ASA 5510 Auth for site-to-site VPN users
Hello
is there a way we can get the ASA to prompt users VPN site-to-site to authenticate on ASA/RADIUS before access resources head behind ASA such as Sharepoint etc allowed in via respective VPN ACL?
I never did, but you should be able to use authentication 'Cut Through'.
Basically, the user has little or no access, and the ASA intercepts a request, such as via HTTP and then authenticates the session. After that the user can access all that you allow them.
Tags: Cisco Security
Similar Questions
-
For several years I have implemented no - DMVPN IPSEC VPN. At the time, it was 515 s Pix. If I remember correctly, I could set up is a site to site vpn (in which the phase I and phase II card was entered, PSK, etc.) a user remote vpn (where meanings would be implemented with XAUTH for the user credentials, and I think security settings of group for different users). It comes before DMVPN, who simplified a lot of it.
Anyway, now I have a colleague who bought a RVS4000 with a view to setting up a vpn site-to site with BeeVPN, a site that allows him to work around his ISP followed. When he asked BeeVPN sheet on how to set up his RVS4000 as one endpoint of IPSEC for site to site vpn, they responded with prison to enter his user name and password as the group name. What's a sense? Shouldn't an address of peers, encryption/auth/various-hellman, settings etc. and PSK everything that is required for a vpn site-to site?
Furthermore, I realize that he may have another problem with his dynamic ip address. But I was hoping I could get help on the basics first.
Thank you very much
You are right.
-
ASA 5510 Anyconnect licenses with Cisco Anyconnect VPN IP phone
Hi, hoping someone can shed some light on what I'm just more confused over trying to get by. Not sure if this goes in the section IP Telehpony or here...
We have an ASA 5510 with the base license. We need to install IP phones to home teleworkers, and I understand there are Cisco IP phones that have built-in VPN clients to enable a tunnel to the central private network. IT seems that you can't use Anyconnect VPN to do this, and I am trying to establish what upgrade licenses, we must apply to the ASA, as both Anyconnect licenses that you get for free on the SAA is not enough.
This is the phone that we seek;
I want to know is the Anyconnect Essentials license will work with these IP phones?
When I do a version of the show,
The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 50
Internal hosts: unlimited
Failover: disabled
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 0
GTP/GPRS: disabled
SSL VPN peers: 2
The VPN peers total: 250
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect for Linksys phone: disabled
AnyConnect Essentials: disabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled
This platform includes a basic license.
It shows "AnyConnect for Linksys phone: Disabled", it is the same for the Cisco IP phones? It is the kind of specific license, should I seek for Anyconnect on IP phones or will Essentials?
Hi Leo,
you will need 2 licenses: an Anyconnect Premium license and a permit «Anyconnect of Cisco VPN phone»
ASA 8.2 and earlier license "for Cisco VPN Phone" has been named "for phone Linksys' it's the same.
CFR. http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp1487574
HTH
Herbert
-
ASA 5510 - tips for setting up - no internet
Hi all
I'll set up an ASA 5510 for the first time using the GUI.
I put 0/0 0/1 and outside as inside.
I set up outside with the static WAN address, and it is connected to my ISP.
But I can't do everything Internet works on the inner harbor. I've read elsewhere, I need to add a static route. Can someone please advise?
You must place a default route to carry traffic from inside to outside. Use the GUI to place a static route 0.0.0.0 0.0.0.0 for the ip address of your next hop ip of the connection to the ISP.
Sent by Cisco Support technique Android app
-
ASA 5500 - to access the headquarters SSL VPN users
I have a user who has access to our main office LAN using an SSL VPN. Of course, they can access all of our internal resources.
Is it possible that, in the main office, I can access their machine?
If so, should what configuration changes I give?
Willemin
Should be able to access their machine if they are connected.
Just make sure you know their ip address which is attributed to their SSL VPN, and also if they have a personal firewall installed on their computer, it allows access (or off).
