ASA 5520 to 5510 VPN is not the creation of the IPSEC Security Association
I have an L2L built between a 5520 and 5510 ipsec tunnel. I'm sure I configured everything that I need to but when I do a show ipsec cry his it is nothing. I do not know the inbetween firewall are open to allow connections as well. also whenever I set up a part of the cryptomap as a command: crypto outside_map 10 card game peers 6.7.0.13 he would come back with this error
[IKEv1]: ignoring msg SA brand with the specified coordinates
any ideas? Hello Could you please paste the output of the command "show following run crypto" since both the ASAs. Also, what do you see when you give "cry isa to show her. Also if your ACL crypto for the tunnel have something like this "access-list extended ACL permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp. Change the ACL for ip that is "access-list extended ACL permit ip 192.168.11.11 host 10.1.100.105" Let me know if that helps Thank you Delvallée Tags: Cisco Security change the lives of the IPSEC Security Association Hello If I use the order of the life of-association of IPSEC crypto security, that does not hold for all customers? I'm trying to change it only for an IPSEC security association and I don't want to interrupt any existing VPN client. is it possible to put it for a client? Thank you! Lisa G You can change it in a configuration card crypto for each individual connection. Since you don't specify what your vpn device ends on however, I can't give you a specific example. the command you gave is global, for which there is already a default lifetime. 'local' lifespans for individual crypto cards override this value. also, if two peers differ in their lives during the negotiation, they are "supposed to" choose the smallest value, but still not connect. Question about the life of the IPSec Security Association Hi all I'm confused about life. A book, they said that you should service life of the peer to keep two exact same, otherwise you can not establish the tunnel. But I saw another book says you can use different to life (time interval or byte count), two peers will choose the lower one. Please help me. Thanks in advance. Banlan There are two lives involved with IPSec, Phase 1 (ISAKMP) and Phase 2 (IPSec) connections. With the Phase 1 tunnel, if the initiator has a longer life than that the answering machine, the answering machine does not accept the connection, then it is certainly preferable to keep your the same Phase 1 lives. Phase 2, life will be negotiated at the lower of the two values regardless of intiates, if it is not serious. Always advised to keep living the same since you can run questions of negotiation with devices from different vendors. RemoteAccess VPN does not, the client VPNC connects but no connectivity Hi all I configured cisco ASA 5520 VPN remote access, Cisco vpn client connects very well and both phases are upcoming but aren't encapsulating packets phase ipsec. and ima could not reach remote subnets 192.168.10.0 and 192.168.180.0 kindly help me to solve the problem... Here's the relevant config Thank you config==================================================================== access-list 1 permit line splitTunnel_raacl extended ip 192.168.10.0 255.255.255.0 any allowed to Access-list ra_acl line 1 extended ip all 192.168.10.0 255.255.255.0 AAA-server non-retail-VPN protocol Ganymede +. mask IP local pool ra 172.23.20.2 - 172.23.20.125 255.255.255.128 internal RAVPN group policy type tunnel-group RAVPN remote access Crypto ipsec transform-set esp-3des esp-sha-hmac ravpn-series Crypto dynamic-map 23 RAVPN set transform-set ravpn-set card crypto ENOCMAP 4-isakmp dynamic ipsec RAVPN Output # sh crypto ipsec peer of his 94.58.71.99 local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0) #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0 EDIT: Sorry, just see that I read your config wrong. The vpn-filter is OK, but with split tunnel always not necessary. Your vpn-filter-ACL is false (mixex source and destination). Please, remove the vpn filter from your group policy and test again if this works. Looks like you want your customers only to reach the two given networks. For this you need the vpn filter anyway, because they are the only networks that are reached in the split-tunnel-config. Sent by Cisco Support technique iPad App ASA 5520's active / standby, do not sync AnyConnect Profles I'm working on two ASA 5520 configuration in a configuration active / standby. I have almost all the same