ASA 5505: VPN access to different subnets
Hi All-
I'm trying to understand how to configure our ASA so that remote users can have VPN access to two different subnets (Office LAN and LAN phone). Currently I have 3 VLAN configuration - VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users must be able to access their PC (192.168.1.0/24) and also have access to the office phone system (192.168.254.0/24). Is it still possible? Here are the configurations on our ASA,
Thanks in advance:
ASA Version 8.2 (5)
!
names of
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name phone 192.168.254.0
name 192.168.254.250 PBX
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 13
!
interface Vlan1
nameif inside
security-level 100
192.168.1.98 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP X.X.139.79 255.255.255.224
!
interface Vlan3
No nameif
security-level 50
192.168.5.1 IP address 255.255.255.0
!
interface Vlan13
nameif phones
security-level 100
192.168.254.200 IP address 255.255.255.0
!
passive FTP mode
object-group service RDP - tcp
EQ port 3389 object
object-group service DM_INLINE_SERVICE_1
the purpose of the ip service
EQ-ssh tcp service object
vpn_nat_inside of access list extensive ip Net-10 255.255.255.224 allow 192.168.1.0 255.255.255.0
access-list extended vpn_nat_inside allowed ip Net-10 255.255.255.224 phones 255.255.255.0
inside_nat0_outbound list extended access permits all ip Net-10 255.255.255.224
inside_access_in of access allowed any ip an extended list
Split_Tunnel_List list standard access allowed Net-10 255.255.255.224
phones_nat0_outbound list extended access permits all ip Net-10 255.255.255.224
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 Mac host everything
pager lines 24
Enable logging
timestamp of the record
record monitor errors
record of the mistakes of history
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 phones
mask IP local pool SSLClientPool-10 10.0.1.1 - 10.0.1.20 255.255.255.128
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global interface (10 Interior)
Global 1 interface (outside)
global interface (phones) 20
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (10 vpn_nat_inside list of outdoor outdoor access)
NAT (phones) 0-list of access phones_nat0_outbound
NAT (phones) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = not - asa .null
pasvpnkey key pair
Configure CRL
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
VPN-sessiondb max-session-limit 10
Telnet timeout 5
SSH 192.168.1.100 255.255.255.255 inside
SSH 192.168.1.0 255.255.255.0 inside
SSH Mac 255.255.255.255 outside
SSH timeout 60
Console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.222 - 192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
!
a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image
enable SVC
tunnel-group-list activate
internal SSLClientPolicy group strategy
attributes of Group Policy SSLClientPolicy
WINS server no
value of 64.238.96.12 DNS server 66.180.96.12
VPN-access-hour no
VPN - connections 3
VPN-idle-timeout no
VPN-session-timeout no
IPv6-vpn-filter no
VPN-tunnel-Protocol svc
group-lock value NO-SSL-VPN
by default no
VLAN no
NAC settings no
WebVPN
SVC mtu 1200
SVC keepalive 60
client of dpd-interval SVC no
dpd-interval SVC bridge no
SVC compression no
attributes of Group Policy DfltGrpPolicy
value of 64.238.96.12 DNS server 66.180.96.12
Protocol-tunnel-VPN IPSec svc webvpn
attributes global-tunnel-group DefaultRAGroup
address-pool SSLClientPool-10
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared key *.
NO-SSL-VPN Tunnel-group type remote access
General-attributes of the NO-SSL-VPN Tunnel-group
address-pool SSLClientPool-10
Group Policy - by default-SSLClientPolicy
NO-SSL-VPN Tunnel - webvpn-attributes group
enable PAS_VPN group-alias
allow group-url https://X.X.139.79/PAS_VPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege show import at the level 5 exec mode command
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege, level 3 see fashion exec command eigrp
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege see the level 3 exec command mode dynamic filters
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
privilege clear level 3 exec command mode dynamic filters
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
no remote anonymous reporting call
Hello
Loss of connectivity to the LAN is not really supposed all remove this command UNLESS your network is using another device as their gateway to the Internet. In this case configuration dynamic PAT or political dynamics PAT (as you) would make sense because the LAN hosts would see your VPN connection from the same directly connected network users and would be know to traffic before the ASA rather than their default gateway.
So is this just for VPN usage and NOT the gateway on the LAN?
If it is just the VPN device I'd adding this
global interface (phones) 10
He would do the same translation for 'phones' as he does on 'inside' (of course with different PAT IP)
-Jouni
Tags: Cisco Security
Similar Questions
-
ASA 5505 VPN sessions maximum 25?
Hello friend´s
The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:
Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?
Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?
I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?
Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.
Kind regards!
Hi Alex,
The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.
To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.
Find the official documentation for the ASA5505 on the following link:
Rate if helps.
-Randy-
-
On ASA 5505 VPN cannot access remote (LAN)
I have an ASA 5505 upward and running, all static NAT statements I need to forward ports to the internal services such as smtp, desktop remotely and it works very well, however I have set up an IPSEC vpn connection that authenticates to our DC and part works. However, after I connect and cannot ping anything on the local network or access services. I don't know what a NAT statement I have corrected. Here is the config. I really need to get this up and going tomorrow. Thanks for any help.