-
How to enable routing on a subnet in ASA 5510
Dear Sir
We use cisco ASA 5510, and we provide access to external users through cisco anyconnect VPN. When users connect, they can access a single subnet. How can afford to drive to another subnet CLI or ASDM?
Thank you best regards &,.
Hello
Seems to me that you have not at least have a NAT0 configuration for traffic between the LAN subnet and VPN pool
This is your current NAT0 ACL configuration
access-list nonat extended permit ip 172.16.0.0 255.255.254.0 172.16.2.0 255.255.255.0 access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0 access-list nonat extended permit ip 172.16.0.0 255.255.0.0 host 10.212.61.32 access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.192 255.255.255.192 access-list nonat extended permit ip 172.16.0.0 255.255.254.0 10.1.12.0 255.255.255.0 access-list nonat extended permit ip 10.1.12.0 255.255.255.0 10.1.12.0 255.255.255.0 access-list nonat extended permit ip 172.16.0.0 255.255.0.0 10.1.12.0 255.255.255.0
Pool of VPN you seems to be 172.16.240.0/24, so you must add the following line of ACL
access-list nonat extended permit ip 10.1.12.0 255.255.255.0 172.16.240.0 255.255.255.0
Hope this helps :)
-Jouni
-
Split tunnel with ASA 5510 and PIX506.
Hello
I have the production between Asa 5510 (main office) and Pix 506 VPN tunnel. It is configured so that all traffic is encrypted and moves through the tunnel. This includes remote users behind Pix Internet traffic. I would like to use split tunnel and direct Internet traffic hitting the web directly from Pix instead of going through the tunnel. How can I do this safely? Please see current config Pix below:
:
6.3 (5) PIX version
interface ethernet0 car
interface ethernet1 10baset
ethernet0 nameif outside security0
nameif ethernet1 inside the security100clock timezone EDT - 5
clock to summer time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 02:00
No fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
No fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
no correction protocol tftp 69
names of
allow VPN 192.x.x.x 255.255.255.0 ip access list one
LocalNet ip access list allow a whole
pager lines 20
opening of session
monitor debug logging
logging warnings put in buffered memory
logging trap warnings
Outside 1500 MTU
Within 1500 MTU
IP address outside 24.x.x.x 255.255.255.0
IP address inside192.x.x.x 255.255.255.0
IP audit name Outside_Attack attack action alarm down reset
IP audit name Outside_Recon info action alarm down reset
interface IP outside the Outside_Recon check
interface IP outside the Outside_Attack check
alarm action IP verification of information
reset the IP audit attack alarm drop action
disable signing verification IP 2000
disable signing verification IP 2001
disable signing verification IP 2004
disable signing verification IP 2005
disable signing verification IP 2150
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list LocalNet
Route outside 0.0.0.0 0.0.0.0 24.x.x.x
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
RADIUS Protocol RADIUS AAA server
AAA-server RADIUS 3 max-failed-attempts
AAA-RADIUS deadtime 10 Server
AAA-server local LOCAL Protocol
Enable http server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp-3des esp-md5-hmac AMC
map UrgentCare 10 ipsec-isakmp crypto
card crypto UrgentCare 10 corresponds to the VPN address
card crypto UrgentCare 10 set counterpart x.x.x.x
card crypto UrgentCare 10 value transform-set AMC
UrgentCare interface card crypto outside
ISAKMP allows outside
ISAKMP key * address x.x.x.x 255.255.255.255 netmask
ISAKMP identity address
part of pre authentication ISAKMP policy 20
ISAKMP policy 20 3des encryption
ISAKMP policy 20 md5 hash
20 2 ISAKMP policy group
ISAKMP duration strategy of life 20 86400
SSH timeout 15
Console timeout 0
Terminal width 80
Cryptochecksum:9701c306b05151471c437f29695ffdbd
: endI would do something by changing the acl that applies to your crypto card. You want to know what you want to support above the tunnel and then deny other networks.
