Cisco 1841 how vpn tunnels? default 100vpn?

Hi everyone, I have read the previous posts and I read that the cisco 1841 can manage up to 100 default VPN tunnels.

1. is this true?  (I enclose my worm of show)

2. this version of IOS support SSL VPN tunnels as well?

SH ver
Cisco IOS Software, 1841 (C1841-ADVSECURITYK9-M), Version 12.4 (3i), VERSION of the SOFTWARE (fc2)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Updated Thursday 28 November 07 18:48 by stshen

ROM: System Bootstrap, Version 12.4 (13r) T, RELEASE SOFTWARE (fc1)

Uptime SPAREROUTER is 7 minutes
System to regain the power ROM
System image file is "flash: c1841-advsecurityk9 - mz.124 - 3i.bin".

... Output omitted

Cisco 1841 (revision 7.0) with 234496 K/K 27648 bytes of memory.
Card processor ID FTX1151Y0BQ
2 FastEthernet interfaces
1 module of virtual private network (VPN)
Configuration of DRAM is 64 bits wide with disabled parity.
191K bytes of NVRAM memory.
62720K bytes of ATA CompactFlash (read/write)

Configuration register is 0 x 2102

SPAREROUTER #.

Thank you

Randall

Hello

I guess that means that the total number of vpn ipsec tunnels taken in charge by the router of SSL VPN AIM is 800.

If you want only a SSL VPN without the AIM module can it be based on the license.

Kind regards

Anisha

P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

Tags: Cisco Security

Similar Questions

  • How to Setup Cisco 1841 as a site to site VPN VPN server, with watch guard

    I would like to implement a cisco 1841 as a VPN server to establish s IP VPN (site to another) of a watch guard firewall,.

    I have looked through some examples of cisco config, but can't seem to get a lot.

    Can you please send me sample config steps I need o perform on the cisco router? and what credentials must be awarded to watch keeps establishing a permanent VPN?

    emergency assistance will be greatly appreciated.

    The cisco router is configured as a lan to lan normal IPSEC tunnel, there is no difference when configuration to create a tunnel to a watchguard/sonicwall or all that peer will use, you can use this link as a guide:

    http://www.Cisco.com/en/us/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

    If you have problems make me know.

  • Cisco 1921 - how to configure VPN multiple Tunnels to AWS

    I have a router VPN Cisco 1921. I managed to create tunnel VPN Site to Site with AWS VPN Tunnel 1. AWS offers 2 tunnels, so I created another card Crypto and attaches to the existing policy. But the 2nd tunnel won't come. I don't know what I'm missing... is there a special setup that needs to be done to allow multiple IPsec vpn tunnels on the same physical interface? I have attached a picture and included the configuration of my router, if it helps.

    C1921 #sh run
    Building configuration...

    Current configuration: 2720 bytes
    !
    ! Last configuration change at 02:12:54 UTC Friday, may 6, 2016, by admin
    !
    version 15.5
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname C1921
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 52000
    enable secret 5 $1$ jc6L$ uHH55qNhplouO/N5793oW.
    !
    No aaa new-model
    Ethernet lmi this
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    Research of IP source-interface GigabitEthernet0/1 domain
    IP cef
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    !
    !
    license udi pid CISCO1921/K9 sn FTX1845F03F
    !
    !
    username admin privilege 15 password 7 121A0C041104
    paul privilege 0 7 password username 14141B180F0B
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 2
    lifetime 28800
    ISAKMP crypto keys secret1 address 52.35.42.787
    ISAKMP crypto keys secret2 address 52.36.15.787
    !
    !
    Crypto ipsec transform-set AWS - VPN aes - esp esp-sha-hmac
    tunnel mode
    !
    !
    !
    map SDM_CMAP_1 1 ipsec-isakmp crypto
    Description Tunnel 1 to 52.35.42.787
    defined by peer 52.35.42.787
    game of transformation-AWS-VPN
    PFS group2 Set
    match address 100
    map SDM_CMAP_1 2 ipsec-isakmp crypto
    Description 2 to 52.36.15.787 Tunnel
    defined by peer 52.36.15.787
    game of transformation-AWS-VPN
    PFS group2 Set
    match address 100
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    Description connection Wan WAN - ETH$
    IP address 192.168.1.252 255.255.255.0
    automatic duplex
    automatic speed
    map SDM_CMAP_1 crypto
    !
    interface GigabitEthernet0/1
    Description of the connection to the local network
    IP 192.168.0.252 255.255.255.0
    automatic duplex
    automatic speed
    !
    IP forward-Protocol ND
    !
    IP http server
    local IP http authentication
    no ip http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP route 0.0.0.0 0.0.0.0 192.168.1.254 permanent

