLClientPolicy
  value of server DNS 192.168.223.41
  VPN-tunnel-Protocol svc
  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list SplitTunnelNets

  field default value Labs
  split dns value Labs.com
  the address value SSLClientPool pools
  WebVPN
  SVC Dungeon-Installer installed
  attributes of Group Policy DfltGrpPolicy
  value of server DNS 192.168.223.41
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list SplitTunnelNets
  coyotelabs.com value by default-field
  type of remote access service
  type tunnel-group SSLClientProfile remote access
  attributes global-tunnel-group SSLClientProfile
  CoyoteLabs-LDAP authentication-server-group
  Group Policy - by default-SSLClientPolicy
  tunnel-group SSLClientProfile webvpn-attributes
  allow group-alias CoyoteLabs
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:95b7ff58b54e02948a14b225eec1a990
  : end

  The split tunnel access list must be standard access-list, not extended access list.

  You must change the following:
  FROM: SplitTunnelNets access-list extended ip to allow all 192.168.223.0 255.255.255.0
  To: SplitTunnelNets standard access list allows 192.168.223.0 255.255.255.0

  You should be able to reconnect again and will be able to access the Internet after you set up the standard access-list split tunnel.

  Hope that helps.

• ASA: S2S Tunnel stops with higher traffic

  Hello

  I have no idea where I have to start solving our problem:

  Site A: ASA 5520/9.2 (4) 5 ~ 20 IPsec tunnels

  Site b: ASA 5505/9.2 (4) 5

  When I do a SSH (or HTTP or any other TCP) session from Site A to any Linux on Site B server, I can connect, but when I do something as a "dmesg" or long "ls - al", the session hooked after 10 to 20 lines. Also HTTP sessions (as a site to set up a printer), smaller Web sites are okay (but slow), more big sites stops with a browser timeout.

  This only happens on one site, all other sites work very well (which have the same config, same OS ASA).

  Just to test, I opened the ssh port to the external IP address on the external interface and it works very well, as well as with the traffic through the tunnel going something wrong.

  Any idea, where do I start debugging?

  Gruss ivo

  PS: How is stupid cloudflare, they check this text and do not allow to write the ls command linux less al, but ls space space space less al works!

  You can twist on the SAA mss using this doc and empty the outside df bit as well. Follow the steps described in the section "VPN encryption error."

  Crypto ipsec df - bit clear-df outdoors

  Let us know how it rates.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• VPN Tunnel access to several subnets ASA 5505

  Greetings,

  We spent a little time trying to configure our ASA 5505 in order to TUNNEL into several different subnets.  Subnets include 192.168.1.0 / 192.168.2.0 / 192.168.10.0

  Someone is about to review this setup running and indicate where we have gone wrong.   When I connect via the VPN Client, I can access the 192.168.1.0 network, no problem.  But fail to reach the other two.   Thank you very much.

  Output from the command: 'show running-config '.

  : Saved

  :

  ASA Version 8.2 (5)

  !

  hostname BakerLofts

  activate kn7RHw13Elw2W2eU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  switchport access vlan 12

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.254 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 74.204.54.4 255.255.255.248

  !

  interface Vlan12

  nameif Inside2

  security-level 100

  IP address 192.168.10.254 255.255.255.0

  !

  passive FTP mode

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0

  outside_access_in of access allowed any ip an extended list

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.3.0 255.255.255.0

  Inside2_access_in of access allowed any ip an extended list

  permit Inside2_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  MTU 1500 Inside2

  IP local pool vpn 192.168.3.1 - 192.168.3.254 mask 255.255.255.0

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (outside) 0 192.168.3.0 255.255.255.0 outside

  NAT (Inside2) 0-list of access Inside2_nat0_outbound

  NAT (Inside2) 1 0.0.0.0 0.0.0.0

  Access-group outside_access_in in interface outside

  Access-group Inside2_access_in in the interface Inside2

  Route outside 0.0.0.0 0.0.0.0 74.204.54.1 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  AAA authentication enable LOCAL console

  AAA authentication LOCAL telnet console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  Crypto ca trustpoint _SmartCallHome_ServerCA