If you have:
192.168.3.0/24
192.168.4.0/24
10.10.10.0/24
172.16.0.0/16
Do something like:
VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.3.0 255.255.255.0
VPN access list allow 192.x.x.x ip 255.255.255.0 192.168.4.0 255.255.255.0
VPN access list allow 192.x.x.x ip 255.255.255.0 10.10.10.0 255.255.255.0
VPN access list allow 192.x.x.x 255.255.255.0 ip 172.16.0.0 255.255.0.0
Then when the traffic is destined for something other than these networks, it will go not to the ISP instead of the tunnel.
HTH,
John
-
ASA 5510 more and Port forwarding
Hallo,
I don't know if the thread title is correctly written, so I'll try to explain my problem.
I have an ASA 5510 more linking several external interface VPN tunnels to internal interface. they work very well. Now I want to access a server in the internal network of trust on the Internet via RDP.
I've set up a static NAT rule which translates by [my public ip phone]: 11111 on [the internal server ip]: 3389. Moreover, I met [my public ip phone] traffic: 11111 outside [the internal server ip]: 3389 inside via the access control list.
Yes, it does not. I made a few soft logic error?
Code:
static (exterior, Interior) [the internal server ip] tcp 3389 [my laptop public ip] 11111 netmask 255.255.255.255
Outside_access_in list extended access permit tcp host [my ip public notebook] [internal server ip] eq 3389
Best regards
EYAD Tayeb.
Hi... I might have a word here!
looking at your config you have
static (inside, outside) tcp 3389 11111 netmask 255.255.255.255
It should be
static (inside, outside) of the tcp 3389 3389 netmask 255.255.255.255 interface
Also... Make sure that the aplpied of the access list for the external interface in the outbound direction does not block traffic referred by your inside host with the public client that initiated the RDP session.
I hope this helps... Please, write it down if she does!
-
VPN site to Site ASA 5510 and 871 w / dynamic IP
What is the best method of creating a VPN site-to site between an ASA 5510 and a router 871 where the 5510 has a static IP address and has 871, a dynamic IP address?
My ASA is running ASA software version 7.0 (5) and I can't find how to create a tunnel for a dynamic IP address via the ASDM. I have currently a tunnel between these two arrangements in place, but it was done by specifying the remote IP address, even if it is dynamic.
Any suggestions or pointers would be * very * appreciated.
-Adam
This can help but it does not show ASDM.
-
ASA 5505 and ASA 5510 Site to Site VPN Tunnel cannot be established
Hi all experts
We are now plan to form an IPSec VPN tunnel from site to site between ASA 5505 (ASA Version 8.4) and ASA 5510 (ASA Version 8.0) but failed, would you please show me how to establish? A reference guide?
I got error syslog 713902 and 713903, how to fix?
I got the following, when I type "sh crypto isakmp his."
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2
Hugo
Hello
This State is reached when the policies of the phase 1 do not correspond to the two ends.
Please confirm that you have the same settings of phase 1 on both sides with the following commands:
See the isakmp crypto race
See the race ikev1 crypto
Also make sure that port UDP 500 and 4500 are open for communication between your device and the remote peer.
Finally, make sure you have a route suitable for the remote VPN endpoint device.
Hope that helps.