    !
    recording of debug trap
    host 192.168.0.3 record
    host 192.168.0.47 record
    !
    !
    Note access-list 100 permit to AWS Tunnel 1
    Access-list 100 CCP_ACL category = 20 note
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any what newspaper
    Note access-list 101 permit to AWS Tunnel 2
    Note access-list 101 category CCP_ACL = 4
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any logexit
    !
    control plan
    !
    !
    alias con exec conf t
    SIB exec show int short ip alias
    alias exec srb see the race | b
    sri alias exec show run int
    !
    Line con 0
    exec-timeout 0 0
    Synchronous recording
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    privilege level 15
    local connection
    transport of entry all
    transportation out all
    !
    Scheduler allocate 20000 1000
    !
    end

    There should be no second tunnel.

    I use either a peer or the other, but not both at the same time.

    To display both at the same time, you need to use the Tunnel interfaces.  Amazon would have you sent pretty much the exact commands to copy and paste into.

  • Cisco 1841 to Vigor VPN

    Hi all

    I desperately need help. I spent the last 48 hrs trawling internet try to find how to set up secessfully

    I have port ports 80 and 443 forwarded for 78.25.xxx.xxx to our 192.168.6.65 local mail server. But all im presented with is unable to display the page when I try and connect to the external IP address on the local network. But if I try this address outside the local access network, then it works fine?

    My other problem I have is that I would like to setup 7 vpn which all dial for this router. They are configured to use ipsec with a preshared key ike. The dial of the router are vigor 2600-2820 series and I was going to use the following configuration to the cisco but it crashes card crypto cm-cryptomap.

    If anyone can help me I would really really appreciate it.

    Network configuration
    IP PUBLIC IP PRIVATE
    HUB (CISCO 1841) 192.168.6.0 SITE 78.XX. XXX.48
    SITE SPOKE (VIGOR 2600) 192.168.88.0 85.XX. XXX.85

    # tried vpn config that did not work.

    crypto ISAKMP policy 1
    md5 hash
    preshared authentication
    life 3600
    ISAKMP crypto key 123 address 85.189.xxx.xxx (site of talk)
    Crypto ipsec transform-set esp cm-transformset-1-esp-md5-hmac
    Dimensions of tunnel mib crypto ipsec flowmib history 200
    MIB crypto ipsec flowmib size of 200 historical failure
    Crypto card cm-cryptomap-address FastEthernet0/0
    cm-cryptomap 1 ipsec-isakmp crypto map
    defined by peer 85.189.155.85 (site of talk)
    the value of the transform-set cm-transformset-1
    match address 100

    interface FastEthernet0/0
    cm-cryptomap crypto card
    access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

    Here is the config complete less info vpn that works perfectly with bonded adsl
    # FULL CONFIG #.