Tyler
Just remove the line of nat (outside) and ACL outside_nat0_outbound.
And talk about these statements:
IPSec-1 sysopt connection permit... (If it is disabled, you can check with sh run sysopt).
2, crypto isakmp nat traversal 10 or 20
3 no NAT ACL, mention your local subnets as the source and vpn client as the destination.
4, create the other ACL (ST) with different name and source and destination like no nat ACL.
5, then type nat (inside) 0 access-list sheep
6, in the dwgavpn group policy, talk to splittunnel tunnelspecified and mention the tunnel split ACL (ST).
Concerning
-
Problem with ASA 5505 VPN remote access
After about 1 year to have the VPN Client from Cisco connection to an ASA 5505 with no problems, all of a sudden one day it stops working. The customer is able to get a connection to the ASA and browse the local network for only about 30 seconds after the connection. After that, no access is available to the network behind the ASA. I have tried everything I can think of to try to solve the problem, but at this point, I'm just banging my head against a wall. Anyone know what could cause this?
Here is the cfg running of the ASA
----------------------------------------------------------------------------------------
: Saved
:
ASA Version 8.4 (1)
!
hostname NCHCO
enable encrypted password xxxxxxxxxxxxxxx
xxxxxxxxxxx encrypted passwd
names of
description of NCHCO name 192.168.2.0 City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address **. ***. 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa841 - k8.bin
passive FTP mode
network of the NCHCO object
Subnet 192.168.2.0 255.255.255.0
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
network object obj - 192.168.2.64
subnet 192.168.2.64 255.255.255.224
network object obj - 0.0.0.0
subnet 0.0.0.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
the Web server object network
the FINX object network
Home 192.168.2.11
rdp service object
source between 1-65535 destination eq 3389 tcp service
Rdp description
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_nat0_outbound extended access list permit ip object NCHCO 192.168.2.0 255.255.255.0
inside_nat0_outbound extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224
permit access list extended ip 0.0.0.0 inside_nat0_outbound 255.255.255.0 192.168.2.64 255.255.255.224
outside_1_cryptomap extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
outside_1_cryptomap_1 extended access list permit ip object NCHCO 192.168.1.0 255.255.255.0
LAN_Access list standard access allowed 192.168.2.0 255.255.255.0
LAN_Access list standard access allowed 0.0.0.0 255.255.255.0
NCHCO_splitTunnelAcl_1 list standard access allowed 192.168.2.0 255.255.255.0
AnyConnect_Client_Local_Print deny ip extended access list a whole
AnyConnect_Client_Local_Print list extended access permit tcp any any eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.251 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp any host 224.0.0.252 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permit tcp any any eq 137
AnyConnect_Client_Local_Print list extended access udp allowed any any eq netbios-ns
outside_access_in list extended access permit tcp any object FINX eq 3389
outside_access_in_1 list extended access allowed object rdp any object FINX
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 649.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source NCHCO destination NCHCO static obj - 192.168.1.0 obj - 192.168.1.0
NAT (inside, all) static source any any destination static obj - 192.168.2.64 obj - 192.168.2.64
NAT (inside, all) source static obj - 0.0.0.0 0.0.0.0 - obj destination static obj - 192.168.2.64 obj - 192.168.2.64
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the FINX object network
NAT (inside, outside) interface static service tcp 3389 3389
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 69.61.228.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
network-acl outside_nat0_outbound
WebVPN
SVC request to enable default svc
Enable http server
http 192.168.1.0 255.255.255.0 inside
http *. **. ***. 255.255.255.255 outside
http *. **. ***. 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
http 96.11.251.186 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac ikev1 l2tp-transform
IKEv1 crypto ipsec transform-set l2tp-transformation mode transit
Crypto ipsec transform-set vpn-transform ikev1 esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5 ikev1
transport mode encryption ipsec transform-set TRANS_ESP_3DES_MD5 ikev1
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs Group1
crypto dynamic-map dyn-map 10 set transform-set l2tp vpn-transform processing ikev1
dynamic-map encryption dyn-map 10 value reverse-road
Crypto-map dynamic outside_dyn_map 20 set transform-set ESP-3DES-SHA ikev1
Crypto-map dynamic outside_dyn_map 20 the value reverse-road
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 74.219.208.50
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto vpn-map 1 match address outside_1_cryptomap_1
card crypto vpn-card 1 set pfs Group1
set vpn-card crypto map peer 1 74.219.208.50
card crypto 1 set transform-set ESP-3DES-SHA ikev1 vpn-map
dynamic vpn-map 10 dyn-map ipsec isakmp crypto map
crypto isakmp identity address
Crypto ikev1 allow inside
Crypto ikev1 allow outside
IKEv1 crypto ipsec-over-tcp port 10000
IKEv1 crypto policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 15
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 35
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet 192.168.1.0 255.255.255.0 inside
Telnet NCHCO 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH NCHCO 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd address 192.168.2.150 - 192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
lease interface 64000 dhcpd inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1
nchco.local value by default-field
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.2.1
L2TP ipsec VPN-tunnel-Protocol ikev1 ssl-clientless ssl-client
allow password-storage
enable IPSec-udp
enable dhcp Intercept 255.255.255.0
the address value VPN_Pool pools
internal NCHCO group policy
NCHCO group policy attributes
value of 192.168.2.1 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list NCHCO_splitTunnelAcl_1
value by default-field NCHCO.local
admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username
username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg
username NCHvpn99 password dhn. JzttvRmMbHsP encrypted
attributes global-tunnel-group DefaultRAGroup
address (inside) VPN_Pool pool
address pool VPN_Pool
authentication-server-group (inside) LOCAL
authentication-server-group (outside LOCAL)
LOCAL authority-server-group
authorization-server-group (inside) LOCAL
authorization-server-group (outside LOCAL)
Group Policy - by default-DefaultRAGroup
band-Kingdom
band-band
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared-key *.
