ASA 5510 - level security Interface

I have an ASA 5510 (8.2.1 code). I'll implement the separat IPSec tunnels two remote networks, but each remote connection to an ASA respective interface.

Question: I know that the e0/0 ('outside') security level of the interface is 0. However, only the second interface e0/2 ("out2") security level must be set to 0 as well?

Thank you

Jim

Yes you can, simply apply the respective crypto map to the interface. You might want to do e0/2 and e0/3 the same level of security (if your security policy allows) and same-security-traffic permit inter-interface. Which allows communication between the various interfaces that have the same level of security. You can ignore the NAT mess.

Tags: Cisco Security

Similar Questions

ASA 5510 - possible to fill the 2 interfaces in routed mode

Cisco ASA 5510 with security more license, version 9.1 (5) running in routed mode.

I want to fill two interfaces for example: eth0/2 and 3/eth0 and configure an IP address / network while leaving the ASA 5510 in routed mode. I know that this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch but my client does not want to do.

Otherwise, my only thought would be to configure each interface eth0/2 and eth0/3 as a network traffic and the route of subnet separate between the two.

Any help would be appreciated!

Thank you

Andrew

Andrew

That would help us answer you better if we understood more about what your client and you want to accomplish. But to answer the specific question you asked, I don't think it is possible in an ASA5510 in routed mode configuration Eth2 and Eth3 to share a single IP address.

Linking to Eth2 and linking to Eth3 Are they really the same subnet?

HTH

Rick

Gigabit on ASA 5510

Hello

How would we go about setting up the speed of 1000 Mbps in an ASA 5510 with the license "security more?

That's what I want to say on any interface:

FW(Config-if) # speed?

options/commands in interface mode:

10 operation force 10 Mbps

Operation of the force 100 Mbps 100

automatic configuration of the speed to activate AUTO

Thank you.

Gabi

I thhink you should upgrede to 8.0 (3)

I have asa 5510 with security license.

Cisco Adaptive Security Appliance Version 7.2 software (3)

ASA5510(Config-if) #.

ASA5510 # conf t

ASA5510 (config) # int e0/0

ASA5510(Config-if) # spe

ASA5510(Config-if) # speed?

options/commands in interface mode:

10 operation force 10 Mbps

Operation of the force 100 Mbps 100

Operation of force 1000 Mbit/s 1000

automatic configuration of the speed to activate AUTO

How to test ASA 5510 hardware before you buy?

Im looking to buy a refurbished warranty on ASA 5510 with security license. What tests should all I leads with one independent and the device network to ensure that the material is good?

Hi, I usually ask a full boot and see the output of the version every time I buy referb or eBay. Sometimes you do not get these output unless the vendor is notified.

ASA 5510 Configuration. How to set up 2 outside the interface.

Hello

I have Cisco ASA 5510 and the desktop, I want to create a new route to another (external) router to my ISP.

The workstation I can Ping ASA E0/2 interface but I cannot ping the router ISP B inside and outside of the interface.

I based my setup on the existing configuration. which so far is working

interface Ethernet0/0
Outside of the interface description
nameif outside
security-level 0
IP 122.55.71.138 address 255.255.255.2
!
interface Ethernet0/1
Inside the interface description
nameif inside
security-level 100
IP 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
Outside of the interface description
nameif outside
security-level 0
IP 121.97.64.178 255.255.255.240
!

Global 1 interface (outside)

global (outside) 2 interface (I created this for E0/2)
NAT (inside) 0 access-list sheep

NAT (inside) 1 10.34.48.11 255.255.255.255 (work: router ISP inside and outside interface E0/0)

NAT (inside) 2 10.34.48.32 255.255.255.255 (work: E0/2 router ISP on the inside interface only but cant outside ping).

Route outside 0.0.0.0 0.0.0.0 122.55.71.139 1 (work)

Route outside 10.34.48.32 255.255.255.255 121.97.64.179 1 (the new Road Test)

Router ISP, that a job can ping and I can access the internet

interface FastEthernet0/0
Description Connection to ASA5510
IP 122.55.71.139 255.255.255.248
no ip redirection
no ip proxy-arp
IP nat inside
automatic duplex
automatic speed
!
the interface S0/0
IP 111.54.29.122 255.255.255.252
no ip redirection
no ip proxy-arp
NAT outside IP
!
IP nat inside source static 122.55.71.139 111.54.29.122
IP http server
IP classless
IP route 0.0.0.0 0.0.0.0 Serial0/0

FAI 2

interface FastEthernet0/0 (SAA can ping this interface)
Description Connection to ASA5510
IP 121.97.64.179 255.255.255.248
no ip redirection
no ip proxy-arp
IP nat inside
automatic duplex
automatic speed
!
interface E0/0 (ASA Can not ping this interface)
IP 121.97.69.122 255.255.255.252
no ip redirection
no ip proxy-arp
NAT outside IP
!
IP nat inside source static 121.97.64.179 121.97.69.122
IP http server
IP classless
IP route 0.0.0.0 0.0.0.0 E0/0

CABLES

ASA to router ISP B (straight cable)

Router ISP in the UDI (straight cable)

Hope you could give some advice and the solution for this kind of problem please

Hello

Are you able to ping the router IP of the interface of the device of the ASA? If so, try a trace of package on the device of the SAA for traffic to the IP address of the router.