    Current configuration: 3938 bytes
    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    BURTON hostname
    !
    boot-start-marker
    boot-end-marker
    !
    activate the FBI secret 5
    activate the password xxxxxxxxxxx
    !
    No aaa new-model
    IP cef
    !
    !
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    !
    !
    name of the IP-server 62.121.0.2
    name of the IP-server 195.54.225.10
    !
    !
    Crypto pki trustpoint TP-self-signed-692553461
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 692553461
    revocation checking no
    rsakeypair TP-self-signed-692553461
    !
    !
    TP-self-signed-692553461 crypto pki certificate chain
    certificate self-signed 01
    308201A 5 A0030201 02020101 3082023C 300 D 0609 2A 864886 F70D0101 04050030
    2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
    69666963 36393235 35333436 31301E17 313031 31323431 34343930 0D 6174652D
    325A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
    532D 5365 6C662D53 69676E65 4365 72746966 69636174 652 3639 32353533 642D
    06092A 86 4886F70D 01010105 34363130 819F300D 00308189 02818100 0003818D
    BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
    B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
    20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
    FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
    02030100 01A 36630 03551 D 13 64300F06 0101FF04 05300301 01FF3011 0603551D
    11040A 30 08820642 5552544F 4E301F06 23 04183016 03551D 8014645E 3FDE4E90
    A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
    77358081 EE4217F4 3A300D06 01040500 03818100 86F70D01 82123899 092A 8648
    B9B21771 6B8C0F9E C66B907A AC7A09BF 1FFCB332 0C7B6446 22483 HAS 32 5EE7D1FC
    128A 9224 30964615 E70FFE29 513455AB 6A1747C4 250070DF 4ABE123D 0A29DD8B
    E67A33F0 4E61AB87 9AE1D2DC 72741BE7 3A9AD79D 13B622B3 BCADCDAA 9D5EA74C
    567D AD429722 9AE90E13 7D80027F 4FA37A7F 65014 2852 HAS 45 43CB141C 36FCB96B
    quit smoking
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    Description $ETH - LAN$
    IP 192.168.6.40 255.255.255.0
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    !
    interface FastEthernet0/1
    no ip address
    Shutdown
    automatic duplex
    automatic speed
    !
    ATM0/0/0 interface
    no ip address
    no ip mroute-cache
    No atm ilmi-keepalive
    Bundle-enable
    DSL-automatic operation mode
    PVC 0/38
    aal5mux encapsulation ppp Dialer
    Dialer pool-member 1
    !
    !
    ATM0/1/0 interface
    no ip address
    no ip mroute-cache
    No atm ilmi-keepalive
    Bundle-enable
    DSL-automatic operation mode
    PVC 0/38
    aal5mux encapsulation ppp Dialer
    Dialer pool-member 1
    !
    !
    interface Dialer0
    the negotiated IP address
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    Dialer pool 1
    Dialer-Group 1
    PPP reliable link
    Authentication callin PPP chap Protocol
    PPP chap hostname [email protected] / * /
    PPP chap password 0 xxxxxxxx
    PPP ipcp dns request
    reorganizes the PPP link
    multilink PPP Panel
    PPP multilink sliding 16 mru
    period of PPP multilink fragment 10
    Panel multilink PPP interleave
    multiclass multilink PPP
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 Dialer0
    !
    IP http server
    IP http secure server
    overload of IP nat inside source list 100 interface Dialer0
    IP nat inside source static tcp 192.168.6.65 25 interface Dialer0 25
    IP nat inside source static tcp 192.168.6.45 Dialer0 1723 1723 interface
    IP nat inside source static tcp 192.168.6.65 80 78.XX. XXX.61 extensible 80
    IP nat inside source static tcp 192.168.6.65 78.XX 443. XXX.61 extensible 443
    IP nat inside source static tcp 192.168.6.30 80 78.XX. XXX.62 extensible 80
    IP nat inside source static tcp 192.168.6.30 78.XX 443. XXX.62 extensible 443
    !
    access-list 100 permit ip 192.168.6.0 0.0.0.255 any
    Dialer-list 1 ip protocol allow
    public RO SNMP-server community
    !
    !
    control plan
    !
    !
    Line con 0
    line to 0
    line vty 0 4
    password xxxxxxxxxxxx
    opening of session
    !
    Scheduler allocate 20000 1000
    end

    Cryptography works fine it seems.

    The error you receive is I think because that side vigor is able to encrypt a subnet ip (range) that is not defined by Cisco.

    The force he sends down to Cisco and after decrypting the Security Association IPSEC is a fall because it does not part of interesting traffic.

    But, I guess you're already running.

  • Cisco 1841 ipsec tunnel protocol down after a minute

    I have a strange problem where im manages to get a tha cisco ipsec tunnel 1841 to a RV016 linksys/cisco for about a minute and ping/encrypt the packets through the linen for about a minute before it breaks down. I tried different configuration and it all results in the tunnel for a minute then descend to come. I don't know if im hitting a bug and decide to if im doing something wrong.

    any help is appreciated paul

    RV016 firmware 2.0.18

    Cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4 (24) T

    my config

    no default isakmp crypto policy

    !

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    lifetime 28800

    ISAKMP crypto key address 0.0.0.0 eaton1234 0.0.0.0

    !

    !

    Crypto ipsec transform-set esp-3des esp-sha-hmac ESSTS

    transport mode

    no default crypto ipsec transform-set

    !

    Crypto ipsec profile ipsec_profile1

    Description in the location main site to site VPN tunnel

    game of transformation-ESSTS

    PFS group2 Set

    !

    !

    !

    !

    !

    !

    !