NOCHECK Peer-id-validate
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
no authentication ms-chap-v1
ms-chap-v2 authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
tunnel-group 74.219.208.50 type ipsec-l2l
IPSec-attributes tunnel-group 74.219.208.50
IKEv1 pre-shared-key *.
type tunnel-group NCHCO remote access
attributes global-tunnel-group NCHCO
address pool VPN_Pool
Group Policy - by default-NCHCO
IPSec-attributes tunnel-group NCHCO
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:a2110206e1af06974c858fb40c6de2fc
: end
ASDM image disk0: / asdm - 649.bin
ASDM VPN_Start 255.255.255.255 inside location
ASDM VPN_End 255.255.255.255 inside location
don't allow no asdm history
---------------------------------------------------------------------------------------------------------------
And here are the logs of the Cisco VPN Client when sailing, then is unable to browse the network behind the ASA:
---------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7601 Service Pack 1
Config files directory: C:\Program Files (x 86) \Cisco Systems\VPN Client\
1 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600026
Try to find a certificate using hash Serial.
2 09:44:55.677 01/10/13 Sev = Info/6 CERT / 0 x 63600027
Found a certificate using hash Serial.
3 09:44:55.693 01/10/13 Sev = Info/6 GUI/0x63B00011
RELOADED successfully certificates in all certificate stores.
4 09:45:02.802 10/01/13 Sev = Info/4 CM / 0 x 63100002
Start the login process
5 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
6 09:45:02.802 01/10/13 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "*." **. ***. *** »
7 09:45:02.802 10/01/13 Sev = Info/6 IKE/0x6300003B
Try to establish a connection with *. **. ***. ***.
8 09:45:02.818 10/01/13 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
9 09:45:02.865 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***
10 09:45:02.896 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
11 09:45:02.896 10/01/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
12 09:45:02.896 10/01/13 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
13 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
14 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
15 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
16 09:45:02.896 01/10/13 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
17 09:45:02.927 01/10/13 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
18 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***
19 09:45:02.927 01/10/13 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xDD3B, Remote Port = 0x01F4
20 09:45:02.927 01/10/13 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is NOT behind a NAT device
21 09:45:02.927 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
22 09:45:02.943 10/01/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
23 09:45:02.943 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
24 09:45:02.943 01/10/13 Sev = Info/4 CM / 0 x 63100015
Launch application xAuth
25 09:45:03.037 01/10/13 Sev = Info/6 GUI/0x63B00012
Attributes of the authentication request is 6: 00.
26 09:45:03.037 01/10/13 Sev = Info/4 CM / 0 x 63100017
xAuth application returned
27 09:45:03.037 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
28 09:45:03.037 10/01/13 Sev = Info/4 IPSEC / 0 x 63700008
IPSec driver started successfully
29 09:45:03.037 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
30 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
31 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
32 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
33 09:45:03.083 01/10/13 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
34 09:45:03.083 01/10/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
35 09:45:03.083 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***
36 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
37 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="" **.**.***.***="" isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
38 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70
39 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0
40 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1
41 09:45:03.146 01/10/13 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8
42 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001
43 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
44 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000F
SPLIT_NET #1
= 192.168.2.0 subnet
mask = 255.255.255.0
Protocol = 0
SRC port = 0
port dest = 0
45 09:45:03.146 10/01/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO.local
46 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_UDP_NAT_PORT, value = 0 x 00002710
47 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
48 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = 8.4 (1) Cisco systems, Inc. ASA5505 Version built by manufacturers on Tuesday, January 31, 11 02:11
49 09:45:03.146 01/10/13 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
50 09:45:03.146 01/10/13 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
51 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0
52 09:45:03.146 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***
53 09:45:03.177 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
54 09:45:03.177 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
55 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
56 09:45:03.177 01/10/13 Sev = Info/5 IKE / 0 x 63000047
This SA was already alive for 1 second, expiration of adjustment to 86399 seconds now
57 09:45:03.193 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
58 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" qm="" *(hash,="" sa,="" non,="" id,="" id,="" notify:status_resp_lifetime)="" from="">
59 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify is set to 28800 seconds
60 09:45:03.193 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK QM * (HASH) to *. **. ***. ***
61 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000059
IPsec Security Association of loading (MsgID = SPI OUTBOUND SPI INCOMING = 0x3EBEBFC5 0xAAAF4C1C = 967A3C93)
62 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000025
OUTGOING ESP SPI support: 0xAAAF4C1C
63 09:45:03.193 01/10/13 Sev = Info/5 IKE / 0 x 63000026
Charges INBOUND ESP SPI: 0x3EBEBFC5
64 09:45:03.193 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
65 09:45:03.521 01/10/13 Sev = Info/6 CVPND / 0 x 63400001
Launch VAInst64 for controlling IPSec virtual card
66 09:45:03.896 01/10/13 Sev = Info/4 CM / 0 x 63100034
The virtual card has been activated:
IP=192.168.2.70/255.255.255.0
DNS = 192.168.2.1, 8.8.8.8
WINS = 0.0.0.0 0.0.0.0
Domain = NCHCO.local
Split = DNS names
67 09:45:03.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 261
68 09:45:07.912 01/10/13 Sev = Info/4 CM / 0 x 63100038
Were saved successfully road to file changes.