Kind regards
Dinesh Moudgil
-
OK my forehead is painful to all keyboard strokes that I know that it must be something simple, but I am brand new to the SAA. I had a site to site VPN configuration via routers 1751 that worked very well, but we're looking to add some more remote field offices, and I felt that it would be easier to maintain several sites is on the ASA 5510. I have the VPN configured on the SAA and he said that the tunnel is up. I can telnet to the ASA and ping the remote gateway on the even side of VPN and it pings fine. If I try to ping on a local computer, I get a "Request timed out". If I makes no changes apart from go to the computer room and replace the network cable the 1751 and then through the 1751 I can now ping the remote door way to my computer. The remote router works obviously very well, my statement of route on my router for vpn push through the ASA (same ip address) IP traffic that has been used by the 1751 works obviously. It seems so just like ASA is not being pushed in the ethernet0/0 VPN traffic or at least it is not encrypted. I also noticed that the ACL for NAT seems to increase in number of access either it seems, there is really just one small thing missing to make the ASA except and encrypt incoming traffic on ethernet0/0:
My network is not configured with a DMZ is something like that, the ASA ethernet0/0 and my local network on the same subnet:
Router (Cisco 2811)
|
Layer switch 2 (ProCurve)
| |
ASA5510 LAN computers
I'm trying to except both sides of the VPN in and out on Ethernet0/0 traffic I saw there was a framework for this "permit communication between VPN peers connected to the same interface' and I've activated this option.
In short, I need to understand why the VPN tunnel shows that upward and I can ping the remote of the SAA, but peripheral gateway on my network can not ping to the remote gateway through the int Ethernet0/0 on the SAA.
From the console of the ASA, I get this:
ASA5510 # ping 192.52.128.1
Send 5, echoes ICMP 100 bytes to 192.52.128.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 100/108/120 msASA5510 # show crypto ipsec his
Interface: *.
Tag crypto map: * _map, local addr: 10.52.120.23local ident (addr, mask, prot, port): (10.52.120.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.52.128.0/255.255.255.0/0/0)
current_peer: x.x.x.204program #pkts: 9, #pkts encrypt: 9, #pkts digest: 9
decaps #pkts: 9, #pkts decrypt: 9, #pkts check: 9
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 9, #pkts comp failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 10.52.120.23, remote Start crypto. : x.x.x.204
Path mtu 1500, fresh ipsec generals 60, media, mtu 1500
current outbound SPI: C49EF75FSAS of the esp on arrival:
SPI: 0x21FDBB9D (570276765)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3529)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC49EF75F (3298752351)
transform: esp-3des esp-md5-hmac
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 1, crypto-map: * _map
calendar of his: service life remaining (KB/s) key: (3824999/3527)
Size IV: 8 bytes
support for replay detection: YFrom my office on the 10.52.120.0 even the etherenet0/0 interface on the ASA network I get this:
C:\Users\***>ping 192.52.128.1
Ping 192.52.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping statistics for 192.52.128.1:
Packets: Sent = 4, received = 0, lost = 4 (100% loss)C:\Users\***>ping 10.52.120.23
Ping 10.52.120.23 with 32 bytes of data:
Reply from 10.52.120.23: bytes = 32 time = 5ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 3ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255
Reply from 10.52.120.23: bytes = 32 time = 1ms TTL = 255Ping statistics for 10.52.120.23:
Packets: Sent = 4, received = 4, lost = 0 (0% loss),
Time approximate round trip in milli-seconds:
Minimum = 1ms, Maximum = 5ms, average = 2msCount on VPN Tunnel ACL does not increase when I try to ping the address of the remote gateway.
Here is the running of the ASA configuration:
ASA Version 7.0 (2)
names of
!
interface Ethernet0/0
nameif InsideNetwork
security-level 100
IP 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
Shutdown
No nameif
no level of security
no ip address
!