    Tunnel1 interface

    Description of the location of the hand

    IP unnumbered Serial0/0/0

    source of tunnel Serial0/0/0

    destination 209.213.x.x tunnel

    ipv4 ipsec tunnel mode

    tunnel path-mtu-discovery

    protection of ipsec profile ipsec_profile1 tunnel

    !

    a debug output

    Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 the proposal

    Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 of the proposal

    (Eng. msg key.) Local INCOMING = 209.213.xx.46, distance = 209.213.xx.164,.

    local_proxy = 10.20.86.0/255.255.255.0/0/0 (type = 4),

    remote_proxy = 10.0.0.0/255.255.255.0/0/0 (type = 4),

    Protocol = ESP, transform = NONE (Tunnel),

    lifedur = 0 and 0kb in

    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

    Apr 24 16:42:07: mapdb Crypto: proxy_match

    ADR SRC: 10.20.86.0

    ADR DST: 10.0.0.0

    Protocol: 0

    SRC port: 0

    DST port: 0

    Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

    Apr 24 16:42:07: mapdb Crypto: proxy_match

    ADR SRC: 10.20.86.0

    ADR DST: 10.0.0.0

    Protocol: 0

    SRC port: 0

    DST port: 0

    Apr 24 16:42:07: IPSEC (policy_db_add_ident): src dest 10.0.0.0, 10.20.86.0, dest_port

    0

    Apr 24 16:42:07: IPSEC (create_sa): its created.

    (his) sa_dest = 209.213.xx.46, sa_proto = 50,.

    sa_spi = 0x4CF51011 (1291128849).

    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2045

    sa_lifetime(k/sec) = (4463729/3600)

    Apr 24 16:42:07: IPSEC (create_sa): its created.

    (his) sa_dest = 209.213.xx.164, sa_proto = 50,.

    sa_spi = 0x1EB77DAF (515341743).

    sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2046

    sa_lifetime(k/sec) = (4463729/3600)

    Apr 24 16:42:07: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

    you to

    Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

    Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP

    Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): select SA with spinnaker 515341743/50

    Apr 24 16:42:07: IPSEC (update_current_outbound_sa): update peer 209.213.xx.164 curre

    NT his outgoing to SPI 1EB77DAF

    Apr 24 16:42:12: IPSEC (key_engine): request timer shot: count = 1,.

    local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

    local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

    remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

    Apr 24 16:42:12: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 209.213.xx.46, distance = 209.213.xx.164,.

    local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

    remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

    Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),

    lifedur = 3600 s and KB 4608000,

    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

    Apr 24 16:42:42: IPSEC (key_engine): request timer shot: count = 2,.

    local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

    local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

    remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

    Apr 24 16:42:42: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

    you all the downu

    All possible debugging has been disabled

    I would try to set up a VPN Interface virtual Tunnel on the IOS router base and the value of defined transformation in tunnel mode no transport.

    In history, I have had several issues with VPN between a router IOS and the series RV.

  • VPN on Cisco 1841 router

    Hello

    I need to configure the vpn site to site on router cisco 1841, but the problem is that the router does not recognize the crypto comand.

    R1 #conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1 (config) #crypto?
    % Unrecognized command
    R1 (config) #crypto?
    % Unrecognized command
    R1 (config) #c?
    call call-history-mib id-carrier cdp
    chat script class-card clock SNC
    config-register connect plan control configuration

    R1 (config) #crypto isakmp policy 1

    ^
    Invalid entry % detected at ' ^' marker.

    R1 #sh worm
    Cisco IOS Software, 1841 (C1841-IPBASE-M), Version 12.4 (1 c), RELEASE SOFTWARE (fc1)
    Technical support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Updated Wednesday 25 October 05 17:10 by evmiller

    ROM: System Bootstrap, Version 12.3 T9 (8r), RELEASE SOFTWARE (fc1)

    the availability of CS-Khatlon-opio-01 is 2 days, 23 hours, 13 minutes
    System returned to ROM of charging at 16:07:44 TJK Friday, November 7, 2014
    System image file is "flash: c1841-ipbase - mz.124 - 1C.bin.

    Cisco 1841 (revision 6.0) with 114688K / 16384K bytes of memory.
    Card processor ID FCZ102110NQ
    2 FastEthernet interfaces
    Configuration of DRAM is 64 bits wide with disabled parity.
    191K bytes of NVRAM memory.
    31360K bytes of ATA CompactFlash (read/write)

    Configuration register is 0 x 3922

    Please help, how to set up vpn?

    Hello

    According to this output is more than clear that you do not have a k9 license applied to this router, this license will enable the security features on your IOS, in this case, you will need a permit of k9 with an activation key, and then you will be able to have available on your device encryption controls. Once you have that we can work on configuring site to site.