69 09:45:07.912 01/10/13 Sev = Info/5 CVPND / 0 x 63400013
Destination mask subnet Gateway Interface metric
0.0.0.0 0.0.0.0 96.11.251.1 96.11.251.149 261
**. **. ***. 255.255.255.255 96.11.251.1 96.11.251.149 100
96.11.251.0 255.255.255.0 96.11.251.149 96.11.251.149 261
96.11.251.149 255.255.255.255 96.11.251.149 96.11.251.149 261
96.11.251.255 255.255.255.255 96.11.251.149 96.11.251.149 261
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 261
192.168.1.3 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 261
192.168.2.0 255.255.255.0 192.168.2.70 192.168.2.70 261
192.168.2.0 255.255.255.0 192.168.2.1 192.168.2.70 100
192.168.2.70 255.255.255.255 192.168.2.70 192.168.2.70 261
192.168.2.255 255.255.255.255 192.168.2.70 192.168.2.70 261
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 96.11.251.149 96.11.251.149 261
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 261
224.0.0.0 240.0.0.0 192.168.2.70 192.168.2.70 261
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 96.11.251.149 96.11.251.149 261
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 261
255.255.255.255 255.255.255.255 192.168.2.70 192.168.2.70 261
70 09:45:07.912 01/10/13 Sev = Info/6 CM / 0 x 63100036
The routing table has been updated for the virtual card
71 09:45:07.912 01/10/13 Sev = Info/4 CM/0x6310001A
A secure connection established
72 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 96.11.251.149. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
73 09:45:07.943 01/10/13 Sev = Info/4 CM/0x6310003B
Look at address added to 192.168.2.70. Current host name: psaserver, current address (s): 192.168.2.70, 96.11.251.149, 192.168.1.3.
74 09:45:07.943 01/10/13 Sev = Info/5 CM / 0 x 63100001
Did not find the smart card to watch for removal
75 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700014
Remove all keys
76 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
77 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0x1c4cafaa in the list of keys
78 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700010
Creates a new key structure
79 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370000F
Adding key with SPI = 0xc5bfbe3e in the list of keys
80 09:45:07.943 01/10/13 Sev = Info/4 IPSEC/0x6370002F
Assigned WILL interface private addr 192.168.2.70
81 09:45:07.943 01/10/13 Sev = Info/4 IPSEC / 0 x 63700037
Configure the public interface: 96.11.251.149. SG: **.**.***.***
82 09:45:07.943 10/01/13 Sev = Info/6 CM / 0 x 63100046
Define indicator tunnel set up in the registry to 1.
83 09:45:13.459 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
84 09:45:13.459 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205276
85 09:45:13.474 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
86 09:45:13.474 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
87 09:45:13.474 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205276, seq # expected is 107205276
88 09:45:15.959 01/10/13 Sev = Info/4 IPSEC / 0 x 63700019
Activate key dating SPI = 0x1c4cafaa key with SPI = 0xc5bfbe3e
89 09:46:00.947 10/01/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
90 09:46:00.947 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205277
91 09:46:01.529 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
92 09:46:01.529 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
93 09:46:01.529 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205277, seq # expected is 107205277
94 09:46:11.952 01/10/13 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO * (HASH, NOTIFY: DPD_REQUEST) to *. **. ***. ***
95 09:46:11.952 01/10/13 Sev = Info/6 IKE/0x6300003D
Upon request of the DPD to *. **. ***. , our seq # = 107205278
96 09:46:11.979 01/10/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = *. **. ***. ***
97 09:46:11.979 01/10/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:dpd_ack)="" from="">
98 09:46:11.979 01/10/13 Sev = Info/5 IKE / 0 x 63000040
Receipt of DPO ACK to *. **. ***. seq # receipt = 107205278, seq # expected is 107205278
---------------------------------------------------------------------------------------------------------------
Any help would be appreciated, thanks!
try to refuse the ACL (access-list AnyConnect_Client_Local_Print extended deny ip any one) at the end of the ACL.
-
ASA 5505 VPN established, cannot access inside the network
Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.
After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.