interface Ethernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
Shutdown
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
activate the encrypted password of XXXXXXXXXXXXXXXX
passwd encrypted XXXXXXXXXXXXXXXXXXX
ciscoasa hostname
domain default.domain.invalid
passive FTP mode
permit same-security-traffic intra-interface
Access extensive list ip 10.52.120.0 InsideNetwork_nat0_outbound allow 255.255.25
5.0 192.52.128.0 255.255.255.0
Access extensive list ip 10.52.120.0 InsideNetwork_cryptomap_20 allow 255.255.255
.0 192.52.128.0 255.255.255.0
pager lines 24
asdm of logging of information
management of MTU 1500
MTU 1500 InsideNetwork
management of the interface of the monitor
the interface of the monitor InsideNetwork
ASDM image disk0: / asdm - 502.bin
don't allow no asdm history
ARP timeout 14400
NAT (InsideNetwork) 0-list of access InsideNetwork_nat0_outbound
Route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00
Timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
Enable http server
http 192.168.1.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 InsideNetwork
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
card crypto InsideNetwork_map 20 corresponds to the address InsideNetwork_cryptomap_20
card crypto InsideNetwork_map 20 set peer x.x.x.204
InsideNetwork_map 20 transform-set ESP-3DES-MD5 crypto card game
InsideNetwork_map InsideNetwork crypto map interface
ISAKMP enable InsideNetwork
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 md5 hash
10 2 ISAKMP policy group
ISAKMP life duration strategy 10 86400
Telnet 10.52.120.0 255.255.255.0 InsideNetwork
Telnet timeout 5
SSH timeout 5
Console timeout 0
management of 192.168.1.2 - dhcpd address 192.168.1.254
dhcpd lease 3600
dhcpd ping_timeout 50
enable dhcpd management
tunnel-group x.x.x.204 type ipsec-l2l
x.x.x.204 group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the dns-length maximum 512
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
Cryptochecksum:7e478b60b3e406091de466675c52eaaa
: endI haven't added anything to the config except what seemed necessary to get the job of VPN tunnel. It should be fairly clean.
Thanks in advance for any help... I really hope that it is something really simple as a recruit ASA just forgot
Strange, but good news. Thanks for the update. I'm glad everything is working.
THX
MS
-
Cisco ASA 5510 VPN Site to Site with Sonicwall
I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA
Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you
Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall
NAT (inside) 0 access-list sheep
..
IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0
access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0
..
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set counterpart x.x.x.x
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
..
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
..
internal SiteToSitePolicy group strategy
attributes of Group Policy SiteToSitePolicy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
Split-tunnel-network-list no
..
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x General attributes
Group Policy - by default-SiteToSitePolicy
tunnel-group ipsec-attributes x.x.x.x
pre-shared key *.
..
Added some excerpts from the configuration file
Hello Manjitriat,
Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.
Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.
Now the packet tracer must be something like this:
entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80
Please provide us with the result of the following instructions after you run the packet tracer.
See the crypto Isakamp SA
See the crypto Ipsec SA
Kind regards
Julio
-
Site to Site VPN - ASA 5510 / 851 router - no Sas?
We have installed an ASA 5510, version 1.0000 software running. In a remote area, we have a Cisco router to 851 with tunneling IPSec VPN for a PIX 515e. I try to open a backup between the 851 and ASA connection new, and I have a problem. I used ASDM on the side of the ASA and CCP on the side 851 and created a new VPN site to site on both, with PSK encryption algorithms, etc.. I checked the connectivity between the external interfaces of the two devices, and the associated ACLs are simple, because they allow all IP traffic on the internal side of the two devices to talk with each other.
When I do a "crypto isakmp to show his" on the SAA, I get "there is no its isakmp. When I do the same on the 851 router, I see only the existing connection to the PIX. It seems that the tunnel does not run again. I turned on debug various crypto and sent a series of pings, and I don't see any tunnel initiaion even be attempted.
CCP has a VPN to test the tool built in to the router. ASDM has a similar feature? Here's the relevant configs (at least I think... the SAA is enough Greek to me):
ASA 5510 (within the network of 10.20.0.0/16. The perfectly functional PIX is also on this network, with a different public IP address)
access-list ATTOutside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.192.0.0 255.255.0.0 !
nat (Inside,ATTOutside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.192.0.0_16 NETWORK_OBJ_10.192.0.0_16
!crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map ATTOutside_map 2 match address ATTOutside_2_cryptomap crypto map ATTOutside_map 2 set peer 24.140.152.144 crypto map ATTOutside_map 2 set transform-set ESP-3DES-MD5 crypto map ATTOutside_map interface ATTOutside
!crypto isakmp enable ATTOutside crypto isakmp enable Inside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 170 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400
!tunnel-group 24.140.152.144 type ipsec-l2l tunnel-group 24.140.152.144 ipsec-attributes
!