  Configure CRL

  Crypto ca certificate chain _SmartCallHome_ServerCA

  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130

  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a

  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504

  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269

  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d

  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b

  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65

  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332

  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329

  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f

  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d

  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597

  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc

  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd

  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201

  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868

  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101

  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff

  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777

  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a

  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973

  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403

  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1

  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b

  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603

  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04

  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d

  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101

  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018

  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

  6c2527b9 deb78458 c61f381e a4c4cb66

  quit smoking

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd outside auto_config

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal vpn group policy

  attributes of vpn group policy

  value of server DNS 8.8.8.8

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list vpn_splitTunnelAcl

  username, password samn aXJbUl92B77AGcc. encrypted privilege 0

  samn attributes username

  Strategy-Group-VPN vpn

  username password encrypted QUe2MihLFbj2.Iw0 privilege 0 jmulwa

  username jmulwa attributes

  Strategy-Group-VPN vpn

  jangus Uixpk4uuyEDOu9eu username encrypted password

  username jangus attributes

  Strategy-Group-VPN vpn

  vpn tunnel-group type remote access

  VPN tunnel-group general attributes

  vpn address pool

  Group Policy - by default-vpn

  Tunnel vpn ipsec-attributes group

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  anonymous reporting remote call

  Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

  : end

  I see two problems:

  1. your ASA has not an interior road to the Incas inside networks. You must add:

  Route inside 192.168.2.0 255.255.255.0

  Route inside 192.168.10.0 255.255.255.0

  .. .specifying your gateway address of these networks.

  2. the statement "access-list standard vpn_splitTunnelAcl permit 192.168.1.0 255.255.255.0" sends only a route for 192.168.1.0/24 to your customer. You need to add entries for the other two networks.

• ASA 5505 VPN works great but can't access internet via the tunnel to customers

  We have an ASA 5505 ASA 8.2.1 running and using IPSec for Remote access clients in the main office.  Remote access is a lot of work, with full access to network resources in the main office and the only thing I can't get to work is access to internet through the tunnel.  I don't want to use split tunneling.  I use ASDM 6.2.1 for configuration.  Any help is appreciated.  I'm probably missing something simple and it looked so much, I'm probably looking at right beyond the error.  Thanks in advance for your time and help!    Jim

  Add a statement of nat for your segment of customer on the external interface

  NAT (outside) - access list

  then allow traffic routing back on the same interface, it is entered in the

  permit same-security-traffic intra-interface

  *

  *

  * more than information can be found here:

  http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...

  On Wednesday, 27 January 2010, at 23:12, jimcanova

• Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)

  Hello

  I'll put up a tunnel vpn site-to-site between two locations.  Both have cisco ASA 5505 running a different version, I'll explain in more detail below.  so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic.  Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand.  I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.

  An IP address of 0.0.0.0 = site
  Site B IP = 1.1.1.1

  A Version of the site = 8.3.1
  Version of the site B = 9.2.3

  __________________________

  _________

  A RACE OF THE SITE CONFIGURATION

  Output of the command: "sh run".

  : Saved
  :
  ASA Version 8.3 (1)
  !
  hostname SDMCLNASA01
  SDMCLNASA01 domain name. LOCAL
  Select 5E8js/Fs7qxjxWdp of encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  !
  interface Vlan1
  nameif inside
  security-level 100
  the IP 192.168.0.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  the IP 0.0.0.0 255.255.255.252
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  DNS lookup field inside
  DNS domain-lookup outside
  DNS server-group DefaultDNS
  SDMCLNASA01 domain name. LOCAL
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  network lan_internal object
  192.168.0.0 subnet 255.255.255.0
  purpose of the smtp network
  Home 192.168.0.245
  Network http object
  Home 192.168.0.245
  rdp network object
  Home 192.168.0.245
  network ssl object
  Home 192.168.0.245
  network camera_1 object
  host 192.168.0.13
  network camerahttp object
  host 192.168.0.13
  service object 8081
  source eq 8081 destination eq 8081 tcp service
  Dvr description
  network camera-http object
  host 192.168.0.13
  network dvr-http object
  host 192.168.0.13
  network dvr-mediaport object
  host 192.168.0.13
  object-group Protocol DM_INLINE_PROTOCOL_1
  object-protocol udp
  object-tcp protocol
  object-group Protocol TCPUDP
  object-protocol udp
  object-tcp protocol
  DM_INLINE_TCP_1 tcp service object-group
  EQ port 3389 object
  port-object eq www
  EQ object of the https port
  EQ smtp port object
  DM_INLINE_TCP_2 tcp service object-group
  port-object eq 34567
  port-object eq 34599
  EQ port 8081 object
  permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq smtp
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
  outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
  permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  don't allow no asdm history
  ARP timeout 14400
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  !