Here is my config:
ASA Version 8.2 (5)
!
hostname asa01
domain kevinasa01.net
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan5
No nameif
security-level 50
IP 172.16.1.1 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
domain kevinasa01.net
permit same-security-traffic intra-interface
Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.254.0 255.255.255.0
NAT (inside) 0 access-list sheep - in
NAT (inside) 1 192.168.1.0 255.255.255.0
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal Remote_Kevin group strategy
attributes of Group Policy Remote_Kevin
value of server DNS 192.168.1.12 192.168.1.13
VPN - connections 3
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
kevinasa01.NET value by default-field
username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
username kevin attributes
VPN-group-policy Remote_Kevin
type tunnel-group Remote_Kevin remote access
attributes global-tunnel-group Remote_Kevin
address-pool
Group Policy - by default-Remote_Kevin
IPSec-attributes tunnel-group Remote_Kevin
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
: endThank you
Hello
I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.
I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.
The acl must be:
sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
For nat (inside), you have 2 lines:
NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
NAT (inside) 1 0.0.0.0 0.0.0.0Why are you doing this nat (outside)?
NAT (outside) 1 192.168.254.0 255.255.255.0
Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)
Thank you.
PS: Please do not forget to rate and score as good response if this solves your problem.
-
ASA 5505 VPN cannot access inside the host
I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.
framework for configuration below
interface Vlan1
nameif inside
security-level 100
10.1.1.1 IP address 255.255.255.0
IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
PFS set 40 crypto dynamic-map outside_dyn_map
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA
Crypto-map dynamic inside_dyn_map 20 set pfs
Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map
inside crypto map inside_map interface
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
global service-policy global_policy
XXXXXXX strategy of Group internal
attributes of the strategy group xxxxxxx
banner value xxxxx Site Recovery
WINS server no
24.xxx.xxx.xx value of DNS server
VPN-access-hour no
VPN - connections 3
VPN-idle-timeout 30
VPN-session-timeout no
VPN-filter no
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelall
by default no
disable secure authentication unit
disable authentication of the user
user-authentication-idle-timeout no
disable the IP-phone-bypass
disable the leap-bypass
disable the NEM
disable the NAC
NAC-sq-period 300
NAC-reval-period 36000
NAC-by default-acl no
the address value xxxxxx pools
enable Smartcard-Removal-disconnect
the firewall client no
WebVPN
url-entry functions
Free VPN of CNA no
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general attributes
xxxx address pool
Group Policy - by default-xxxx
blountdr group of tunnel ipsec-attributes
pre-shared-key *.
Missing nat exemption for vpn clients. Add the following and you should be good to go.
inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0
NAT (inside) 0-list of access inside_nat0_outbound
-
ASA 5505 - remote access VPN to access various internal networks
Hi all
A customer has an ASA 5505 with a remote access vpn. They are moving their internal network to a new regime and that you would be the users who come on the vpn to access the existing and new networks. Currently can only access the existing. When users connect to access remote vpn, the asa gave them the address 192.168.199.x. The current internal network is 200.190.1.x and that they would reach their new network of 10.120.110.x.
Here is the config:
:
ASA Version 8.2 (5)
!
ciscoasa hostname
enable encrypted password xxx
XXX encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 200.190.1.15 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address 255.255.255.0 xxxxxxx
!
exec banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED
connection of the banner the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED
banner asdm the ACCESS NOT AUTHORIZED IS STRICTLY PROHIBITED
passive FTP mode
access extensive list ip 200.190.1.0 inside_access_in allow 255.255.255.0 any
outside_access_in list extended access permit icmp any external interface
access extensive list ip 192.168.199.0 outside_access_in allow 255.255.255.192 host 10.120.110.0
Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 200.190.1.0 255.255.255.0
MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0
access extensive list ip 200.190.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192
inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.199.10 - 192.168.199.50 255.255.255.0 IP local pool Remote_IPSEC_VPN_Pool
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 200.190.1.0 255.255.255.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
Route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
Route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
Route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 10443
http server idle-timeout 5
Server of http session-timeout 30
HTTP 200.190.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
(omitted)
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 3600
Telnet timeout 5
SSH 200.190.1.0 255.255.255.0 inside
SSH timeout 5
SSH version 2
Console timeout 5
dhcpd outside auto_config
!
a basic threat threat detection
scanning-threat shun threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
internal MD_SSL_Gp_Pol group strategy
attributes of Group Policy MD_SSL_Gp_Pol
VPN-tunnel-Protocol webvpn
WebVPN
list of URLS no
disable the port forward
hidden actions no
disable file entry
exploration of the disable files
disable the input URL
internal MD_IPSEC_Tun_Gp group strategy
attributes of Group Policy MD_IPSEC_Tun_Gp
value of banner welcome to remote VPN
VPN - connections 1
VPN-idle-timeout 5
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list MD_IPSEC_Tun_Gp_splitTunnelAcl
the address value Remote_IPSEC_VPN_Pool pools
WebVPN
value of the RDP URL-list
attributes of username (omitted)
VPN-group-policy MD_IPSEC_Tun_Gp
type of remote access service
type tunnel-group MD_SSL_Profile remote access
attributes global-tunnel-group MD_SSL_Profile
Group Policy - by default-MD_SSL_Gp_Pol
type tunnel-group MD_IPSEC_Tun_Gp remote access
attributes global-tunnel-group MD_IPSEC_Tun_Gp
address pool Remote_IPSEC_VPN_Pool
Group Policy - by default-MD_IPSEC_Tun_Gp
IPSec-attributes tunnel-group MD_IPSEC_Tun_Gp
pre-shared key *.