    Do not forget to rate!

    David Castro,

    Kind regards

  • ASA to 1841 VPN Tunnel

    Hello

    I am trying to establish a VPN tunnel from site to site between 2 offices. An agency has a Cisco 1841 and the other a pair of ASA 5510. I get the tunnel to establish without problem. The problem is that traffic will the intended to the ASA 1841 will not encrypt to this particular tunnel. I get decaps on the session, but no program. I've reconfigured the tunnel several times but keep getting the same result:

    Interface: FastEthernet0/1
    The session state: UP-ACTIVE
    Peer: 202.41.148.5 port fvrf 500: (none) ivrf: (none)
    Phase1_id: 202.41.148.5
    DESC: (none)
    IKE SA: local 81.218.42.130/500 remote 202.41.148.5/500 Active
    Capabilities: (None) connid:98 life time: 23:45:02
    FLOW IPSEC: allowed ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
    Active sAs: 2, origin: card crypto
    On arrival: dec #pkts'ed 17 drop 0 life (KB/s) 4569995/2704
    Outbound: #pkts enc'ed drop 0 0 life (KB/s) 4569996/2704

    Any suggestions would be greatly appreciated.

    Andy

    Your ACL 100 is not exempt traffic 192.168.5.0-> 10.0.96.0 of the NAT process.  Please add the line below above the permit statement and test again.

    access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

  • NAT before going on a VPN Tunnel Cisco ASA or SA520

    I have a friend who asked me to try to help.  We are established VPN site to site with a customer.  Our camp is a Cisco sa520 and side there is a control point. The tunnel is up, we checked the phase 1 and 2 are good. The question is through the tunnel to traffic, our LAN ip address are private addresses 10.10.1.0/24 but the client says must have a public IP address for our local network in order to access that server on local network there.  So, in all forums, I see that you cannot NAT before crossing the VPN tunnel, but our problem is that our site has only 6 assigned IP addresses and the comcast router, on the side of the firewall SA520 WAN.  So we were wondering was there a way we can use the WAN on the SA520 interface or use another available 6 who were assigned to the NAT traffic and passes through the tunnel.  That sounds confusing to you?  Sorry, but it's rarely have I a customer say that I must have a public IP address on my side of the LAN.  Now, I say this is a SA520 firewall, but if it is not possible to do with who he is a way were able with an ASA5505?

    Help or direction would be very useful.

    Hello

    I guess I could quickly write a basic configuration. Can't be sure I remember all correctly. But should be the biggest part of it.

    Some of the course settings may be different depending on the type of VPN L2L connection settings, you have chosen.

    Naturally, there are also a lot of the basic configuration which is not mentioned below.

    For example

    • Configurations management and AAA
    • DHCP for LAN
    • Logging
    • Interface "nonstop."
    • etc.

    Information for parameters below

    • x.x.x.x = ASA 'outside' of the public IP interface
    • y.y.y.y = ASA "outside" network mask
    • z.z.z.z = ASA "outside" IP address of the default gateway
    • a.a.a.a = the address of the remote site VPN L2L network
    • b.b.b.b = mask of network to the remote site VPN L2L
    • c.c.c.c = IP address of the public peer device VPN VPN L2L remote site
    • PSK = The Pre Shared Key to connect VPN L2L

    Interfaces - Default - Access-list Route

    interface Vlan2

    WAN description

    nameif outside

    security-level 0

    Add IP x.x.x.x y.y.y.y

    Route outside 0.0.0.0 0.0.0.0 z.z.z.z

    interface Ethernet0

    Description WAN access

    switchport access vlan 2

    • All interfaces are on default Vlan1 so their ' switchport access vlan x "will not need to be configured

    interface Vlan1

    LAN description

    nameif inside

    security-level 100

    10.10.1.0 add IP 255.255.255.0

    Note to access the INSIDE-IN list allow all local network traffic

    access to the INTERIOR-IN ip 10.10.1.0 list allow 255.255.255.0 any

    group-access INTERIOR-IN in the interface inside

    Configuring NAT and VPN L2L - ASA 8.2 software and versions prior

    Global 1 interface (outside)