Thank you and best regards,

Maryse Amrodia

How many interfaces in asa 5510

can someone pls tell me how many interfaces in asa 5510.and we can add more interfaces to it.

concerning

Assane

Hi assane,.

When you order the ASA5510, you can choose between (option Setup/Noo-Noo fixed to add more ports interface):

1 ASA5510 device comes with 3 x FastEthernet, more 1xmanagement port (FastEthernet)

ASA5510-BUN-K9: Cisco ASA 5510 Firewall Edition includes 3 Fast Ethernet interfaces, 250 peers IPSec VPN, SSL VPN 2 peers 3DES/AES license, or

2 ASA5510 comes with 5xFastEthernet, most 1xmanagement port (FastEthernet).

Cisco ASA 5510 Security Plus Firewall Edition includes 5 interfaces Fast Ethernet, 250 VPN IPSec peers, 2 peers of SSL VPN, high availability active / standby, 3DES/AES license

http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html

Rgds,

AK

ASA 5510 w / license more lost security contexts

I have an ASA 5510 with license more than security and when I looked the devices a few days ago, I had 2 contexts, however after you have configured the port of Mgm as a regular port contexts show 0, why? I can't find anywhere on the internet where this problem occurred: this is the result of show worm:

Cisco Adaptive Security Appliance Software Version 7.0 (8)

Updated Sunday, 31 May 08 23:48 by manufacturers

System image file is "disk0: / asa708 - k8.bin.

The configuration file to the startup was "startup-config '.

SHIELDASA01 up to 21 hours 16 minutes

Material: ASA5510, 256 MB of RAM, processor Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256 MB

BIOS Flash M50FW080 @ 0xffe00000, 1024 KB

Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)

Start firmware: CNlite-MC-Boot-Cisco - 1.2

SSL/IKE firmware: CNlite-MC-IPSEC-Admin - 3.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Ext: Ethernet0/0: the address is 0021.a025.2d3c, irq 9

1: Ext: Ethernet0/1: the address is 0021.a025.2d3d, irq 9

2: Ext: Ethernet0/2: the address is 0021.a025.2d3e, irq 9

3: Ext: Ethernet0/3: the address is 0021.a025.2d3f, irq 9

4: Ext: Management0/0: the address is 0021.a025.2d3b, irq 11

5: Int: not used: irq 11

6: Int: not used: irq 5

The devices allowed for this platform:

The maximum physical Interfaces: unlimited

VLAN maximum: 25

Internal hosts: unlimited

Failover: Active / standby

VPN - A: enabled

VPN-3DES-AES: enabled

Security contexts: 0

GTP/GPRS: disabled

VPN peers: 150

This platform includes an ASA 5510 Security Plus license.

I'm not showing the serial number and keys licese for obivious reasons. Any help? Thanks in advance.

You might want to try upgrading your IOS on the SAA, see if it can help, can you check the firewall mode (single or multiple) you're currently on? is your asa transparant or routed?

Interfaces of AIM - SSM and ASA 5510

All, someone can explain if and how routing works between the ASA and the map of the IPS?

(1) is the single NIC in the card IPS management purposes only?

(2) is the IP address configured in the process of installing the card for that one NIC?

(3) should it have no routing between for example the management of the ASA or any other interface and card management interface or can they reside on completely separate networks?

Thank you

Jonathan

Map of the IPS has 3 interfaces.

The management interface is an external interface that you plug a network cable in. The IP address is configured by the user during installation.

Sniffing is the internal interface of data backplane ASA. No IP address is never assigned to this interface.

Interface control plan is an internal control ASA management interface, so that the SAA can communicate internally to the SSM (the session command runs through this interface). The IP address of the control plan is controlled by the ASA and not user configurable,

The management interface's management only.

The IP address that is configured during installation is only for this management interface.

Regarding the routing between the ASA and the SSM, it's completely up to the user.

All communications from the ASA to the SSM are made internally through interface control plan and therefore the SAA itself has no need to know how to communicate on the SSM management IP.

The SSM, however, must communicate from IP management is one of the ASA interfaces to Shunning/blocking on the SAA. Shunning/blocking is not through the control plan.

When you use IDM or ASDM for configuration as java Web applet access to DFS management IP so the computer that runs the IDM or ASDM must be on the local network of the MSS management port, or routable network.

Some scenarios:

(1) only one machine (IDS MC/s LUN) communicating with the SSM. In this scenario, you could take a crossover cable and connect directly one machine to the MSS.

The SSM can communicate only on this computer into one.

(2) a secure network to manage security devices that is NOT routable from the other networks.

In this scenario the box management, DFS management port and the management of the ASA port would be all placed in a network.

The SSM would be able to communicat with the box management and the ASA management port.

The ASA management port is configured as a management only for the ASA port will not route input/output of the management network.

While management on this local network zone can communicate with the SSM, and no distance box cannot connect directly to the SSM.

(NOTE: blocking/Shunning will work here because the SSM can speak to the ASA)

(3) a secure network which IS routable from the other networks.

Similar to option 2 above, but in this case the ASA management port is configured to NOT be a 'single management' port and is instead treated as any other port on the firewall. In this configuration, the management port of the ASA CAN road entrance/exit to the management network.