between the two units for AnyConnect work waiting for both of the following: AnyConnect Client profiles AnyConnect Client software If I download the software manually to the standby unit I get warning against them are not synchronized, and on the active unit if I do a 'writing' standby does not copy the profile or the software. Anyone has any ideas on this? Thank you Dan Hello When you configure the ASA in a failover pair, you must manually copy the AnyConnect and CSD images for the primary and the secondary ASA. You must also do the same for the Anyconnect profile file if you use it. Either force the ASA shall become active and copy the files to the new ASA assets using ASDM or copy files directly from the console ASA ensures using tftp or ftp. Kind regards Note the useful messages Julio Printer HP Officejet J4680 series agreeing is not the network security key Although I am sure that the password is correct and he entered manually on the Panel of the printer without problem, I can't get the installer to accept the security network key. I installed a critical update (slp_dd_hathi_11) nothing works. My two HP laptop (a running VIsta and other Windows XP) to connect to the printer without problem. I have a laptop Dell Latitude running on Windows XP. I don't know what else to do... You have a firewall running? Turn them off and try again. Check the Windows Firewall and the firewall of your security software. Life of the ISAKMP Security Association Hello Like to know the process of ITS expiration date and renew, it will cause the VPN Goes? and how long preshared key can support? Thank you in advance! Before the expiry of SA, a new SA will be negotiated and implemented, therefore, as soon as the old SA has expired, there are already HIS new, which will be done automatically. So to answer your question, to generate a new key SA, the VPN tunnel won't go down. The life expectancy of SA for the phase 2 can be configured for a maximum of 214783647 seconds (default is 28800 seconds). Hope that answers your question. On ASA 5510 VPN works do not but the work stations We have an ASA 8.2 (3) running and have two VPN site to site running on it. The second VPN we just establish the other day, and of the SAA itself, it seems to work. We are able to ping remote hosts from the ASA without problem. However, on this second VPN all hosts on our local network cannot reach the remote party... Trying to understand what could happen. Applicable config below (please forgive the mistakes and formatting): interface Ethernet0/0 nameif outside security-level 0 address IP WAN. IP. ADDR 255.255.255.224 ! interface Ethernet0/1 nameif inside security-level 100 IP 192.168.21.1 255.255.255.0 ! interface Ethernet0/2 Shutdown nameif intf2 security-level 0 no ip address ! interface Ethernet0/3 Shutdown No nameif no level of security no ip address ! interface Management0/0 Shutdown nameif management security-level 100 no ip address management only ! access extensive list ip 192.168.21.0 outside_cryptomap allow 255.255.255.0 10.50.50.0 255.255.255.0 Access-group acl_out in interface outside Crypto ipsec transform-set esp-3des esp-sha-hmac ATLAS-TS life crypto ipsec security association seconds 28800 card crypto mymap 2 match address outside_cryptomap card crypto mymap 2 together peer PEER. WAN. IP. DEA card crypto mymap 2 game of transformation-ATLAS-TS map mymap 65535-isakmp ipsec crypto dynamic dynmap mymap outside crypto map interface crypto isakmp identity address crypto ISAKMP allow outside crypto ISAKMP policy 5 preshared authentication 3des encryption sha hash Group 2 ISAKMP crypto 10 nat-traversal tunnel-group of PEERS. WAN. IP. ADDR type ipsec-l2l tunnel-group of PEERS. WAN. IP. ADDR ipsec-attributes pre-shared key *. Hello Seems to me that his dynamic State PAT shot meant for Internet traffic Phase: 6 Type: NAT Subtype: Result: ALLOW Config: NAT (inside) 1 0.0.0.0 0.0.0.0 is the intellectual property inside everything outside of any dynamic translation of hen 1 (WAN. IP. ADDR.162 [Interface PAT]) translate_hits = 6186208, untranslate_hits = 145616 Additional information: Translation dynamic 192.168.21.100/0 to WAN. IP. ADDR.162/12936 using subnet mask 255.255.255.255 So you might miss the NAT0 configuration for this connection Do the following Issue the command "Display running nat" and you should see a NAT0 configuration for the 'inside' interface. Something like that NAT (inside) - 0 access list Next, you will need to check the ACL configuration See the list of access running You