    NAT (inside) 1 10.10.1.0 255.255.255.0

    Crypto ipsec transform-set AES-256 aes-256-esp esp-sha-hmac

    crypto ISAKMP policy 10

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    lifetime 28800

    L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

    card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

    card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

    card crypto WAN-CRYPTOMAP 10 the value transform-set AES-256

    card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

    CRYPTOMAP WAN interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    tunnel-group c.c.c.c type ipsec-l2l

    tunnel-group c.c.c.c ipsec-attributes

    pre-shared key, PSK

    NAT and VPN L2L - ASA 8.3 software configuration and after

    NAT source auto after (indoor, outdoor) dynamic one interface

    Crypto ipsec transform-set ikev1 AES-256 aes-256-esp esp-sha-hmac

    IKEv1 crypto policy 10

    preshared authentication

    aes-256 encryption

    sha hash

    Group 2

    lifetime 28800

    L2L-VPN-CRYPTOMAP of the access list allow ip x.x.x.x a.a.a.a b.b.b.b host

    card crypto WAN-CRYPTOMAP 10 matches L2L-VPN-CRYPTOMAP address

    card crypto WAN-CRYPTOMAP 10 set peer c.c.c.c

    card crypto WAN-CRYPTOMAP 10 set transform-set AES-256 ikev1

    card crypto WAN-CRYPTOMAP 10 set security-association second life 3600

    CRYPTOMAP WAN interface card crypto outside

    crypto isakmp identity address

    Crypto ikev1 allow outside

    tunnel-group c.c.c.c type ipsec-l2l

    tunnel-group c.c.c.c ipsec-attributes

    IKEv1 pre-shared key, PSK

    I hope that the above information was useful please note if you found it useful

    If it boils down to the configuration of the connection with the ASA5505 and does not cut the above configuration, feel free to ask for more

    -Jouni

  • Cisco 881 - maximum number of VPN tunnels allowed?

    Hello

    I know it sounds simple and easy question, but I can't find the answer anywhere - so here it is: -.

    I need to know the maximum number of vpn tunnels that can manage a Cisco 881.

    (In the context, we have a group of users who work from home and office, so their laptops have the cisco vpn client, I need to know how much of these vpn connections the 881 can manage both before, he died a death)

    Host-, I read somewhere a line that State maximum number of users is 20 but believe it was referring to a VOIP service.

    Thanks in advance.

    The 881 supports 20-tunnel IPSec:

    http://www.Cisco.com/en/us/prod/collateral/routers/ps380/data_sheet_c78_459542_ps380_Products_Data_Sheet.html

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • How to get to the VPN tunnel to the subnet 2/3

    I have not yet tried something else a few years back I got on my back which head with an ASA firewall you cannot route traffic to a subnet of second or third (it's 2 or 3 jumps away) on a same VPN tunnel if you add routes to all LAN subnets in all required firewall and tunnels.

    I know other manufacturers such as SonicWall, here you can do it, so the question is, is possible in the firewall Cisco ASA with version 7.07 and 7.2.4? If this is not the case, is it possible in a future release? and if this is not possible, how can I make it work? I can't work with a firewall router 1 LAN to LAN s 3?

    Attached are also a network card for the visualization of all subnets.

    Thanks in advance

    Johan Mannerstrom

    ICT technician

    If the firewall HQ is already connected to LAN2 (way I mean), then you have even connect an interface on the firewall of HQ and in him giving an ip address that belongs to LAN2. As firewall HQ has a route to 192.168.20.0/24 and 18.0/24 and vice versa, that's enough.

    And you're on the point on the rest of the steps you have provided regarding the config.

    And of course, you must configure matching exemption to ACL and NAT image mirror on the remote VPN encryption too.

  • How to reset the password of the router cisco 1841

    Hello

    HAVA router cisco 1841 forgotten username and password and it had to rely on its setting default help pls

    I tried boot while now ctrl and break enter rommon1 >

    rommon1 > confreg 0 * 2142

    rommon1 > reset

    still shows rommon 3 >

    pls help, he asks user name and password and don't remember them both

    THX

    J

    You must start the router after that.

    Type the rommon starting if you have set the boot variable correctly

  • VPN tunnel between the concentrator 3005 and router Cisco 827

    I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

    There is a router of perimeter with access set up in front of the 3005 list.

    I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

    I get the following message appears when I try to ping a local host in the Central site.

    Can Anyoune give me the correct steps to 827 and 3005.

    Thank you

    CCNP Ansar.

    ------------------------------------------------------------------------------------------------------

    Debug crypto ISAKMP

    encryption of debugging engine

    Debug crypto his

    debug output

    ------------------

    1d20h: IPSEC (sa_request):,.