NOTE: In most cases the ASA will need to configure a NAT for the SSM management IP address if users want to connect on the SSM management IP remotely from the Internet (such as running ASDM of the main network of the company on the internet to set up the SAA and the SSM on a remote site)

(4) SSM management IP on one of the normal networks behind the ASA. In this screenplay DFS management port would be connected to a switch or a hub where other internal machines are connected (like jumping in the DMZ switch / vlan). The ASA point of view of the management port SSM would be treated as any other web and ssh server behind the firewall.

Allow specific access through the Interfaces ASA 5510

Hi all

In my quest to learn Cisco IOS and devices, I need help in smoothing traffic, or access lists, allowing traffic between internal interfaces on the SAA specifically.

I have an ASA 5510:

WAN/LAN/DMZ ports labled E0/0 (LAN), E0/1 (WAN), E0/2 (DMZ).

Connected to the port E0/0 is a 2811 router

Connected to the port E0/1 is the (external) Internet

Connected to the port E0/2 is a 2821

(I'll add a 3745 for VOIP) port E0/3, but it has not yet happened.

I want to allow traffic between the 2821 and the 2811 routers so that devices on the networks behind them can talk to each other.

I've specified specific subnets between the ASA and the routers because I want to learn how to shape traffic behind routers, as well as on the ASA. So behind the routers I have different VLANS, but I'm not restrict access between them, still, at least I don't think I am. But as it is, behind the 2821 devices cannot access the DNS / DOMAIN SERVER that is located behind the 2811. Right now I have the routers DHCP power, who works there. Currently devices behind the router 2821-3560 switch cannot access the domain server, primary dns server.

How can I set the ASA to allow traffic to flow between the two routers and their VLANS?

Here's the configs of each device and I have also included my switch configs, incase something should be set on them. I only removed the passwords and the parts of the external IP address. I appreciate the help in which States to create and on which devices.

I think it is best that I put the links to the files of text here.

Thank you!

You must remove the following statements on the two routers:
-# ip nat inside source... overload
-for each # ip nat inside/outside interface, if they have configured.

Remove ads rip of the networks that are not directly connected:
-2821: 172.16.0.0, 192.168.1.0, 199.195.xxx.0
-2811: 199.195.xxx.0
-ASA: 128.0.0.0

No way should be added to the routers, since he is the one by default, put in scene to ASA.

Check the tables of routing on routers and the ASA.

On ASA:

-Remove:
object-group network # PAT - SOURCE
# nat (indoor, outdoor) automatic interface after PAT-SOURCE dynamic source

-create objects of the networks behind the LAN router and enable dynamic NAT:
network object #.
subnet
NAT (inside, outside) dynamic interface

-review remains NAT rules.

-to set/adjust the lists access penetration on the interfaces. Do not forget to allow the rip on the LAN and DMZ interfaces.

-Disable rip on the outside interface.

How default context in plsu security edition asa 5510

Hi could someon pls tell me with the edition of security plsu asa 5510 it will support active/active failover. and she supports context with securiyt plsu edition. and how default context do we receive with edition of plsu security asa 5510.

concerning

Assane

Hello

By default, ASA5510 with Security Plus comes with default 2 security [email protected] / * / firewall. Context of maximum security, you can have (upgrade to) is 5.

With license upgrade of security Plus, you might have active/active and active / standby (choose one to run at any time) high availability services.

http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html

Rgds,

AK

in my cisco asa 5510 heartbeat interface

Cisco asa 5510 heartbeat interface

Of course, we will need to more information than what you have given to us. Next time, don't even bother if you want to help us...

Cisco ASA 5510 L2L VPN on the backup interface

OK, here is what I have and I even if I knew how to do this, but it has not worked for me. I hope someone out there can help you.

I have an ASA 5510 running 8.4 with double configuration of ISPs on 2 different interfaces: outside (primary), backup (backup). I also have a site to site VPN ASA another in another city. The VPN is now configured on the external interface and works very well. What I wanted to do, is to make the VPN running on backup interface only.

So, I changed the card encryption on the remote side to use the backup interface IP and created a tunnel-group for her. Then, I created a map encryption for backup interface and activated ikev1 on it. The default route is configured to use the external interface, so I created a static route that routes traffic destined for the external interface of the remote side to the backup interface default gateway. I can get to establish tunnels, but no traffic passes through them. I have however while I need a NAT device for the tunnel traffic to I created a NAT so but still no transmitted traffic. I tried the packet - trace and he said: the traffic was allowed and show its crypto ipsec command, I see the configuration of the tunnel, but no traffic will pass through it. Can anyone help?

Ben,

you use a code to version 8.4, I recommend starting by removing the config NAT statements at both ends. This version does not have the NAT and control, and if you don't need... I've seen instances with 8.4 (3) where a NAT even though apparently correct was causing not to pass through the traffic.

Site A:

NAT (inside, backup) source static obj-SiteALAN obj-SiteALAN static obj-SiteBLAN obj-SiteBLAN

Site b:

NAT (inside, outside) source static obj - 192.168.5.0 obj - 192.168.5.0 destination static obj - 192.168.3.0 obj - 192.168.3.0

If possible, you should increase your AES encryption, but this is a personal point of view and should not stop the traffic through the links. You should be able to see the counters for the data transmitted / received are these incrementing?