can add local and remote network that need to communicate through that VPN L2L connection to this ACL So for examples sake lets assume that your ASAs directly related "inside" subnet needs to access the remote network, and then you would add ip 192.168.21.0 access list allow 255.255.255.0 10.50.50.0 255.255.255.0 So use the above configuration format with good source and network of destination, as well as the correct name of the ACL and add the required ACL lines and then try to host LAN connections. Hope this helps Remember to mark a reply as the answer if it answered your question. Feel free to ask more if necessary -Jouni % 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510 Hi friends, I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove. Error in CISCO VPN Client software: Secure VPN connection terminated locally by the client. Reason: 414: unable to establish a TCP connection. Error in CISCO ASA 5510 7-ASA-710005%: TCP request and eliminated from
The ASA configuration: XYZ # sh run
XYZ #. Good news Follow these steps: network object obj - 172.30.10.0_24 172.30.10.0 subnet 255.255.255.0 ! the LOCAL_NETWORKS_VPN object-group network object-network 1.1.1.0 255.255.255.0 ! NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search * Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel. Keep me posted. Thank you. Please note all messages that will be useful. Tunnel VPN ASA 5520 (DMZ + INSIDE) destined for OUTSIDE I can't find any reference to anywhere else. We have an ASA 5520 to our site HQ (inside the network) with several regional subnets on the DMZ interface. We need connectivity VPN Site to Site between the INSIDE and a remote control on the OUTSIDE of the site, as well as between the DMZ subnets and even outside the site. The interface from the OUTSIDE of the SAA must be local VPN endpoint for all tunnels. I created a S2S VPN between the INSIDE and the OUTSIDE site and it works great. When I create a VPN S2S tunnel between a site of DMZ and even outside the site (using the same settings the and remote, but with a cryptomap different because the local subnet (DMZ) is different from the other inside the subnet, the traffic gets the mapping (show crypto isakmp his) to the same cryptomap that was created for the access to the tunnel from the OUTSIDE) , instead of to the new cryptomap, so remote endpoint deletes it, and traffic also causes SPI incorrect of for the remote endpoint, which makes the original INTERIOR outside OF THE VPN tunnel to fall from time to time. Is this a bug? I also did a local S2S VPN tunnel configuration test of networks as everything INSIDE and the DMZ. With the help of the wizard VPN S2S leads ASA only to create a NAT rule exempted for the subnet on the INSIDE interface. Can I manually create another tax-exempt NAT rule to the side of the DMZ and use this a S2S tunnel to connect sites inside and DMZ to the remote OFF-SITE in a connection profile? I'm building a Rube Goldberg? Thank you George Hi George,. It seems you have a situation overlapping it, are you sure that subnets inside did not overlap with the networks from the DMZ? A package tracer could clarify wha that the ASA is actually sending. In addition, you can merge the two interfaces on the same card encryption if you wish, just make sure that the NAT is configured correctly. For example; Source NAT (all, outside) static... It may be useful -Randy- VPN site to site & outdoor on ASA 5520 VPN client Hi, I'm jonathan rivero. I have an ASA 5520 Version 8.0 (2), I configured the site-to-site VPN and works very well, in the other device, I configured the VPN Client for remote users and works very well, but I try to cofigure 2 VPNs on ASA 5520 on the same outside interface and I have the line "outside_map interface card crypto outdoors (for VPN client). , but when I set up the "crypto map VPNL2L outside interface, it replaces the command', and so I can have only a single connection. the executed show. ASA1 (config) # sh run : Saved : ASA Version 8.0 (2) ! hostname ASA1 activate 7esAUjZmKQSFDCZX encrypted password names of ! interface Ethernet0/0 nameif inside security-level 100 address 172.16.3.2 IP 255.255.255.0 ! interface Ethernet0/1 nameif outside security-level 0 IP 200.20.20.1 255.255.255.0 ! interface Ethernet0/1.1 VLAN 1 nameif outside1 security-level 0 no ip address ! interface Ethernet0/2 Shutdown No nameif no level of security no ip address ! interface Ethernet0/3 Shutdown No nameif no level of security no ip address ! interface Ethernet0/4 Shutdown No nameif no level of security no ip address ! interface Ethernet0/5 Shutdown No nameif no level of security no ip address ! 