!
!
context of prompt hostname
: end
The following ACL and NAT exemption ACL split tunnel is incorrect:
MD_IPSEC_Tun_Gp_splitTunnelAcl list standard access allowed host 10.120.110.0
inside_nat0_outbound list extended access allowed host ip 10.120.110.0 192.168.199.0 255.255.255.192
It should have been:
Standard access list MD_IPSEC_Tun_Gp_splitTunnelAcl allow 10.120.110.0 255.255.255.0
access extensive list ip 10.120.110.0 inside_nat0_outbound allow 255.255.255.0 192.168.199.0 255.255.255.192
Then 'clear xlate' and reconnect with the VPN Client.
Hope that helps.
-
ASA 5505 VPN remote cannot access with my local network
Hello guys, I have a problem with my asa 5505 remote VPN access to the local network, the VPn connection works well and connected, but the problem is that I can't reach my inside connection network of 192.168.30.x, here's my setup, please can you help me
ASA Version 8.2 (1)
!
!
interface Vlan1
nameif inside
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 155.155.155.10 255.255.255.0
!
interface Vlan5
No nameif
no level of security
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
inside_nat0_outbound list of allowed ip extended access any 192.168.100.0 255.255.255.240
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP local pool vpn-pool 192.168.100.1 - 192.168.100.10 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
Mull strategy of Group internal
attributes of the Group mull strategy
Protocol-tunnel-VPN IPSec
username privilege 0 encrypted password eKJj9owsQwAIk6Cw xxx
VPN-group-policy Mull
type mull tunnel-group remote access
tunnel-group mull General attributes
address vpn-pool pool
Group Policy - by default-mull
Mull group tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Yes, you will need to either configure split tunnel so that internet traffic goes out through your local Internet service provider, GOLD / directed by configuration current you are tunneling all traffic (internet traffic Inc.) to the ASA, then you will need to create NAT for internet traffic.
To set up a tunnel from split:
split-acl access-list allowed 192.168.30.0 255.255.255.0
attributes of the Group mull strategy
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split-acl
I hope this helps.
-
No Internet connectivity with ASA 5505 VPN remote access
Hello
I configured ASA 5505 for remote access VPN to allow a remote user to connect to the Remote LAN officce. VPN works well, users can access Office Resource of LAN with sahred etc., but once they have connected to the VPN, they are unable to browse the internet?
Internet navigation stop working as soon as their customer VPN connect with ASA 5505 t, once they are disconnected from VPN, once again they can browse the internet.
Not ASA 5505 blocking browsing the internet for users of VPN? Is there anything else that I need congfure to ensure that VPN users can browse the internet?
I have to configure Split Tunnleing, NATing or routing for VPN users? or something else.
Thank you very much for you help.
Concerning
Salman
Salman
What you run into is a default behavior of the ASA in which she will not route traffic back on the same interface on which he arrived. So if the VPN traffic arrived on the external interface the ASA does not want to send back on the external interface for Internet access.
You have at least 2 options:
-You can configure split tunneling, as you mention, and this would surf the Internet to continue during the use of VPN.
-You can set an option on the ASA to allow traffic back on the same interface (this is sometimes called crossed). Use the command
permit same-security-traffic intra-interface
HTH
Rick
-
ASA 5505 VPN works great but can't access internet via the tunnel to customers
We have an ASA 5505 ASA 8.2.1 running and using IPSec for Remote access clients in the main office. Remote access is a lot of work, with full access to network resources in the main office and the only thing I can't get to work is access to internet through the tunnel. I don't want to use split tunneling. I use ASDM 6.2.1 for configuration. Any help is appreciated. I'm probably missing something simple and it looked so much, I'm probably looking at right beyond the error. Thanks in advance for your time and help! Jim
Add a statement of nat for your segment of customer on the external interface
NAT (outside) - access list
then allow traffic routing back on the same interface, it is entered in the
permit same-security-traffic intra-interface
*
*
* more than information can be found here:
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807...
On Wednesday, 27 January 2010, at 23:12, jimcanova
-
LAN ASA 5505 VPN client access issue
Hello
I'm no expert in ASA and routing so I ask support the following case.
There is a (running on Windows 7) Cisco VPN client and an ASA5505.
The objectives are client can use the gateway remote on SAA for Skype and able to access devices in SAA within the interface.
The Skype works well, but I can't access devices in the interface inside through a VPN connection.
Can you please check my following config and give me any advice to fix NAT or VPN settings?