Do you have the ACLs that are from the inside to the outside and internal interface to the Interface of backup (duplicated.

In this model, the control is the routing.

Best regards

Ju

http://helpamunky.WordPress.com/

Review of the ASA 5510 Config

Hi all, I'm about to replace an existing a new ASA 5510 firewall. The environment is pretty simple, just an external and internal interface. I put in correspondence configs as much as possible, but I'd like to see if there are obvious problems. I am concerned mainly with my NAT statements. Nothing in the following config (sterilized) seems out of place? Thank you!!

------------------------------------------------------------

ASA 4,0000 Version 5

!

ciscoasa hostname

enable the encrypted password xxxxxxxxxx

XXXXXXXXXX encrypted passwd

names of

!

interface Ethernet0/0

nameif outside

security-level 0

IP 40.100.2.2 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

IP 10.30.0.100 255.255.255.0

!

interface Ethernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

Shutdown

nameif management

security-level 100

IP 192.168.1.1 255.255.255.0

management only

!

boot system Disk0: / asa844-5 - k8.bin

passive FTP mode

permit same-security-traffic inter-interface

network of the 10.10.0.78 object

Home 10.10.0.78

Nospam description

network of the 10.10.0.39 object

Home 10.10.0.39

Description exch

network of the 55.100.20.109 object

Home 55.100.20.109

Description mail.oursite.com

network of the 10.10.0.156 object

Home 10.10.0.156

Description

www.oursite.com-Internal

network of the 55.100.20.101 object

Home 55.100.20.101

Description

www.oursite.com-External

network of the 10.10.0.155 object

Home 10.10.0.155

Ftp description

network of the 10.10.0.190 object

Home 10.10.0.190

farm www Description

network of the 10.10.0.191 object

Home 10.10.0.191

farm svc Description

network of the 10.10.0.28 object

Home 10.10.0.28

Vpn description

network of the 10.10.0.57 object

Home 10.10.0.57

Description cust.oursite.com

network of the 10.10.0.66 object

Home 10.10.0.66

Description spoint.oursite.com

network of the 55.100.20.102 object

Home 55.100.20.102

Description cust.oursite.com

network of the 55.100.20.103 object

Home 55.100.20.103

Ftp description

network of the 55.100.20.104 object

Home 55.100.20.104

Vpn description

network of the 55.100.20.105 object

Home 55.100.20.105

app www description

network of the 55.100.20.106 object

Home 55.100.20.106

app svc description

network of the 55.100.20.107 object

Home 55.100.20.107

Description spoint.oursite.com

network of the 55.100.20.108 object

Home 55.100.20.108

Description exchange.oursite.com

ICMP-type of object-group DM_INLINE_ICMP_1

response to echo ICMP-object

ICMP-object has exceeded the time

ICMP-unreachable object

Exchange_Inbound tcp service object-group

EQ port 587 object

port-object eq 993

port-object eq www

EQ object of the https port

port-object eq imap4

DM_INLINE_TCP_1 tcp service object-group

port-object eq www

EQ object of the https port

object-group service DM_INLINE_SERVICE_1

will the service object

the purpose of the tcp destination eq pptp service

the DM_INLINE_NETWORK_1 object-group network

network-object, object 10.10.0.190

network-object, object 10.10.0.191

the DM_INLINE_NETWORK_2 object-group network

network-object, object 10.10.0.156

network-object, object 10.10.0.57

DM_INLINE_TCP_2 tcp service object-group

port-object eq www

EQ object of the https port

object-group service sharepoint tcp

port-object eq 9255

port-object eq www

EQ object of the https port

outside_access_in list extended access permit icmp any any DM_INLINE_ICMP_1 object-group

outside_access_in list extended access permit tcp any object 10.10.0.78 eq smtp

outside_access_in list extended access permit tcp any object object 10.10.0.39 - Exchange_Inbound group

outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_2-group of objects DM_INLINE_TCP_1

outside_access_in list extended access permit tcp any object 10.10.0.155 eq ftp

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any object 10.10.0.28

outside_access_in list extended access permit tcp any object-group DM_INLINE_NETWORK_1-group of objects DM_INLINE_TCP_2

outside_access_in list extended access permit tcp any object 10.10.0.66 object-group Sharepoint

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

management of MTU 1500

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-649 - 103.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (exterior, Interior) static source everything any static destination 55.100.20.109 10.10.0.78

NAT (exterior, Interior) static source everything any static destination 55.100.20.108 one-way 10.10.0.39

NAT (inside, outside) static source 10.10.0.39 one-way 55.100.20.109

NAT (exterior, Interior) static source everything any static destination 55.100.20.101 10.10.0.156

NAT (exterior, Interior) static source everything any static destination 55.100.20.102 10.10.0.57

NAT (exterior, Interior) static source everything any static destination 55.100.20.103 10.10.0.155

NAT (exterior, Interior) static source everything any static destination 55.100.20.104 10.10.0.28

NAT (exterior, Interior) static source everything any static destination 55.100.20.105 10.10.0.190

NAT (exterior, Interior) static source everything any static destination 55.100.20.106 10.10.0.191

NAT (exterior, Interior) static source everything any static destination 55.100.20.107 10.10.0.66

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 40.100.2.1 1

Route inside 10.10.0.0 255.255.255.0 10.30.0.1 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

Enable http server

http 192.168.1.0 255.255.255.0 management

http 10.10.0.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Telnet timeout 5

SSH 10.10.0.0 255.255.255.0 inside

SSH timeout 5

SSH group dh-Group1-sha1 key exchange

Console timeout 0

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

source of NTP server outside xxxxxxxxxx

WebVPN

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

inspect the pptp

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:40cee3a773d380834b10195ffc63a02f

: end

Hello

You do nat (exterior, Interior), I'm going to do inside, outside but the configuration is always good.