2KFQnbNIdI.2KYOU encrypted passwd passive FTP mode object-group, net-LAN object-network 172.16.0.0 255.255.255.0 object-network 172.16.1.0 255.255.255.0 object-network 172.16.2.0 255.255.255.0 object-network 172.16.3.0 255.255.255.0 object-group, NET / remote object-network 172.16.100.0 255.255.255.0 object-network 172.16.101.0 255.255.255.0 object-network 172.16.102.0 255.255.255.0 object-network 172.16.103.0 255.255.255.0 object-group network net-poolvpn object-network 192.168.11.0 255.255.255.0 access list outside nat extended permit ip net local group object all access-list extended sheep allowed ip local object-group net object-group net / remote access-list extended sheep allowed ip local object-group net net poolvpn object-group access-list splittun-vpngroup1 extended permitted ip local object-group net net poolvpn object-group pager lines 24 Within 1500 MTU Outside 1500 MTU outside1 MTU 1500 IP local pool ippool 192.168.11.1 - 192.168.11.100 mask 255.255.255.0 no failover ICMP unreachable rate-limit 100 burst-size 10 don't allow no asdm history ARP timeout 14400 Global 1 interface (outside) NAT (inside) 0 access-list sheep NAT (inside) 1 access list outside nat Route outside 0.0.0.0 0.0.0.0 200.20.20.1 1 Route inside 172.16.0.0 255.255.255.0 172.16.3.2 1 Route inside 172.16.1.0 255.255.255.0 172.16.3.2 1 Route inside 172.16.2.0 255.255.255.0 172.16.3.2 1 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout, uauth 0:05:00 absolute dynamic-access-policy-registration DfltAccessPolicy the ssh LOCAL console AAA authentication No snmp server location No snmp Server contact Server enable SNMP traps snmp authentication linkup, linkdown cold start Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac 86400 seconds, duration of life crypto ipsec security association Crypto ipsec kilobytes of life security-association 400000 Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA card crypto VPNL2L 1 match for sheep card crypto VPNL2L 1 set peer 200.30.30.1 VPNL2L 1 transform-set ESP-3DES-MD5 crypto card game map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map outside_map interface card crypto outside crypto isakmp identity address
crypto ISAKMP allow outside crypto ISAKMP policy 20 preshared authentication 3des encryption md5 hash Group 2 life 86400 crypto ISAKMP policy 30 preshared authentication aes-256 encryption sha hash Group 2 life 86400 crypto ISAKMP policy 65535 preshared authentication 3des encryption sha hash Group 2 life 86400 Telnet timeout 5 SSH timeout 5 Console timeout 0
a basic threat threat detection Statistics-list of access threat detection ! ! internal vpngroup1 group policy attributes of the strategy of group vpngroup1 banner value +++ welcome to Cisco Systems 7.0. +++ value of 192.168.0.1 DNS server 192.168.1.1 Split-tunnel-policy tunnelspecified Split-tunnel-network-list value splittun-vpngroup1 value by default-ad domain - domain.local Split-dns value ad - domain.local the address value ippool pools username password asa1 VRTlLlJ48/PoDKjS encrypted privilege 15 tunnel-group 200.30.30.1 type ipsec-l2l IPSec-attributes tunnel-group 200.30.30.1 pre-shared-key *. type tunnel-group vpngroup1 remote access tunnel-group vpngroup1 General-attributes ippool address pool Group Policy - by default-vpngroup1 vpngroup1 group of tunnel ipsec-attributes pre-shared-key *. context of prompt hostname Cryptochecksum:00000000000000000000000000000000 : end ASA2 (config) #sh run Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac tunnel-group 200.30.30.1 type ipsec-l2l my topology: I try with the following links, but did not work http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080912cfd.shtml http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml Best regards... "" I thing both the force of the SAA with the new road outside, why is that? ". without the road ASA pushes traffic inward, by default. In any case, this must have been a learning experience. Hopefully, this has been no help. Please rate, all the helful post. Thank you Rizwan Muhammed. How many group Supportepar ASA 5520 vpn for remote access Hello Howmany vpn group is supported on asa 5520 with configuraion vpn remote access. Concerning 1 if nat-control is disabled and you do not have any other order NAT in your config file, you do not have it. Try to remove the existing "NAT 0" command and "clear xlate." 