ASA Version 7.2 (4)
!
ciscoasa hostname
domain default.domain.invalid
activate wDnglsHo3Tm87.tM encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan3
prior to interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
DNS server-group DefaultDNS
domain default.domain.invalid
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any
inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 any
outside_access_in list of allowed ip extended access entire 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
local pool VPNPOOL 10.0.0.200 - 10.0.0.220 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 524.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 10.0.0.0 255.255.255.0
NAT (inside) 1 192.168.1.0 255.255.255.0
NAT (outside) 1 10.0.0.0 255.255.255.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH version 2
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd dns xx.xx.xx.xx interface inside
dhcpd allow inside
!
attributes of Group Policy DfltGrpPolicy
No banner
WINS server no
value of server DNS 84.2.44.1
DHCP-network-scope no
VPN-access-hour no
VPN - connections 3
VPN-idle-timeout 30
VPN-session-timeout no
VPN-filter no
Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
disable the password-storage
disable the IP-comp
Re-xauth disable
Group-lock no
disable the PFS
IPSec-udp disable
IPSec-udp-port 10000
Split-tunnel-policy tunnelall
Split-tunnel-network-list no
by default no
Split-dns no
Disable dhcp Intercept 255.255.255.255
disable secure authentication unit
disable authentication of the user
user-authentication-idle-timeout 30
disable the IP-phone-bypass
disable the leap-bypass
allow to NEM
Dungeon-client-config backup servers
MSIE proxy server no
MSIE-proxy method non - change
Internet Explorer proxy except list - no
Disable Internet Explorer-proxy local-bypass
disable the NAC
NAC-sq-period 300
NAC-reval-period 36000
NAC-by default-acl no
address pools no
enable Smartcard-Removal-disconnect
the firewall client no
rule of access-client-none
WebVPN
url-entry functions
HTML-content-filter none
Home page no
4 Keep-alive-ignore
gzip http-comp
no filter
list of URLS no
value of customization DfltCustomization
port - forward, no
port-forward-name value access to applications
SSO-Server no
value of deny message connection succeeded, but because some criteria have not been met, or because of a specific group policy, you are not allowed to use the VPN features. Contact your administrator for more information
SVC no
SVC Dungeon-Installer installed
SVC keepalive no
generate a new key SVC time no
method to generate a new key of SVC no
client of dpd-interval SVC no
dpd-interval SVC bridge no
deflate compression of SVC
internal group XXXXXX strategy
attributes of XXXXXX group policy
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelall
Split-tunnel-network-list no
XXXXXX G910DDfbV7mNprdR encrypted privilege 15 password username
username password encrypted XXXXXX privilege 0 5p9CbIe7WdF8GZF8
attributes of username XXXXXX
Strategy Group-VPN-XXXXXX
username privilege 15 encrypted password cRQbJhC92XjdFQvb XXXXX
tunnel-group XXXXXX type ipsec-ra
attributes global-tunnel-group XXXXXX
address VPNPOOL pool
Group Policy - by default-XXXXXX
tunnel-group ipsec-attributes XXXXXX
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:a8fbb51b0a830a4ae823826b28767f23
: end
ciscoasa #.
Thanks in advance!
fbela
config #no nat (inside) 1 10.0.0.0 255.255.255.0< this="" is="" not="">
Add - config #same-Security-permit intra-interface
#access - extended list allowed sheep ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
#nat (inside) 0 access-list sheep
Please add and test it.
Thank you
Ajay
-
ASA 5505 VPN Site to site with several networks
Hello
I have a Cisco ASA 5505 configuration problem and hope you can help me.
Our company created a second facility, which must be connected using VPN to our headquarters.
I used the ASDM "Wizard of Site to site VPN" to create a connection, which works very well with our main network.
Following structure:
Headquarters:
Cisco ASA 5505, firmware 9.1, ASDM version 7.1
Outside: Fixed IP
Inside: IP address of the interface is 192.168.0.1/24 (data network)
Now I have a second network 192.168.1.0/24 (VoIP network), PBX address is 192.168.1.10.
The two networks should be accessible through the VPN.
New installation:
Cisco ASA 5505, firmware 9.1, ASDM version 7.1
Outside: Fixed IP
Inside: IP address of the interface is 192.168.2.1/24
I have already created a connection until a PC of the new plant reaches the data network. For example, a ping from 192.168.2.100 to 192.168.0.100 is possible.
Now, I want to add some VoIP phones to the new facility, which can reach the PBX on 192.168.1.10.
In the link, I have already added the two networks as remote network:
object-group network Testgroup network-object 192.168.0.0 255.255.255.0 network-object 192.168.1.0 255.255.255.0 access-list outside_cryptomap extended permit ip object-group Testgroup object Remote-Network
My problem now is, I don't know what to define as 'Bridge' on my PBX.
I can't use 192.168.0.1 because it's a different subnet. Also, I can not put a second IP 192.168.1.1 to the interface of the ASA.
You have any ideas, how can I accomplish this, so that the two subnets are accessed through the VPN and all devices have a defined gateway?
Could a "Easy VPN Remote" in "Network Mode" you help me?
What is the difference between 'Site-to-site' and 'extended network '?
Kind regards
Daniel condition, look for the solution GmbH
You can optionally configure a new LAN VIRTUAL (VLAN PBX) on the SAA and connect this interface to the voice network.
If you do not have a spare on the ASA port, then Yes, you have a router to route traffic from the PBX to the ASA via the data network.
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
Hi all
First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.
The main problem is that when ping devices internal when you are connected to the results are very inconsistent.
Ping 192.168.15.102 with 32 bytes of data:
Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128
Request timed out.
Request timed out.
Request timed out.
We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?
Here is a dump of the configuration:
Output of the command: "show config".
: Saved
: Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013
!