  
  network lan_internal object
  NAT dynamic interface (indoor, outdoor)
  purpose of the smtp network
  NAT (all, outside) interface static tcp smtp smtp service
  Network http object
  NAT (all, outside) interface static tcp www www service
  rdp network object
  NAT (all, outside) interface static service tcp 3389 3389
  network ssl object
  NAT (all, outside) interface static tcp https https service
  network dvr-http object
  NAT (all, outside) interface static 8081 8081 tcp service
  network dvr-mediaport object
  NAT (all, outside) interface static 34567 34567 tcp service
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  http server enable 8080
  http 192.168.0.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.1.0 255.255.255.0 outside
  http 71.40.221.136 255.255.255.252 inside
  http 71.40.221.136 255.255.255.252 outside
  http 192.168.0.0 255.255.255.0 outside
  http 97.79.197.42 255.255.255.255 inside
  http 97.79.197.42 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set peer 1.1.1.1
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  dhcpd address 192.168.0.50 - 192.168.0.150 inside
  dhcpd dns 192.168.0.245 209.18.47.62 interface inside
  dhcpd SDMCLNASA01 field. LOCAL inside interface
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:462428c25e9748896e98863f2d8aeee7
  : end

  ________________________________

  SITE B RUNNING CONFIG

  Output of the command: "sh run".

  : Saved
  :
  : Serial number: JMX1635Z1BV
  : Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
  :
  ASA Version 9.2 (3)
  !
  ciscoasa hostname
  activate qddbwnZVxqYXToV9 encrypted password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 1.1.1.1 255.255.255.252
  !
  passive FTP mode
  clock timezone CST - 6
  clock to summer time recurring CDT
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network camera_http object
  host 192.168.1.13
  network camera_media object
  host 192.168.1.13
  network of the NETWORK_OBJ_192.168.0.0_24 object
  192.168.0.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  outside_access_in list extended access permit tcp any any eq 9000
  outside_access_in list extended access permit tcp any any eq www
  outside_access_in list extended access permit icmp any one
  outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ICMP allow any inside
  ICMP allow all outside
  ASDM image disk0: / asdm - 732.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
  NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
  !
  network camera_http object
  NAT (all, outside) interface static tcp www www service
  network camera_media object
  NAT (all, outside) interface static 9000 9000 tcp service
  !
  NAT source auto after (indoor, outdoor) dynamic one interface
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_cryptomap
  card crypto outside_map 1 peer set 0.0.0.0
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev1 allow outside
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0

  dhcpd address 192.168.1.50 - 192.168.1.150 inside
  dhcpd dns 192.168.0.245 209.18.47.61 interface inside
  dhcpd SDPHARR field. LOCAL inside interface
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol
  internal GroupPolicy_0.0.0.0 group strategy
  attributes of Group Policy GroupPolicy_0.0.0.0
  VPN-tunnel-Protocol ikev1, ikev2
  tunnel-group 0.0.0.0 type ipsec-l2l
  tunnel-group 0.0.0.0 ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  !
  context of prompt hostname
  no remote anonymous reporting call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
  : end

  Sorry my mistake.

  Delete this if it's still there

  card crypto external_map 1 the value reverse-road

  Add this to both sides

  card crypto outside_map 1 the value reverse-road

  Sorry about that.

  Mike

• ASA - Tunnel all traffic, allow rays to communicate with each other

  Well, I hope someone can help me with this headache! Switching to employ a PIX and VPN 3005 concentrator Office at home in an ASA5510 for firewall and IPSEC tunnels. It is pretty much a

  • VPN on a stick, multiple rays.
  • All traffic sent by tunnel
  • Internet access through main office (using the web filter) of
  • VOIP to VOIP between rays
  • All departments are using the clients VPN 3005 HW or ASA 5505 s

  HEADQUARTERS: 10.0.0.0/24

  Speaks 1: 192.168.11.0 / 24

  Speaks 2: 192.168.12.0 / 24

  Speaks 3: 192.168.13.0 / 24

  -continues to 192.168.31.0 / 24

  Spoke with the current configuration, 1 can communicate with all the resources in the home, office and Internet integrated properly checked by a tracert. However, the rays cannot communicate with each other. This is required for VOIP traffic, when all TALK TALK calls are made (sites).