851 router (within the 10.192.4.0/24 network)
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key si9bw1u8woaz address 65.42.15.142
crypto isakmp key 123 address 12.49.251.3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.42.15.142
set peer 65.42.15.142
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to12.49.251.3
set peer 12.49.251.3
set transform-set ESP_3DES_MD5
match address 102
!
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.13.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.14.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.19.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.22.0.0 0.0.255.255
access-list 102 permit ip 10.192.4.0 0.0.0.255 10.23.0.0 0.0.255.255
Michael,
Since you are using the same ACL, subnets, even and even while on your router to your VPN 1 tunnels config and 2, your second VPN tunnel will not succeed because the router already has a tunnel with the PIX for the same traffic.
If you want to configure the ASA as peer backup scratch the second card encryption and instead, add the public IP ASA as a second peer under the original crypto configuration.
Like this:
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.42.15.142
set peer 65.42.15.142
game of transformation-ESP-3DES-SHA1set peer 12.49.251.3
match address 102
The router will attempt to connect to the PIX and if this fails (which means that the PIX has never responded) then it will try to connect to the ASA.
To test it, you could do either of two things: 1. taking the internet conection low PIX will make the router try to connect to the secondary host. 2: change (temporarily) on the router address peer of the PIX to a bogus IP that won't respond, when only one omits the router must try to negotiate with the ASA.
I hope this helps.
Raga
-
% 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510
Hi friends,
I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.
Error in CISCO VPN Client software:
Secure VPN connection terminated locally by the client.
Reason: 414: unable to establish a TCP connection.
Error in CISCO ASA 5510
7-ASA-710005%: TCP request and eliminated from
49276 outward: 10000 The ASA configuration:
XYZ # sh run
: Saved
:
ASA Version 8.4 (4)
!
hostname XYZ
domain XYZ
activate the password encrypted 3uLkVc9JwRA1/OXb N3
activate the encrypted password of R/x90UjisGVJVlh2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside_rim
security-level 0
IP 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
full duplex
nameif XYZ_DMZ
security-level 50
IP 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
Speed 100
full duplex
nameif outside
security-level 0
IP address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
Speed 100
full duplex
nameif inside
security-level 100
IP 3.3.3.3 255.255.255.224
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
domain XYZ
network object obj - 172.17.10.3
Home 172.17.10.3
network object obj - 10.1.134.0
10.1.134.0 subnet 255.255.255.0
network object obj - 208.75.237.0
208.75.237.0 subnet 255.255.255.0
network object obj - 10.7.0.0
10.7.0.0 subnet 255.255.0.0
network object obj - 172.17.2.0
172.17.2.0 subnet 255.255.255.0
network object obj - 172.17.3.0
172.17.3.0 subnet 255.255.255.0
network object obj - 172.19.2.0
172.19.2.0 subnet 255.255.255.0
network object obj - 172.19.3.0
172.19.3.0 subnet 255.255.255.0
network object obj - 172.19.7.0
172.19.7.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.2.0.0