2. you must ensure that your network inside know they can go by ASA to access remote vpn client IP. You have any device layer 3 behind the ASA that does the routing. If so, please verify that this is the routing table. What VPN work as a PPTP vpn firewall CISCO-ASA-5520. Hi all Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520. You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed. Michael Please note all useful posts VPN established but the customer can not access the internet... Need help. Hi all I'm trying to get a functional ASA 5505 appliance but does not always succeed. I managed to get connected to the ASA VPN client, but once connected, vpn client cannot access the internet. I am trying to route traffic from the client to the VPN server so I don't want to split tunneling. Here is the sketch of the testbed of the network: DNS:210.193.2.66 The ASA 5505 config is as shown below: Output from the command: 'show running-config '. : Saved
a basic threat threat detection a few thoughts permit same-security-traffic intra-interface NAT (outside) 1 your pool of vpn client ASA sysopt connection permit VPN ASA sysopt connection permit-ipsec Cisco ASA 5510 VPN with PIX 515 Hello I have VPN between Cisco ASA and Cisco PIX. I saw in my syslog server this error that appears once a day, more or less: Received a package encrypted with any HIS correspondent, drop I ve seen issue in another post, but in none of then the solution. Here are my files from the firewall configuration: Output from the command: 'show running-config '. : Saved ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 8.0 (4) version PIX If you need more information dedailed ask me questions. Thanks in advance for your help. Javi Hi Javi, Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages. http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426 Thank you and best regards, Assia HOW TO FIND THE BALANCE ON MY CARD? How will I know how much is left on my iTune cards? Classic MAC mouse clicks as unintentionally right click Hello world After that a new piece of software has been installed on my MAC (Microsoft Remote Desktop), my normal left click on act as a right click. With a small violin I can get to answer as usual, but it is very frustrating. The company requires m Where do I find the I Cloud Drive (app) on my iPhone. I have an I have Cloud account but am new to its use. I have the current OS on my I phone and I would like the I use Cloud drive. Don't know where to find the app for it? tfleig Pavilion dv7t-3300: weird behavior after adding the SSD and RAM upgrade Has just added a new HD SSD to my note as "disk 1"(the former one is 'disk 0', he has a Win. " 8.1 works). Installed Win. 10 in the new drive and everything has worked well so far. I tried to upgrade the memory, so I bought two Crucial DDR3 1333 with How to make a bar of menus at the top of the page? I've upgraded to the latest version of Firefox this morning. I have no top menu bar. I did the alt version and then to download the extension as a pages said. There is no new extensions. This has happened Each time Firefox opened is 01/08/10Similar Questions
Mikael
allowed to access list acl sheep line 20 extended ip 192.168.10.0 255.255.255.0 172.23.20.0 255.255.255.128
allowed to access list acl sheep line 20 extended ip 192.168.180.0 255.255.255.240 172.23.20.0 255.255.255.128
allowed to Access-list splitTunnel_raacl line 2 extended ip 192.168.180.0 255.255.255.240 all
allowed to Access-list ra_acl line 2 extended ip all 192.168.180.0 255.255.255.240
AAA-server non-retail-VPN (inside) host 192.168.200.14
3n0cr1ght5 key
Non-retail-VPN (inside) host 192.168.10.9 AAA-server
3n0cr1ght5 key
RAVPN group policy attributes
VPN-idle-timeout 30
VPN-filter value ra_acl
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list splitTunnel_raacl
attributes global-tunnel-group RAVPN
address-ra-pool
Group Policy - by default-RAVPN
IPSec-attributes tunnel-group RAVPN
pre-shared key xxxx
========================================================================
2 IKE peers: 94.58.71.99
Type: user role: answering machine
Generate a new key: no State: AM_ACTIVE
address of the peers: 94.58.71.99
Tag crypto map: RAVPN, seq num: 23, local addr: x.x.x.x
Remote ident (addr, mask, prot, port): (172.23.20.2/255.255.255.255/0/0)
current_peer: 94.58.71.99, username: shanilra
dynamic allocated peer ip: 172.23.20.2
#pkts decaps: 117, #pkts decrypt: 117, #pkts check: 117
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0Bug CSCsr31403
: Saved
:
ASA Version 8.4 (4)
!