The ACL configuration is fine, Nat is fine, so you should have problems,

Kind regards

Julio

Issue of ASA 5510

Dear all,

I applied ASA 5510 in my network,

I configured 3 DMZ, inside and outside interfaces

ASA, I can access the Interior, DMZ and outside (Internet)

Inside users can communicate with the servers in the DMZ

Inside users goto Internet via the external interface

DMZ servers can goto Internet via the external interface

The DMZ servers cannot Ping inside the network

I've been using IpSec VPN on my router,

clients connect to the router using the Cisco VPN Client software,

NOW, when I understood ASA in the network, VPN clients are unable to communicate with the servers in the DMZ

security level 0 for outside

DMZ 50

100 for the inside

NAT is disabled with no command nat control

What I need to ON the NAT and some ACL must be put in place...

Please advise me what ACL I should implement, interface? Direction?

Which statement NAT should I include?

I want to access my network via VPN...

Help, please

Kind regards

Junaid

ICMP pings are not stateful. The firewall needs special treatment to dynamically allow pings back, this is done through the "ICMP inspection." The ICMP inspection is disabled by default. You can activate the inspection or use an ACL to allow ICMP traffic. Here is a useful link:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

Please rate if useful.

Concerning

Farrukh

S2S VPN Asa 5510 to 5505 no traffic passing (hair Pulling)

I have one site to another configured between a 5505 and ASA 5510, the tunnel is in place but can not pass any traffic one way or another. A 5510, 8.4.3 while the 5505 was 8.2. I find the version 8.2 the less confusing when configure the VPN. The new NAT throws me for a loop on the 5510. I have 1 tunnel upward and will already and it works fine. But when I do a new online, it won't pass any traffic.

The traffic I'm EFS is 5510 (192.168.180.0/24, 172.25.11.0/24)<-------> 5505 (192.168.197.0/24) many thanks in advance!

Here's the configs for the two.