ASA Version 8.2 (5)
!
hostname VPN_Test
activate the encrypted password of D37rIydCZ/bnf1uj
2KFQnbNIdI.2KYOU encrypted passwd
names of
192.168.15.0 - internal network name
DDNS update method DDNS_Update
DDNS both
maximum interval 0 4 0 0
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
Description VLAN internal guests
nameif inside
security-level 100
DDNS update hostname 0.0.0.0
DDNS update DDNS_Update
DHCP client updated dns server time
192.168.15.1 IP address 255.255.255.0
!
interface Vlan2
Description of VLAN external to the internet
nameif outside
security-level 0
address IP xx.xx.xx.xx 255.255.255.248
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS server-group DefaultDNS
Server name 216.221.96.37
Name-Server 8.8.8.8
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
outside_access_in list extended access permit icmp any one
outside_access_in list extended access deny interface icmp outside interface inside
access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all
Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0
inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192
Note to inside_access_in to access list blocking Internet traffic
access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all
Note to inside_access_in to access list blocking Internet traffic
inside_access_in extended access list allow interface ip inside the interface inside
inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192
Note to inside_access_in to access list blocking Internet traffic
access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool
inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow any response of echo outdoors
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.15.192 255.255.255.192
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
inside_access_ipv6_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
255.255.255.0 inside internal network http
http yy.yy.yy.yy 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Sysopt connection timewait
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.15.200 - 192.168.15.250 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 192.168.15.101 source inside
prefer NTP server 192.168.15.100 source inside
WebVPN
internal remote group strategy
Group remote attributes policy
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_splitTunnelAcl
username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz
username StockUser attributes
Strategy-Group-VPN remote
tunnel-group type remote access remotely
tunnel-group remote General attributes
address pool VPN_IP_Pool
Group Policy - by default-remote control
tunnel-group remote ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3
Hi Graham,
My first question is do you have a site to site VPN and VPN remote access client.
After checking your configuration, I see you don't have any Site to SIte VPN configuration, so I'm assuming you ara facing issue with the VPN client.
And if I understand you are able to connect VPN client, but you not able to access internal resources properly.
I recommend tey and make the following changes.
First remove the following configuration:
NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access
NAT (inside) 1 192.168.15.192 255.255.255.192
You don't need the 1st one and I do not understand the reason for the second
Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.
If possible change your subnet pool all together because we do not recommend to use th ip POOL that is similar to your local network.
Try the changes described above and let me know in case if you have any problem.
Thank you
Jeet Kumar
-
ASA 5505 VPN to IPSec website DOES NOT CONNECT
I spent 2 days already to try to get 2 ASA 5505 to connect by using an IPSec vpn tunnel. I can't understand what im doing wrong, I'm using 192.168.97.0 and 192.168.100.0 as my internal networks that I am trying to connect via a link directly connected on the outside with 50.1.1.1 and 50.1.1.2 interfaces such as addresses (all 24). I also tried with and without active NAT. Here is for both of the ASA configs, the vpn config was conducted by the ASDM, but I also tried the approach of the command-line without success. I followed various guides to the letter online, starting with an empty config and factory default. I also tried the IOS 8.4.
ASA 1 Config ASA 8.3 Version (2)
!
VIC hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.97.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa832 - k8.bin
passive FTP mode
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.97.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:4745f7cd76c82340ba1e7920dbfd2395
Config ASA2 ASA 8.3 Version (2)
!
hostname QLD
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 50.1.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
Shutdown
!
interface Ethernet0/7
Shutdown
!
passive FTP mode
network of the SITEA object
192.168.97.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
outside_1_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 object SITEA
pager lines 24
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 static destination SITEA SITEA
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.100.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set pfs Group1
peer set card crypto outside_map 1 50.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 50.1.1.1 type ipsec-l2l
IPSec-attributes tunnel-group 50.1.1.1
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
!
global service-policy global_policy
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d987f3446fe780ab5fbb9d4213b3adff
: end
Hello Mitchell,
Thanks for letting us know the resolution of this topic.
Please answer the question as answered so future users can learn from this topic.
Kind regards
Julio
Maybe you are looking for
-
The reactivation of several disabled
I lost my Skype number some time ago and he would like to return. I don't think that it is used by anyone. How would I go to do this?
-
Implemented ICS update issues, Questions and advice (official)
Welcome to the holders of Xoom under ICS colleagues, Please use this thread to report issues, ask questions, provide advice or other functional response. This thread isn't supposed to be a place to provide lists of wishes for future features or updat
-
Date and time on the graph (read from Excel)
Hi everone, I m new to this forum.I'm stuck with one of my projects.The program is, READ the excel file and it draw on the graph.Registered solar energy output is doing, basically I'm trying to see the chart of the outputs and readings at different t
-
How to add the printer in Photosmart 7525 wireless network to my laptop?
I have already added my new printer Photosmart 7525 to my home network. It is installed via USB with the complete HP 7525 software (downloaded from HP) on my HP desktop computer that is running Windows 7 Home Premium 64 bit and I shared the printer
-
Note to retrieve deleted from the sidebar
I used the sidebar notes to record the special circumstances of my billing. I inadvertently deleted one of my notes. How can I cancel this delete operation? Would this note have been saved by Carbonite?