10.2.0.0 subnet 255.255.0.0
network object obj - 10.3.0.0
10.3.0.0 subnet 255.255.0.0
network object obj - 10.4.0.0
10.4.0.0 subnet 255.255.0.0
network object obj - 10.6.0.0
10.6.0.0 subnet 255.255.0.0
network object obj - 10.9.0.0
10.9.0.0 subnet 255.255.0.0
network object obj - 10.11.0.0
10.11.0.0 subnet 255.255.0.0
network object obj - 10.12.0.0
10.12.0.0 subnet 255.255.0.0
network object obj - 172.19.1.0
172.19.1.0 subnet 255.255.255.0
network object obj - 172.21.2.0
172.21.2.0 subnet 255.255.255.0
network object obj - 172.16.2.0
172.16.2.0 subnet 255.255.255.0
network object obj - 10.19.130.201
Home 10.19.130.201
network object obj - 172.30.2.0
172.30.2.0 subnet 255.255.255.0
network object obj - 172.30.3.0
172.30.3.0 subnet 255.255.255.0
network object obj - 172.30.7.0
172.30.7.0 subnet 255.255.255.0
network object obj - 10.10.1.0
10.10.1.0 subnet 255.255.255.0
network object obj - 10.19.130.0
10.19.130.0 subnet 255.255.255.0
network of object obj-XXXXXXXX
host XXXXXXXX
network object obj - 145.248.194.0
145.248.194.0 subnet 255.255.255.0
network object obj - 10.1.134.100
Home 10.1.134.100
network object obj - 10.9.124.100
Home 10.9.124.100
network object obj - 10.1.134.101
Home 10.1.134.101
network object obj - 10.9.124.101
Home 10.9.124.101
network object obj - 10.1.134.102
Home 10.1.134.102
network object obj - 10.9.124.102
Home 10.9.124.102
network object obj - 115.111.99.133
Home 115.111.99.133
network object obj - 10.8.108.0
10.8.108.0 subnet 255.255.255.0
network object obj - 115.111.99.129
Home 115.111.99.129
network object obj - 195.254.159.133
Home 195.254.159.133
network object obj - 195.254.158.136
Home 195.254.158.136
network object obj - 209.164.192.0
subnet 209.164.192.0 255.255.224.0
network object obj - 209.164.208.19
Home 209.164.208.19
network object obj - 209.164.192.126
Home 209.164.192.126
network object obj - 10.8.100.128
subnet 10.8.100.128 255.255.255.128
network object obj - 115.111.99.130
Home 115.111.99.130
network object obj - 10.10.0.0
subnet 10.10.0.0 255.255.0.0
network object obj - 115.111.99.132
Home 115.111.99.132
network object obj - 10.10.1.45
Home 10.10.1.45
network object obj - 10.99.132.0
10.99.132.0 subnet 255.255.255.0
the Serversubnet object-group network
object-network 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
the XYZ_destinations object-group network
object-network 10.1.0.0 255.255.0.0
object-network 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
object-network 10.12.0.0 255.255.0.0
object-network 172.19.1.0 255.255.255.0
object-network 172.19.2.0 255.255.255.0
object-network 172.19.3.0 255.255.255.0
object-network 172.19.7.0 255.255.255.0
object-network 172.17.2.0 255.255.255.0
object-network 172.17.3.0 255.255.255.0
object-network 172.16.2.0 255.255.255.0
object-network 172.16.3.0 255.255.255.0
host of the object-Network 10.50.2.206
the XYZ_us_admin object-group network
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
the XYZ_blr_networkdevices object-group network
object-network 10.200.10.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 XXXXXXXX
access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
access list acl-outside scope permit ip any host 172.17.10.3
access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
access list acl-outside extended permit tcp any any eq 10000
access list acl-outside extended deny ip any any newspaper
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
!