hostname XYZ
domain XYZ
activate the password encrypted 3uLkVc9JwRA1/OXb N3
activate the encrypted password of R/x90UjisGVJVlh2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside_rim
security-level 0
IP 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
full duplex
nameif XYZ_DMZ
security-level 50
IP 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
Speed 100
full duplex
nameif outside
security-level 0
IP address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
Speed 100
full duplex
nameif inside
security-level 100
IP 3.3.3.3 255.255.255.224
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
domain XYZ
network object obj - 172.17.10.3
Home 172.17.10.3
network object obj - 10.1.134.0
10.1.134.0 subnet 255.255.255.0
network object obj - 208.75.237.0
208.75.237.0 subnet 255.255.255.0
network object obj - 10.7.0.0
10.7.0.0 subnet 255.255.0.0
network object obj - 172.17.2.0
172.17.2.0 subnet 255.255.255.0
network object obj - 172.17.3.0
172.17.3.0 subnet 255.255.255.0
network object obj - 172.19.2.0
172.19.2.0 subnet 255.255.255.0
network object obj - 172.19.3.0
172.19.3.0 subnet 255.255.255.0
network object obj - 172.19.7.0
172.19.7.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.2.0.0
10.2.0.0 subnet 255.255.0.0
network object obj - 10.3.0.0
10.3.0.0 subnet 255.255.0.0
network object obj - 10.4.0.0
10.4.0.0 subnet 255.255.0.0
network object obj - 10.6.0.0
10.6.0.0 subnet 255.255.0.0
network object obj - 10.9.0.0
10.9.0.0 subnet 255.255.0.0
network object obj - 10.11.0.0
10.11.0.0 subnet 255.255.0.0
network object obj - 10.12.0.0
10.12.0.0 subnet 255.255.0.0
network object obj - 172.19.1.0
172.19.1.0 subnet 255.255.255.0
network object obj - 172.21.2.0
172.21.2.0 subnet 255.255.255.0
network object obj - 172.16.2.0
172.16.2.0 subnet 255.255.255.0
network object obj - 10.19.130.201
Home 10.19.130.201
network object obj - 172.30.2.0
172.30.2.0 subnet 255.255.255.0
network object obj - 172.30.3.0
172.30.3.0 subnet 255.255.255.0
network object obj - 172.30.7.0
172.30.7.0 subnet 255.255.255.0
network object obj - 10.10.1.0
10.10.1.0 subnet 255.255.255.0
network object obj - 10.19.130.0
10.19.130.0 subnet 255.255.255.0
network of object obj-XXXXXXXX
host XXXXXXXX
network object obj - 145.248.194.0
145.248.194.0 subnet 255.255.255.0
network object obj - 10.1.134.100
Home 10.1.134.100
network object obj - 10.9.124.100
Home 10.9.124.100
network object obj - 10.1.134.101
Home 10.1.134.101
network object obj - 10.9.124.101
Home 10.9.124.101
network object obj - 10.1.134.102
Home 10.1.134.102
network object obj - 10.9.124.102
Home 10.9.124.102
network object obj - 115.111.99.133
Home 115.111.99.133
network object obj - 10.8.108.0
10.8.108.0 subnet 255.255.255.0
network object obj - 115.111.99.129
Home 115.111.99.129
network object obj - 195.254.159.133
Home 195.254.159.133
network object obj - 195.254.158.136
Home 195.254.158.136
network object obj - 209.164.192.0
subnet 209.164.192.0 255.255.224.0
network object obj - 209.164.208.19
Home 209.164.208.19
network object obj - 209.164.192.126
Home 209.164.192.126
network object obj - 10.8.100.128
subnet 10.8.100.128 255.255.255.128
network object obj - 115.111.99.130
Home 115.111.99.130
network object obj - 10.10.0.0
subnet 10.10.0.0 255.255.0.0
network object obj - 115.111.99.132
Home 115.111.99.132
network object obj - 10.10.1.45
Home 10.10.1.45
network object obj - 10.99.132.0
10.99.132.0 subnet 255.255.255.0
the Serversubnet object-group network
object-network 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
the XYZ_destinations object-group network
object-network 10.1.0.0 255.255.0.0
object-network 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
object-network 10.12.0.0 255.255.0.0
object-network 172.19.1.0 255.255.255.0
object-network 172.19.2.0 255.255.255.0
object-network 172.19.3.0 255.255.255.0