  Logging information when talk of talks initiated icmp:

  • No group of translation found for icmp src, dst outside: 192.168.31.1 inside: 192.168.11.1 (type 8, code 0)

  If I remove the nat (outside) 1 192.168.0.0 255.255.00 - rays will begin to respond to each other, but then the rays cannot tunnel through the Home Office Internet traffic. My brain is so scrambled after the cramming of VPN configurations for these days, so I hope someone has an idea. I've always used concentrators 3005, so it's a little different! In the search for documentation for this configuration, I was surprised that this isn't a most common topology. It seems that this article would (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml), but there is no rays! In any case, I'm sure this has something to do with NAT rules and perhaps who need access for traffic list speaks of talking.

  =============================================

  ASA Version 8.2 (1)
  !
  hostname asa5510

  interface Ethernet0/0
  Speed 100
  full duplex
  nameif outside
  security-level 0
  IP address 97.65.x.x 255.255.255.224

  interface Ethernet0/1
  Speed 100
  full duplex
  nameif inside
  security-level 100
  IP 10.0.0.40 255.255.0.0

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  the DM_INLINE_NETWORK_1 object-group network
  object-network 10.0.0.0 255.255.0.0

  object-network 192.168.0.0 255.255.0.0

  access-list sheep extended ip 10.0.0.0 allow 255.255.0.0 192.168.0.0 255.255.0.0

  Allow Access-list extended wccp servers ip host 10.0.0.83 a

  Redirect traffic extended access-list deny ip any object-group DM_INLINE_NETWORK_1

  Redirect traffic scope permitted any one ip access-list

  Global 1 interface (outside)
  NAT (outside) 1 192.168.0.0 255.255.0.0
  NAT (inside) 0 access-list sheep
  NAT (inside) 1 10.0.0.0 255.255.0.0

  Route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
  Route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
  Route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
  Route inside 192.168.3.0 255.255.255.0 10.0.0.1 1

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto ipsec df - bit clear-df outdoors

  Crypto-map dynamic dynmap 1 transform-set RIGHT

  map mymap 65535-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  crypto isakmp identity address

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400

  crypto ISAKMP ipsec-over-tcp port 10000

  management-access inside

  a basic threat threat detection

  no statistical access list - a threat detection
  no statistical threat detection tcp-interception

  WCCP web cache redirect-list Redirect-traffic group-list password xxxxxxx wccp-servers
  WCCP 90 redirect-list traffic Redirect wccp servers group-list password xxxxxxx

  WebVPN

  internal MJHIvpn group strategy

  attributes of Group Policy MJHIvpn
  value of server WINS 10.0.10.1 10.0.10.2
  value of 10.0.10.1 DNS server 10.0.10.2
  allow password-storage
  Split-tunnel-policy tunnelall
  mjhi.local value by default-field
  allow to NEM

  username field-3002 SjfS1Pq2xZGxHicx encrypted password

  attributes of username field-3002
  VPN-access-hour no
  VPN - 250 simultaneous connections
  VPN-idle-timeout no
  VPN-session-timeout no
  Protocol-tunnel-VPN IPSec
  allow password-storage
  type of remote access service

  remote access to field tunnel-group type

  General-field tunnel-group attributes
  Group Policy - by default-MJHIvpn

  IPSec-attributes of tunnel-group field
  pre-shared-key *.

  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the they
  inspect the icmp
  !
  global service-policy global_policy

  Hello Ala,

  In Act got to be with the Nat configuration.

  So basically you want to tunnel the traffic on the rays to communicate with each other.

  OK, it would be with a nat 0 with the access list with the corresponding traffic outside.

  Also on the crypto ACL for each site configuration, you must add an entry for the traffic of other offices.

  I hope that I have explained myself.

  Have a good

  Julio

  Note all useful posts!

