Cisco ASA 5505 VPN Site to Site

Similar Questions

• ASA 5505 VPN Site to site with several networks

  Hello

  I have a Cisco ASA 5505 configuration problem and hope you can help me.

  Our company created a second facility, which must be connected using VPN to our headquarters.

  I used the ASDM "Wizard of Site to site VPN" to create a connection, which works very well with our main network.

  Following structure:

  Headquarters:

  Cisco ASA 5505, firmware 9.1, ASDM version 7.1

  Outside: Fixed IP

  Inside: IP address of the interface is 192.168.0.1/24 (data network)

  Now I have a second network 192.168.1.0/24 (VoIP network), PBX address is 192.168.1.10.

  The two networks should be accessible through the VPN.

  New installation:

  Cisco ASA 5505, firmware 9.1, ASDM version 7.1

  Outside: Fixed IP

  Inside: IP address of the interface is 192.168.2.1/24

  I have already created a connection until a PC of the new plant reaches the data network. For example, a ping from 192.168.2.100 to 192.168.0.100 is possible.

  Now, I want to add some VoIP phones to the new facility, which can reach the PBX on 192.168.1.10.

  In the link, I have already added the two networks as remote network:

  object-group network Testgroup network-object 192.168.0.0 255.255.255.0 network-object 192.168.1.0 255.255.255.0 access-list outside_cryptomap extended permit ip object-group Testgroup object Remote-Network 

  My problem now is, I don't know what to define as 'Bridge' on my PBX.

  I can't use 192.168.0.1 because it's a different subnet. Also, I can not put a second IP 192.168.1.1 to the interface of the ASA.

  You have any ideas, how can I accomplish this, so that the two subnets are accessed through the VPN and all devices have a defined gateway?

  Could a "Easy VPN Remote" in "Network Mode" you help me?

  What is the difference between 'Site-to-site' and 'extended network '?

  Kind regards

  Daniel condition, look for the solution GmbH

  You can optionally configure a new LAN VIRTUAL (VLAN PBX) on the SAA and connect this interface to the voice network.

  If you do not have a spare on the ASA port, then Yes, you have a router to route traffic from the PBX to the ASA via the data network.

• Cisco ASA 5510 VPN Site to Site with Sonicwall

  I am trying to configure a tunnel between a Cisco ASA 5510 VPN (Version 8.2 (2)) and TZ200 Sonicwall. I rose tunnel and go and I am able to ping the internal IP address of Cisco ASA of the Sonicwall LAN but nothing work. When I try to ping a host behind the Cisco ASA of the Sonicwall LAN I get the following message "rules asymmetrical NAT matched for flows forward and backward; Connection for tcp src outside:10.20.10.x/xxxx dst inside:10.20.2.x/xxxx refused due to failure of reverse path of NAT"on the SAA

  Googling the error above shows the problems with version 8.3 or later that resembled the nat commands have been changed SAA, train is still on 8.2 but I another common question does not add an exemption of NAT I have double-triple checked that I did add an exception rule of NAT of the hosts on the network from cisco for the guests of the Sonicwall network. Looks like I hit a road block so any help would be appreciated. Thank you

  Here are a few excertps of the config file (10.20.2.0 behind the cisco) and 10.20.10.0 behind the sonicwall

  NAT (inside) 0 access-list sheep

  ..

  IP 10.20.2.0 allow Access-list extended sheep 255.255.255.0 10.20.10.0 255.255.255.0

  access extensive list ip 10.20.2.0 outside_1_cryptomap allow 255.255.255.0 10.20.10.0 255.255.255.0

  ..

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set counterpart x.x.x.x

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  ..

  crypto ISAKMP allow outside

  crypto ISAKMP policy 5

  preshared authentication

  3des encryption

  sha hash

  Group 2

  lifetime 28800

  ..

  internal SiteToSitePolicy group strategy

  attributes of Group Policy SiteToSitePolicy

  VPN-idle-timeout no

  Protocol-tunnel-VPN IPSec

  Split-tunnel-network-list no

  ..

  tunnel-group x.x.x.x type ipsec-l2l

  tunnel-group x.x.x.x General attributes

  Group Policy - by default-SiteToSitePolicy

  tunnel-group ipsec-attributes x.x.x.x

  pre-shared key *.

  ..

  Added some excerpts from the configuration file

  Hello Manjitriat,

  Okay, detected IPSEC parody is normal, that means you are trying to send unencrypted on a line of encrypted packets.

  Now, if you see on the plotter of package that traffic will hollow the VPN channel all its fine in your site.