    (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

    local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

    remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

    Protocol = ESP, transform = esp - esp-md5-hmac.

    lifedur = 3600 s and KB 4608000,

    SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

    1d20h: ISAKMP: ke received message (1/1)

    1d20h: ISAKMP: 500 local port, remote port 500

    1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

    Former State = new State IKE_READY = IKE_I_MM1

    1d20h: ISAKMP (0:1): early changes of Main Mode

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

    1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

    1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

    1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

    1d20h: IPSEC (key_engine): request timer shot: count = 1,.

    You must also allow the esp Protocol in your ACL.

    access-list 101 permit esp any host x.x.x.x (address of the hub)

    Hope this helps,

    -Nairi

  • How to change an existing in ASDM VPN tunnel?

    I currently have a VPN tunnel together upwards, but to change some of the configurations as making ikev2, replacing the SHA512 hash and change it in the DH group 14. I intend to do this in ASDM. I already created a group of tunnel ikev2 that I put the tunnel and created a Card Crypto that is configured with the right proposal ikev2 IPSec and Diffie-Hellman group. All other configurations such as the IP of Peer address and subnets configured and I'll work with the engineers at the other end of the tunnel to ensure that configurations are, I want to just make sure I'm not missing anything. Someone at - he never comes to change the configuration of an existing ASDM so tunnel, and it worked correctly? Here are the steps that I have will be taken as well as those I've already mentioned:

    -Edit the connection profile so that the name of group policy use the correct tunnel that was created for ikev2

    -Enter the pre-shared key local and remote pre-shared key ikev2 tab

    -Change the IKE Policy so that it uses the ikev2 policy that was created to use SHA512

    -Modify the IPSEC proposal so that it uses AES256-SHA512

    -THE CRYPTO MAP IS ALREADY CREATED

    -Change the secret of transfer perfect in group 14

    Hello

    Let me go through your questions to clarify this double:

    1. If I have a Crypto map applied to my external interface with a proposal of IPSec of ikev1 can I just add a proposal ikev2 in this Crypto map as well?

    If you have a card encryption applied to different peers outside and 3 with different order number, you will need to replace the proposal for the peer using IKEv2: IKEv2 IKEv1, the others must continue to use their IKEv1 IPSec proposal.

    2. so can I add an ikev2 with AES256 SHA512 hash proposal to my 123.123.123.456 tunnel group and continue to have all three tunnel groups always pass traffic? What happens if I add the proposal ikev2, but REMOVE the ikev1 this group of tunnel proposal because I don't want this group of tunnel use one other than AES256-SHA512 hash?

    123.123.123.456 - ikev2 - AES256-SHA512

    I would like to expand this a little more, if her counterpart 123.123.123.456, must use IKEv2, you need to declare the IKEv2 in the tunnel group and add the relevant "Local and remote PSK"--> is for phase 1, and this means that it will use the IKEv2 defined policy before, and IPSec IKEv2 proposal is on phase 2, where the encryption card is you will need to replace the IKEv1 and use IPSec IKEv2 proposal. That way it will use for the phase 1 of the policy of IKEv2, that you set and defined transformation IKEv2, by making this change make sure that both sides are mirrored with IKEv2 and IPSec policy projects, as well as the tunnel will remain and will come with the new proposals.

    This custom affect no matter what another tunnel, as long as you change the settings to the correct tunnel group and do not delete all the proposals, simply remove the profile connection, those employees.

    3. you know what I mean? All groups of three tunnels on that off interface use different cryptographic cards, with only two of the three using ikev1 as a proposal of IPSec. Which will work?

    You can only have one card encryption applied by interface, and 3 tunnels using different sequence number with the same crypto map name, you cannot 2 tunnels on the same card encryption using IKEV1, and always in the same encryption card have the third tunnel using IKEv2 (different transformation defined using IKEv2). This custom cause no problem. 

    4. what Group Policy DfltGrpPolicy? Currently use all my groups of tunnel, but it is configured for ikev1. I'm not really sure what role is in everything it can so I simply add ikev2?

    Default group policy is added by default to all your groups of tunnel (connection profile), whenever create you one default group policy is inherited him by default, you can change to group policy that you can create, group policy is a set of attributes that will be used to define something or limit , for example, for a site, you can configure a VPN filter (filters the traffic that goes through the tunnel), now back to your topic, you define the protocols that will be negotiated as for an L2L IKEv1 or IKEv2, Anyconnect SSL or IKEv2, on default group policy, and so on, it is therefore important that you add the IKEv2 , so trading will be permitted, or both to create a new group policy and add the IKEv2 Protocol; and in the tunnel group, add the group policy relevant, that you just created.