• Block the specific IP traffic in ASA 5505

  Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we notice a number of attempts to intrution from China and Korea and we need to block these IP traffic can anyone help please?

  config script is

  transparent firewall

  hostname xxyyASA

  Select msi14F/SlH4ZLjHH of encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  Description - the Internet-

  switchport access vlan 2

  !

  interface Ethernet0/1

  Description - connected to the LAN-

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  Bridge-Group 1

  security-level 100

  !

  interface Vlan2

  nameif outside

  Bridge-Group 1

  security-level 0

  !

  interface BVI1

  Description - for management only-

  IP address xxx.yyy.zzz.uuu 255.255.xxx.yyy

  !

  passive FTP mode

  network of the WWW-SERVER-OBJ object

  Home xxx.yyy.zzz.jjj

  Description - webserver-

  WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group

  Description - Services published on the WEB server-

  WWW-SERVER-SERVICES-UDP-OBJ udp service object-group

  Description - Services published on the WEB server - UDP

  Beach of port-object 221 225

  1719-1740 object-port Beach

  OUTSIDE-IN-ACL scope tcp access list deny any any eq 3306

  OUTSIDE-IN-ACL scope tcp access list deny any any eq telnet

  OUTSIDE-IN-ACL scopes allowed icmp an entire access list

  OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

  access list OUTSIDE-IN-ACL scopes permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306

  OUTSIDE-IN-ACL scopes permitted udp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ

  We need to block access of host say 64.15.152.208

  Just need the best step to follow and block access, without affecting the service or other host

  Thank you

  Insert a line like:

  OUTSIDE-IN-ACL scope access list deny host ip 64.15.152.208 all

  in front of your 3rd line "... to enable icmp a whole."

  If you have many of them, maybe do:

  object-group network blacklist

  host of the object-Network 64.15.152.208

  network-host another.bad.ip.here object

  object-network entire.dubious.subnet.here 255.255.255.0

  ...

  OUTSIDE-IN-ACL scope object-group BLACKLIST ip deny access list all

  If you want to take in scores of reputation on the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.

  Note that fleeing bad hosts help with targeted attacks, but not with denial of service; only, he moves to point decline since the application for the firewall server, without much effect on the net on your uplink bandwidth consumption.

  -Jim Leinweber, WI State Lab of hygiene

• LAN to Lan tunnel between ASA 5505 and 3030.

  I am unable to build a tunnel vpn site-to-site between an ASA 5505 and our Cisco 3030.  I tried all possible combinations except one that will work.  I am able to ping each peer on the other site.  Someone at - it a config between two tunnels of Lan to Lan to work between a 5505 and 3030 that works.  Thank you

  Hello

  Please visit this link using config:

  http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

  Kind regards

  Aditya

  Please evaluate the useful messages.

• Write syslog to ASA 5505 VPN tunnel on syslog server?

  Hello

  Is it possible to let the ASA 5505 write syslog messages to a syslog server on the core network where the ASA 5550 is? (on the ipsec tunnel?)

  I tried this. The tunnel is up, but I get the message from routing could not locate the next hop for the NP (ASA 5505 ip) udp inside: (ip of the syslog server).

  THX,

  Marc

  MJonkers,

  I would suggest that you configure inside interface as the interface for management access. Include IP and IP address NAT syslog server interface inside 0 ACL and ACL crypto.

  You can order the "access management" when you want to run an ASA inside of interface through the VPN 7.2 below command reference:

  http://www.Cisco.com/en/us/customer/docs/security/ASA/asa72/command/reference/m_72.html#wp1780826

  I am running the VPN configuration on 8.2 and querying SNMP works.

  I hope this helps.

  Thank you

• ASA 5505 transparent mode dosnt pass traffic

  Hi all

  need help

  ASA 5505 do not pass traffic as a cordon of brewing, how do you get traffic?

  ciscoasa # sh ver

  Cisco Adaptive Security Appliance Version 8.2 software (5)

  Version 6.4 Device Manager (5)

  Updated Saturday, May 20, 11 16:00 by manufacturers

  System image file is "disk0: / asa825 - k8.bin.