main site of 5510

ASA Version 8.4(3) ! hostname ASA5510 domain-name fphc.us enable password dmbm8Lq9pBST.0kk encrypted passwd dmbm8Lq9pBST.0kk encrypted names ! interface Ethernet0/0 nameif Outside security-level 0 ip address x.x.x.130 255.255.255.240 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 192.168.180.253 255.255.254.0 ! interface Ethernet0/2 speed 100 duplex full shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 no ip address management-only ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup Inside dns server-group DefaultDNS name-server 192.168.180.231 name-server 192.168.180.232 name-server 192.168.180.233 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj-192.168.180.0 subnet 192.168.180.0 255.255.254.0 object network obj-192.168.188.0 subnet 192.168.188.0 255.255.255.0 object network obj-216.86.7.128 subnet x.x.x.128 255.255.255.240 object network Mobile_Unit subnet 192.168.193.0 255.255.255.0 object network obj-172.27.0.0 subnet 172.27.0.0 255.255.255.0 object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj-172.25.11.0 subnet 172.25.11.0 255.255.255.0 object network obj-172.35.0.0 subnet 172.35.0.0 255.255.254.0 object network SpamBox_1 host 192.168.180.244 object network SpamBox_2 host 192.168.180.248 object network Exchange host 192.168.180.235 object network PMG subnet 192.168.178.0 255.255.255.0 object network Outside_Gateway host x.x.x.129 object network AHCCN subnet 172.35.0.0 255.255.254.0 object network MM subnet 10.90.254.0 255.255.255.0 object network NETWORK_OBJ_172.27.0.0_25 subnet 172.27.0.0 255.255.255.128 object network NETWORK_OBJ_172.27.0.0_26 subnet 172.27.0.0 255.255.255.192 object network obj-172.35.1.199 host 172.35.1.199 object network obj-192.168.51.5 host 192.168.51.5 object service 6004 service udp destination eq 6004 object network AT_Remote subnet 192.168.197.0 255.255.255.0 object-group service DM_INLINE_SERVICE_2 service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp-udp destination eq www object-group network DM_INLINE_NETWORK_1 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_2 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_3 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_16 network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object source-quench object-group network DM_INLINE_NETWORK_5 network-object object AHCCN network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_6 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_4 service-object icmp service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_5 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_6 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_0 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp-udp destination eq domain service-object object 6004 object-group network DM_INLINE_NETWORK_7 network-object object MM network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_8 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group service DM_INLINE_SERVICE_7 service-object tcp-udp destination eq domain service-object object 6004 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp object-group network DM_INLINE_NETWORK_10 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group network DM_INLINE_NETWORK_9 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_11 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_1 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group network DM_INLINE_NETWORK_13 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_14 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_12 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_3 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_8 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service Exchange-6001 udp port-object range 6001 6004 object-group network DM_INLINE_NETWORK_15 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_10 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_9 service-object ip service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp destination eq citrix-ica service-object tcp destination eq www service-object tcp destination eq https object-group network DM_INLINE_NETWORK_18 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_19 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_20 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_17 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0 access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object AT_Remote object-group DM_INLINE_NETWORK_15 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any access-list Outside_access_in extended permit ip object Mobile_Unit object-group DM_INLINE_NETWORK_12 log debugging access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2 access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 access-list Outside_access_in extended deny ip 127.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 169.254.0.0 255.255.0.0 any log access-list Outside_access_in extended deny ip 224.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 239.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 173.0.0.0 255.0.0.0 any log debugging access-list Outside_access_in extended deny ip 224.0.0.0 255.255.255.31 any access-list Outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any access-list Outside_access_in extended deny ip any any access-list global_mpc extended permit ip any any access-list global_access extended permit udp object obj-172.35.1.199 any eq snmp log disable access-list global_access extended permit ip object obj-172.27.0.0 any access-list splitTunnelAcl standard permit 192.168.180.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.35.0.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.25.11.0 255.255.255.0 access-list splitTunnelAcl standard permit 10.90.254.0 255.255.255.0 access-list Outside_cryptomap_1 extended permit ip object PMG object-group DM_INLINE_NETWORK_13 access-list Inside_access_in extended permit ip object obj_any any access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Exchange any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object SpamBox_1 any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object SpamBox_2 any log access-list Inside_access_in extended deny ip any any access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_17 object AT_Remote access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_18 object PMG log access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_3 object Mobile_Unit pager lines 24 logging enable logging timestamp logging emblem logging rate-limit unlimited level 1 logging rate-limit unlimited level 6 logging rate-limit unlimited level 7 mtu Outside 1500 mtu Inside 1500 mtu management 1500 ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0 ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0 ip verify reverse-path interface Outside ip verify reverse-path interface Inside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside icmp permit any Inside asdm history enable arp timeout 14400 nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp nat (Inside,Outside) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Mobile_Unit Mobile_Unit no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static AT_Remote AT_Remote no-proxy-arp route-lookup ! object network obj_any nat (Inside,Outside) dynamic interface object network SpamBox_1 nat (Inside,Outside) static x.x.x.132 object network SpamBox_2 nat (Inside,Outside) static x.x.x.133 object network Exchange nat (Inside,Outside) static x.x.x.131 dns access-group Outside_access_in in interface Outside access-group Inside_access_in in interface Inside access-group global_access global route Outside 0.0.0.0 0.0.0.0 x.x.x..129 1 route Inside 10.90.254.0 255.255.255.0 192.168.180.1 1 route Inside 172.16.200.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.10.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.11.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.12.0 255.255.255.0 192.168.180.200 1 route Inside 172.27.0.0 255.255.255.0 192.168.180.200 1 route Inside 172.29.0.0 255.255.0.0 192.168.180.200 1 route Inside 172.35.0.0 255.255.254.0 192.168.180.200 1 route Inside 192.168.182.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.183.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.184.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.185.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.186.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.187.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.189.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.190.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.191.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.192.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.194.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.195.