object-network 172.19.7.0 255.255.255.0
object-network 172.17.2.0 255.255.255.0
object-network 172.17.3.0 255.255.255.0
object-network 172.16.2.0 255.255.255.0
object-network 172.16.3.0 255.255.255.0
host of the object-Network 10.50.2.206
the XYZ_us_admin object-group network
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
the XYZ_blr_networkdevices object-group network
object-network 10.200.10.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 XXXXXXXX
access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
access list acl-outside scope permit ip any host 172.17.10.3
access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
access list acl-outside extended permit tcp any any eq 10000
access list acl-outside extended deny ip any any newspaper
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
!
network object obj - 172.17.10.3
NAT (XYZ_DMZ, outside) static 115.111.99.134
Access-group acl-outside in external interface
Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
86400 seconds, duration of life crypto ipsec security association
Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
Crypto-map dynamic dyn1 1jeu reverse-road
card crypto vpn 1 corresponds to the address XYZ
card 1 set of peer XYZ Peer IP vpn crypto
1 set transform-set vpn1 ikev1 vpn crypto card
card crypto vpn 1 lifetime of security set association, 3600 seconds
card crypto vpn 1 set security-association life kilobytes 4608000
correspondence vpn crypto card address 2 DON'T
2 peer NE_Peer IP vpn crypto card game
2 set transform-set vpn2 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 2 set security-association
card crypto vpn 2 set security-association life kilobytes 4608000
card crypto vpn 4 corresponds to the address ML_VPN
card crypto vpn 4 set pfs
vpn crypto card game 4 peers ML_Peer IP
4 set transform-set vpn4 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 4 set - the security association
card crypto vpn 4 set security-association life kilobytes 4608000
vpn crypto card 5 corresponds to the address XYZ_global
vpn crypto card game 5 peers XYZ_globa_Peer IP
5 set transform-set vpn5 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 5 set - the security association
card 5 security-association life set vpn crypto kilobytes 4608000
vpn crypto card 6 corresponds to the address Da_VPN
vpn crypto card game 6 peers Da_VPN_Peer IP
6 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 6 set - the security association
card crypto vpn 6 set security-association life kilobytes 4608000
vpn crypto card 7 corresponds to the address Da_Pd_VPN
7 peer Da_Pd_VPN_Peer IP vpn crypto card game
7 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 7 set - the security association
card crypto vpn 7 set security-association life kilobytes 4608000
vpn outside crypto map interface
crypto map vpn_reliance 1 corresponds to the address XYZ_rim
card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
card crypto vpn_reliance 1 set security-association life kilobytes 4608000
card crypto vpn_reliance interface outside_rim
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
crypto isakmp identity address
No encryption isakmp nat-traversal
Crypto ikev1 enable outside_rim
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 4
preshared authentication
aes-256 encryption
sha hash
Group 5
life 28000
IKEv1 crypto policy 5
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 10.8.100.0 255.255.255.224 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
internal XYZ_c2s_vpn group strategy
username testadmin encrypted password oFJjANE3QKoA206w
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
type tunnel-group XYZ_c2s_vpn remote access
attributes global-tunnel-group XYZ_c2s_vpn
address pool XYZ_c2s_vpn_pool
IPSec-attributes tunnel-group XYZ_c2s_vpn
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
Review the ip options
!