network object obj - 172.17.10.3
NAT (XYZ_DMZ, outside) static 115.111.99.134
Access-group acl-outside in external interface
Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
86400 seconds, duration of life crypto ipsec security association
Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
Crypto-map dynamic dyn1 1jeu reverse-road
card crypto vpn 1 corresponds to the address XYZ
card 1 set of peer XYZ Peer IP vpn crypto
1 set transform-set vpn1 ikev1 vpn crypto card
card crypto vpn 1 lifetime of security set association, 3600 seconds
card crypto vpn 1 set security-association life kilobytes 4608000
correspondence vpn crypto card address 2 DON'T
2 peer NE_Peer IP vpn crypto card game
2 set transform-set vpn2 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 2 set security-association
card crypto vpn 2 set security-association life kilobytes 4608000
card crypto vpn 4 corresponds to the address ML_VPN
card crypto vpn 4 set pfs
vpn crypto card game 4 peers ML_Peer IP
4 set transform-set vpn4 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 4 set - the security association
card crypto vpn 4 set security-association life kilobytes 4608000
vpn crypto card 5 corresponds to the address XYZ_global
vpn crypto card game 5 peers XYZ_globa_Peer IP
5 set transform-set vpn5 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 5 set - the security association
card 5 security-association life set vpn crypto kilobytes 4608000
vpn crypto card 6 corresponds to the address Da_VPN
vpn crypto card game 6 peers Da_VPN_Peer IP
6 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 6 set - the security association
card crypto vpn 6 set security-association life kilobytes 4608000
vpn crypto card 7 corresponds to the address Da_Pd_VPN
7 peer Da_Pd_VPN_Peer IP vpn crypto card game
7 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 7 set - the security association
card crypto vpn 7 set security-association life kilobytes 4608000
vpn outside crypto map interface
crypto map vpn_reliance 1 corresponds to the address XYZ_rim
card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
card crypto vpn_reliance 1 set security-association life kilobytes 4608000
card crypto vpn_reliance interface outside_rim
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
crypto isakmp identity address
No encryption isakmp nat-traversal
Crypto ikev1 enable outside_rim
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 4
preshared authentication
aes-256 encryption
sha hash
Group 5
life 28000
IKEv1 crypto policy 5
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 10.8.100.0 255.255.255.224 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
internal XYZ_c2s_vpn group strategy
username testadmin encrypted password oFJjANE3QKoA206w
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
type tunnel-group XYZ_c2s_vpn remote access
attributes global-tunnel-group XYZ_c2s_vpn
address pool XYZ_c2s_vpn_pool
IPSec-attributes tunnel-group XYZ_c2s_vpn
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
Review the ip options
!
global service-policy global_policy
level 3 privilege see the running-config command exec mode
logging of orders privilege see the level 3 exec mode
privilege see the level 3 exec mode command crypto
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: endXYZ #.
Good news
Follow these steps:
network object obj - 172.30.10.0_24
172.30.10.0 subnet 255.255.255.0
!
the LOCAL_NETWORKS_VPN object-group network
object-network 1.1.1.0 255.255.255.0
!
NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search
* Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.
Keep me posted.
Thank you.
Please note all messages that will be useful.
-
All necessary licenses on ASA 5510 for old Cisco VPN Client
We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?
Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).
You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.
Maybe you are looking for
-
HP Folio 13 t - 1000 replacement LCD
Hello Recently dropped my folio 13 HP. He managed to fold a little of the envelope, but the internal parts are not affected. I decided that I will try to fix it myself, since it is out of warranty. I have all the parts except for the back cover of t
-
I know that WiC is not a game of Microsoft, but I still want to ask the question. Whenever I am trying to install it, a problem appears and says: LastDllError 1047, Description cannot find window class. Can someone help me?
-
HP 20-f394 all-in - One PC stops and restarts itself
If you are looking for a 20 HP - f394 all-in-One PC crashes and restarts, you will see many users have reported this problem and gave the PC low rating because of this problem. Is - this hardware problem or a bug? The HP noticed this popular issue an
-
How can I change the "UninstallString" under \\HKLM?
OT: UninstallString custom?. Hello: I have a need to 'hide' the button 'Cancel' during the process of installation/uninstallation of MSI. Specifically during the MSI uninstall process. One way to achieve this is to use the command line "msiexec /x {p
-
install a hp psc 1310 all-in-one for windows7
I've recently upgraded to a Bell with Windows7 system. Unfortunately I can't get my disc to load for my all-in-one hp psc printer 1310 to load. I get the warning that I don't have "administrator rights" and the system will not load. I tried to dow