    I hope that this is precisely, keep me posted!

    Please go to the note, and mark it as correct this post and the previous that it helped you!

    David Castro,

  • How to limit the bandwidth in the VPN Tunnels in RV082?

    Hello

    It is possible to limit the bandwidth of the IPSEC VPN Tunnels or the traffic that goes through the tunnels?

    Use IP addresses or port numbers the same way and clients when limiting bandwidth to clients in the local network?

    Thank you very much

    Oliver

    There is a way to solve internal IP addresses, protocols or ports and specify the bandwidth

    I send you the links to access information on how to set it up.

    http://www6.nohold.NET/Cisco2/GetArticle.aspx?docid=3c09b393e3744ffd98330fd0031a4aa2_4228.XML&PID=80&converted=0

  • Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

    HelloW everyone.

    I configured ipsec vpn tunnel between Singapore and Malaysia with asa firewall.

    but the vpn does not come to the top. can someone tell me what can be the root cause?

    Here is the configuration of twa asa: (I changed the ip address all the)

    Singapore:

    See the race
    ASA 2.0000 Version 4
    !
    ASA5515-SSG520M hostname
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.15.4 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.5.3 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 160.83.172.8 255.255.255.224
    <--- more="" ---="">
                  
    !
    <--- more="" ---="">
                  
    interface GigabitEthernet0/3
    <--- more="" ---="">
                  
    Shutdown
    <--- more="" ---="">
                  
    No nameif
    <--- more="" ---="">
                  
    no level of security
    <--- more="" ---="">
                  
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.219 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    connection of the banner ^ C please disconnect if you are unauthorized access ^ C
    connection of the banner please disconnect if you are unauthorized access
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    network of the SG object
    <--- more="" ---="">
                  
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.15.202
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    <--- more="" ---="">
                  
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.15.0_24 object
    192.168.15.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    debugging in the history record
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    no failover
    <--- more="" ---="">
                  
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
    !
    network of the SG object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
    Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
    Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
    Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    <--- more="" ---="">
                  
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server

    Community trap SNMP-server host test 192.168.168.231 *.
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps syslog
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 103.246.3.54
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group 143.216.30.7 type ipsec-l2l
    tunnel-group 143.216.30.7 General-attributes
    Group Policy - by default-GroupPolicy1
    <--- more="" ---="">
                  
    IPSec-attributes tunnel-group 143.216.30.7
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    Overall description
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    <--- more="" ---="">
                  
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:ccce9a600b491c8db30143590825c01d
    : end

    Malaysia:

    :
    ASA 2.0000 Version 4
    !
    hostname ASA5515-SSG5-MK
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.6.70 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.12.2 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 143.216.30.7 255.255.255.248
    <--- more="" ---="">
                  
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.218 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    <--- more="" ---="">
                  
    Interface Port - Channel 1
    No nameif
    no level of security
    IP 1.1.1.1 255.255.255.0
    !
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    clock timezone GMT + 8 8
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    <--- more="" ---="">
                  
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.6.23
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.2.0_24 object
    192.168.6.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    asdm of logging of information
    <--- more="" ---="">
                  
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    reverse IP check management interface path
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
    NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
    !
    network of the MK object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
    <--- more="" ---="">
                  
    Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
    Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
    Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    Enable http server

    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    <--- more="" ---="">
                  
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 160.83.172.8
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    SSH timeout 60
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    <--- more="" ---="">
                  
    tunnel-group MK SG type ipsec-l2l
    IPSec-attributes tunnel-group MK-to-SG
    IKEv1 pre-shared-key *.
    tunnel-group 160.83.172.8 type ipsec-l2l
    tunnel-group 160.83.172.8 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 160.83.172.8
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    <--- more="" ---="">
                  
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Good news, that VPN has been implemented!

    According to the ping problem, my suggestion is to check, if some type of firewall based on host computers on both sides block ICMP requests.

    Anyway, you can still use the capture of packets on the inside of the interfaces of the two ASAs, to check if the ICMP traffic is to reach the ASA.

    In addition, you can try to enable ICMP inspection:

    Policy-map global_policy
    class inspection_default

    inspect the icmp

    inspect the icmp error

Maybe you are looking for