global service-policy global_policy
level 3 privilege see the running-config command exec mode
logging of orders privilege see the level 3 exec mode
privilege see the level 3 exec mode command crypto
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
86400 seconds, duration of life crypto ipsec security association
Crypto ipsec kilobytes of life security-association 400000
card crypto VPNL2L 1 match for sheep
card crypto VPNL2L 1 set peer 200.30.30.1
VPNL2L 1 transform-set ESP-3DES-MD5 crypto card game
VPNL2L interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 20
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
IPSec-attributes tunnel-group 200.30.30.1
pre-shared key cisco
|
|
Inside --------- Outside --------- -------------------
192.168.1.1 | | 202 *. *. 84 202.*. *. 1. | [ ]
---------------------- ASA |------------------------------------- GW |----------[ INTERNET ]
| | 5505. | | | [ ]
| | --------| | --------- -------------------
Host_A | 202.*. *. 83
192.168.1.5 -------------
| NetGear |
| Router |
--------------
| 192.168.2.1.
|
|
HOST_B |
Physical addr:192.168.2.2
Addr:192.168.3.1 VPN
:
ASA Version 8.2 (1)
!
ciscoasa hostname
activate 0cMYKRmmOdVhcSr4 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 202.*. *. 84 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
inside_nat0_outbound list of allowed ip extended access any 192.168.3.0 255.255.255.224
pager lines 24
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP local pool vpnpool 192.168.3.1 - 192.168.3.20 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 202.128.171.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.128 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
enable client-implementation to date
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.20 inside
dhcpd dns 210.193.2.66 210.193.2.34 interface inside
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
Group Policy Reveal internal
Group Policy attributes Reveal
Protocol-tunnel-VPN IPSec
username password alice tnbrh7ICan8mnq/Y encrypted privilege 0
alice username attributes
Strategy Group-VPN-Reveal
tunnel-group Reveal type remote access
tunnel-group reveal General attributes
address vpnpool pool
Group Policy - by default-Reveal
tunnel-group show ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:bfb0083a8eb2416e9cc27befe3b224d9
: end
:
ASA Version 8.2 (1)
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
card crypto WAN_map2 2 set pfs
card crypto WAN_map2 2 peer 62.80.XX game. XX
map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
card crypto WAN_map2 2 defined security-association 2700 seconds life
card crypto WAN_map2 2 set nat-t-disable
card crypto WAN_map2 WAN interface
enable LAN crypto ISAKMP
ISAKMP crypto enable WAN
crypto ISAKMP policy 1
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
tunnel-group 62.80.XX. XX type ipsec-l2l
tunnel-group 62.80.XX. IPSec-attributes of XX
pre-shared-key *.
!
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
card encryption VPN_map2 3 set pfs
card crypto VPN_map2 3 peer 194.30.XX game. XX
VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
card encryption VPN_map2 3 defined security-association life seconds 2700
card encryption VPN_map2 3 set security-association kilobytes of life 4608000
card VPN_map2 3 set nat-t-disable encryption
VPN crypto map VPN_map2 interface
crypto ISAKMP enable VPN
crypto ISAKMP allow inside
crypto ISAKMP policy 30
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
ISAKMP crypto am - disable
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec
tunnel-group 194.30.XX. XX type ipsec-l2l
tunnel-group 194.30.XX. IPSec-attributes of XX
pre-shared-key *.Maybe you are looking for