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.196.0 255.255.255.0 192.168.180.200 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server DC's protocol radius max-failed-attempts 5 aaa-server DC's (Inside) host 192.168.180.231 timeout 5 key ***** user-identity default-domain LOCAL http server enable http 192.168.180.0 255.255.255.0 Inside http 0.0.0.0 0.0.0.0 Inside http 172.27.0.0 255.255.255.0 Outside http 172.27.0.0 255.255.255.0 Inside snmp-server group Authentication&Encryption v3 priv snmp-server user trap Authentication&Encryption v3 encrypted auth md5 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78 priv 3des 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78:08:c6:ef:b2:7e:89:45:f2:6f:78:b5:01:33:47:68:c9 snmp-server host Inside 172.35.1.199 community ***** version 2c snmp-server host Inside 192.168.180.7 community ***** version 2c snmp-server location MLK snmp-server contact xxxxxxxx snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps entity config-change fru-insert fru-remove snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start no sysopt connection reclassify-vpn sysopt connection preserve-vpn-flows crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association lifetime seconds 43200 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 1 match address Outside_1_cryptomap crypto map Outside_map 1 set peer 173.10.204.46 crypto map Outside_map 1 set ikev1 phase1-mode aggressive crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 1 set ikev2 pre-shared-key ***** crypto map Outside_map 1 set security-association lifetime seconds 460800 crypto map Outside_map 4 match address Outside_cryptomap_1 crypto map Outside_map 4 set peer 207.190.237.254 crypto map Outside_map 4 set ikev1 phase1-mode aggressive group5 crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA crypto map Outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 4 set security-association lifetime seconds 460800 crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map 1 match address Outside_cryptomap_2 crypto map outside_map 1 set peer x.x.x.201 crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 match address Outside_cryptomap crypto map outside_map 2 set peer x.x.x.254 crypto map outside_map 2 set ikev1 phase1-mode aggressive group5 crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map outside_map 3 match address Outside_cryptomap_4 crypto map outside_map 3 set peer x.x.216.130 crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface Outside crypto ca trustpoint LOCAL-CA-SERVER keypair LOCAL-CA-SERVER crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=FPHC-ASA serial-number keypair LOCAL-CA-SERVER crl configure crypto ca server shutdown crypto ca certificate chain LOCAL-CA-SERVER certificate ca 01     308201ff 30820168 a0030201 02020101 300d0609 2a864886 f70d0101 05050030     13311130 0f060355 04031308 46504843 2d415341 301e170d 31323039 32303232     34393034 5a170d31 35303932 30323234 3930345a 30133111 300f0603 55040313     08465048 432d4153 4130819f 300d0609 2a864886 f70d0101 01050003 818d0030     81890281 8100e841 eeca425c 20c47a19 3b335924 30281111 cff571d7 0bb63dd8     5f3194f5 59d99cb1 60269694 aa13c591 505e0575 2de5ebb1 92d7c931 807f807b     6e84ee54 1da4ccaf 1f109f53 94c6e567 a8064e27 e27f3ea0 94f7bf32 2fe6064c     c2bbcd0d 7b0f8806 8614fcf9 80c6e4e1 83da75c5 080c7117 09e1d574 f17de8ac     1da4f2f9 f6e10203 010001a3 63306130 0f060355 1d130101 ff040530 030101ff     300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680 144cb3da     6b6a5a14 c4b78674 49609b6b 8e58ea5f a3301d06 03551d0e 04160414 4cb3da6b     6a5a14c4 b7867449 609b6b8e 58ea5fa3 300d0609 2a864886 f70d0101 05050003     818100e0 7c9e15c3 13068614 788ff4d3 f282a4f4 fde72b00 3b05748f 0a4f68ec     6a7eb5fb 40c6d505 b1c35372 87102173 bb017e4b 2697c8f5 b66395f2 1418c77c     3e959343 84674b96 33558a08 629336c8 39c742bf 6b727b00 388a7102 8619cb5a     e4227aaf b58e267c 9e8b23d6 94cdc789 eb29cd96 1e579770 a2aa58ab 40694bb9 12888d   quit crypto ca certificate chain ASDM_TrustPoint0 certificate bd555b50     308201f7 30820160 a0030201 020204bd 555b5030 0d06092a 864886f7 0d010105     05003040 3111300f 06035504 03130846 5048432d 41534131 2b301206 03550405     130b4a4d 58313632 33583130 51301506 092a8648 86f70d01 09021608 46504843     2d415341 301e170d 31323039 32303232 35383434 5a170d32 32303931 38323235     3834345a 30403111 300f0603 55040313 08465048 432d4153 41312b30 12060355     0405130b 4a4d5831 36323358 31305130 1506092a 864886f7 0d010902 16084650     48432d41 53413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902     818100e8 41eeca42 5c20c47a 193b3359 24302811 11cff571 d70bb63d d85f3194     f559d99c b1602696 94aa13c5 91505e05 752de5eb b192d7c9 31807f80 7b6e84ee     541da4cc af1f109f 5394c6e5 67a8064e 27e27f3e a094f7bf 322fe606 4cc2bbcd     0d7b0f88 068614fc f980c6e4 e183da75 c5080c71 1709e1d5 74f17de8 ac1da4f2     f9f6e102 03010001 300d0609 2a864886 f70d0101 05050003 8181008b c7a3e119     f1c6f60c 56ab7fd4 5096cfdf abb44331 fe3a0249 7f5fe79b 38a044c2 9a8b907d     12feba5d 6298a414 c4973369 040585b8 26b8b29e dfe7e226 0b10d08e 03658648     2fb0233e 27204339 c5a1c270 a0fec5b4 834340ac 9afefe75 4f802cb6 fb21b89c     9016e32c 2e772c00 191d23e0 036c4321 93a43b48 a6b682af 5dd5c0   quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable Outside crypto ikev1 enable Outside crypto ikev1 enable management crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet 192.168.180.0 255.255.255.0 Inside telnet 172.27.0.0 255.255.255.0 Inside telnet timeout 10 ssh 192.168.180.0 255.255.255.0 Inside ssh 172.27.0.0 255.255.255.0 Inside ssh timeout 20 console timeout 0 management-access Inside vpn load-balancing interface lbpublic Outside interface lbprivate Inside threat-detection basic-threat threat-detection scanning-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp authenticate ntp server 50.77.217.185 source Outside prefer ntp server 216.171.120.36 source Outside webvpn group-policy "S2S-RA-Group Policy" internal group-policy "S2S-RA-Group Policy" attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client group-policy DfltGrpPolicy attributes vpn-filter value Inside_nat0_outbound vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless group-policy GroupPolicy_x.x.x.46 internal group-policy GroupPolicy_x.x.x.46 attributes vpn-filter value Outside_1_cryptomap vpn-tunnel-protocol ikev1 ikev2 group-policy GroupPolicy_x.x.x.254 internal group-policy GroupPolicy_x.x.x.254 attributes vpn-filter value Outside_cryptomap_1 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec group-policy GroupPolicy_x.x.x.201 internal group-policy GroupPolicy_x.x.x.201 attributes vpn-filter value Outside_cryptomap_2 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_x.x.216.130 internal group-policy GroupPolicy_x.x.216.130 attributes vpn-tunnel-protocol ikev1 group-policy VPN-GROUP2 internal group-policy VPN-GROUP2 attributes dns-server value 192.168.180.231 192.168.180.232 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us group-policy VPN-GROUP internal group-policy VPN-GROUP attributes dns-server value 192.168.180.231 192.168.180.232 vpn-filter value splitTunnelAcl vpn-tunnel-protocol ikev1 l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us username mark password YTp0IwzeNwb5kS8J encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes default-group-policy VPN-GROUP tunnel-group x.x.x.46 type ipsec-l2l tunnel-group x.x.x.46 general-attributes default-group-policy GroupPolicy_x.x.x.46 tunnel-group x.x.x.46 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group x.x.x.201 type ipsec-l2l tunnel-group x.x.x.201 general-attributes default-group-policy GroupPolicy_x.x.x.201 tunnel-group x.x.x.201 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group VPN-GROUP type remote-access tunnel-group VPN-GROUP general-attributes address-pool Client_Pool authentication-server-group DC's default-group-policy VPN-GROUP tunnel-group VPN-GROUP ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.254 type ipsec-l2l tunnel-group x.x.x.254 general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group x.x.x.254 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group VPN-GROUP2 type remote-access tunnel-group VPN-GROUP2 general-attributes address-pool RA_POOL authentication-server-group DC's default-group-policy VPN-GROUP2 tunnel-group VPN-GROUP2 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_x.x.x.130 tunnel-group x.x.x.130 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group PMG type ipsec-l2l tunnel-group PMG general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group PMG ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic class-map http_https description http_https match access-list Outside_access_in ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options class global-class   user-statistics accounting policy-map http_https class http_https   set connection timeout idle 1:15:00 reset   user-statistics accounting ! service-policy global_policy global service-policy http_https interface Outside smtp-server 192.168.180.235 prompt hostname context no call-home reporting anonymous Cryptochecksum:fcb4c2d9a982c11054c31ee4db778012 : end