  The configuration file to the startup was "startup-config '.

  ciscoasa until 55 minutes 31 seconds

  Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

  Internal ATA Compact Flash, 128 MB

  BIOS Flash Firmware Hub @ 0xffe00000, 1024 KB

  Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

  Start firmware: CN1000-MC-BOOT - 2.00

  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

  0: Int: internal-Data0/0: the address is e4d3.f193.9486, irq 11

  1: Ext: Ethernet0/0: the address is e4d3.f193.947e, irq 255

  2: Ext: Ethernet0/1: the address is e4d3.f193.947f, irq 255

  3: Ext: Ethernet0/2: the address is e4d3.f193.9480, irq 255

  4: Ext: Ethernet0/3: the address is e4d3.f193.9481, irq 255

  5: Ext: Ethernet0/4: the address is e4d3.f193.9482, irq 255

  6: Ext: Ethernet0/5: the address is e4d3.f193.9483, irq 255

  7: Ext: Ethernet0/6: the address is e4d3.f193.9484, irq 255

  8: Ext: Ethernet0/7: the address is e4d3.f193.9485, irq 255

  9: Int: internal-Data0/1: the address is 0000.0003.0002, irq 255

  10: Int: not used: irq 255

  11: Int: not used: irq 255

  The devices allowed for this platform:

  The maximum physical Interfaces: 8

  VLAN: 3, restricted DMZ

  Internal guests: 10

  Failover: disabled

  VPN - A: enabled

  VPN-3DES-AES: enabled

  SSL VPN peers: 2

  The VPN peers total: 10

  Double ISP: disabled

  Junction ports VLAN: 0

  Sharing license: disabled

  AnyConnect for Mobile: disabled

  AnyConnect Cisco VPN phone: disabled

  AnyConnect Essentials: disabled

  Assessment of Advanced endpoint: disabled

  Proxy sessions for the UC phone: 2

  Total number of Sessions of Proxy UC: 2

  Botnet traffic filter: disabled

  This platform includes a basic license.

  Registry configuration is 0x1

  Modified configuration of enable_15 to 20:34:47.689 UTC Wednesday 5 December 2012

  ciscoasa #.

  ciscoasa #.

  ciscoasa # sh run

  : Saved

  :

  ASA Version 8.2 (5)

  !

  transparent firewall

  ciscoasa hostname

  activate 8eeGnt0NEFObbH6U encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  I haventerface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  Shutdown

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  Shutdown

  !

  interface Ethernet0/5

  Shutdown

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  Shutdown

  !

  interface Vlan1

  nameif inside

  security-level 100

  !

  interface Vlan2

  nameif outside

  security-level 0

  !

  passive FTP mode

  outs_in of access allowed any ip an extended list

  outs_in list extended access permit icmp any one

  pager lines 24

  Within 1500 MTU

  Outside 1500 MTU

  no ip address

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  outs_in access to the interface inside group

  Access-group outs_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e

  : end

  ciscoasa #.

  ciscoasa #.

  ciscoasa #.

  ciscoasa # sh - access list

  access cached list the ACL log stream: total 0, 0 (deny-flow-max 4096) denied

  alert interval 300

  outs_in list of access; 2 elements; hash name: 0xd6c65ba5

  permit for access list 1 outs_in line ip scope any a (hitcnt = 0) 0x7d210842

  allowed to Access-list outs_in line 2 extended icmp any a (hitcnt = 0) 0x5532fcc5

  ciscoasa #.

  Hello

  Exactly... Good to know it works now.

  Do you know why he needs the IP address (such as a transparent firewall)?

  The ASA will act as a transparent layer 2 on the right device to the network, but what happens when the ASA does not have a particular destination mac address... What would be the source ip address of the package? Ip address of the ASA. So that's the main reason why we need that.

  We use it also for traffic management and for AAA services (if authentication is used the ASA will send the AAA authentication request to the server) with the IP address of this source.

  Please check the question as answered, so future users can pull of this

  Julio Carvajal

  Costa Rica

• ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established

  Hi all experts

  We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?

  I got error syslog 713902 and 713903, how to fix?

  I got the following, when I type "sh crypto isakmp his."

  Type: user role: initiator

  Generate a new key: no State: MM_WAIT_MSG2

  Hugo

  Hello

  This State is reached when the policies of the phase 1 do not correspond to the two ends.

  Please confirm that you have the same settings of phase 1 on both sides with the following commands:

  See the isakmp crypto race

  See the race ikev1 crypto

  Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.

  Finally, make sure you have a route suitable for the remote VPN endpoint device.

  Hope that helps.

  Kind regards

  Dinesh Moudgil