5505 remote site

ASA Version 8.2(5) ! hostname AT-Remote domain-name fphc.us enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 172.35.0.0 AHCCN name 172.25.11.0 AHCCN-1 name 192.168.180.0 FPHC ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport trunk allowed vlan 1,30 switchport trunk native vlan 1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.197.250 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address x.x.x.201 255.255.255.252 ! ! boot system disk0:/asa825-k8.bin ftp mode passive dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 68.87.68.162 name-server 68.87.74.162 domain-name fphc.us dns server-group DNS_Internal name-server 192.168.180.231 name-server 192.168.180.232 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network obj_any object-group network 172.25.11.0 object-group network 172.35.0.0 object-group network 192.168.180.0 object-group network ASA-FW object-group network Comcast_Outside object-group network AT_Local object-group network NETWORK_OBJ_192.168.197.0_24 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply object-group service DM_INLINE_SERVICE_3 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp object-group network obj_remote object-group network Franklin_Remote network-object AHCCN-1 255.255.255.0 network-object AHCCN 255.255.254.0 network-object FPHC 255.255.254.0 access-list outside_access_in extended permit ip object-group Franklin_Remote 192.168.197.0 255.255.255.0 access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log debugging access-list inside_access_in extended permit ip any any log access-list inside_access_in extended permit icmp any any echo log access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat_outbound extended permit ip any interface outside pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside asdm image disk0:/asdm-645.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 101 access-list inside_nat_outbound access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.202 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 0.0.0.0 0.0.0.0 inside http 192.168.197.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection preserve-vpn-flows sysopt noproxyarp inside sysopt noproxyarp dmz crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 43200 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 216.86.7.130 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto ca trustpoint _SmartCallHome_ServerCA crl configure crypto ca certificate chain _SmartCallHome_ServerCA certificate ca 6ecc7aa5a7032009b8cebcf4e952d491     308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130     0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117     30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b     13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504     0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72     20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56     65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043     65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31     30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b     30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20     496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65     74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420     68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329     3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365     63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7     0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597     a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10     9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc     7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b     15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845     63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8     18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced     4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f     81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201     db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868     7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101     ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8     45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777     2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a     1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406     03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973     69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403     02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969     6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b     c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973     69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30     1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603     551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355     1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609     2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80     4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e     b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a     6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc     481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16     b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0     5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8     6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28     6c2527b9 deb78458 c61f381e a4c4cb66   quit crypto isakmp enable outside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 inside telnet x.x.x.130 255.255.255.255 outside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.197.25-192.168.197.100 inside dhcpd dns 192.168.180.232 68.87.74.162 interface inside dhcpd domain fphc.us interface inside dhcpd enable inside ! dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics host threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes vpn-filter value outside_1_cryptomap group-policy GroupPolicy_216.86.7.130 internal group-policy GroupPolicy_216.86.7.130 attributes vpn-filter value inside_nat0_outbound vpn-tunnel-protocol IPSec l2tp-ipsec tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_216.86.7.130 tunnel-group x.x.x.130 ipsec-attributes pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options   inspect dns ! service-policy global_policy global prompt hostname context : end

Hello

The reason for the DECLINE suggests that the ASA has still attached to the L2L VPN VPN filter configuration that prevents traffic.

Check the configuration and remove atleast VPN filter temporarily for testing purposes.

-Jouni

ASA 5510 - level security Interface

Similar Questions

Maybe you are looking for