  Now the packet tracer must be something like this:

  entrance to Packet-trace inside private_ip_lan destination_private_ip_lan 1025 tcp 80

  Please provide us with the result of the following instructions after you run the packet tracer.

  See the crypto Isakamp SA

  See the crypto Ipsec SA

  Kind regards

  Julio

• Cisco ASA 5505 VPN passthrough

  Hello

  @home i'f installed a Cisco asa 5505 because the provider has the modem cable in transparent mode. So I have the public IP address to my firewall.

  Also for the training because we have in the work of the asa. So I have no feeling with her.

  but sometimes I have to build a VPN session to a server at work. But I do not get a connection to the server. If I remove the ASA 5505, then the connection to the server of work is great. But if to ASA 5505 is back in its place. It does not log VPN to the outside world.

  Could someone point me in the right direction?

  It is possible to create a connection out to the Cisco ASA5505 VPN.

  Thanks in advance

  Greetings

  Palermo

  Hi Palermo,

  You do not have to mention the type of VPN connection, you use.

  If the PPTP protocol then you need to inspect the traffic for the SAA allow again from 'outside '. Try the following:

   ! class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default inspect pptp ! service-policy global_policy global !

  see you soon,

  SEB.

• Cisco ASA 5505 VPN L2TP cannot access the internal network

  Hello

  I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

  Can you jhelp me to find the problem?

  I have Cisco ASA:

  within the network - 192.168.1.0

  VPN - 192.168.168.0 network

  I have the router to 192.168.1.2 and I cannot ping or access this router.

  Here is my config:

  ASA Version 8.4 (3)

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 198.X.X.A 255.255.255.248

  !

  passive FTP mode

  permit same-security-traffic intra-interface

  the net-all purpose network

  subnet 0.0.0.0 0.0.0.0

  network vpn_local object

  192.168.168.0 subnet 255.255.255.0

  network inside_nw object

  subnet 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access deny ip any any newspaper

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT dynamic interface of net-all source (indoor, outdoor)

  NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

  NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

  !

  network vpn_local object

  dynamic NAT interface (outdoors, outdoor)

  network inside_nw object

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication enable LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

  transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

  Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

  card crypto 20-isakmp ipsec vpn Dynamics dyno

  vpn outside crypto map interface

  Crypto isakmp nat-traversal 3600

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  management-access inside

  dhcpd address 192.168.1.5 - 192.168.1.132 inside

  dhcpd dns 75.75.75.75 76.76.76.76 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal sales_policy group policy

  attributes of the strategy of group sales_policy

  Server DNS 75.75.75.75 value 76.76.76.76

  Protocol-tunnel-VPN l2tp ipsec

  user name-

  user name-

  attributes global-tunnel-group DefaultRAGroup

  address sales_addresses pool

  Group Policy - by default-sales_policy

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

  : end

  Thanks for your help.

  You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  --

  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Cisco ASA 5505 remote VPN access to the local network

  I have installed two ASA 5505 VPN site to site that works perfectly.  Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer.  I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network.  can someone take a look and see what I'm missing?  I have attached the ASA running config.

  Apologize for the misunderstanding.

  To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.

  Please please share the following ACL:

  FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224

  TO:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all

  Hope that helps.

• Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

  I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

  The config below has had IPs/passwords has changed.

  External Datacenter: 1.1.1.4

  External office: 1.1.1.1

  Internal data center: 10.5.0.1/24

  Internal office: 10.10.0.1/24

  : Saved
  :
  ASA Version 8.2 (1)
  !
  hostname datacenterfirewall
  mydomain.tld domain name
  activate the password encrypted
  passwd encrypted
  names of
  name 10.10.0.0 OfficeNetwork
  10.5.0.0 DatacenterNetwork name
  !
  interface Vlan1
  nameif inside
  security-level 100
  10.5.0.1 IP address 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  1.1.1.4 IP address 255.255.255.0
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  passive FTP mode
  clock timezone IS - 5
  clock to summer time EDT recurring
  DNS server-group DefaultDNS
  buydomains.com domain name
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  inside_access_in list extended access permit icmp any one
  inside_access_in list extended access permitted tcp a whole
  inside_access_in list extended access udp allowed a whole
  inside_access_in of access allowed any ip an extended list
  outside_access_in list extended access permit icmp any one
  outside_access_in list extended access udp allowed any any eq isakmp
  IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
  IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
  pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
  outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
  outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
  outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  IP verify reverse path to the outside interface
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 623.bin
  don't allow no asdm history
  ARP timeout 14400
  NAT-control
  Global 1 interface (outside)
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside_access_in access to the interface inside group
  Access-group outside_access_in in interface outside
  Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
  Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 10.5.0.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
  Crypto dynamic-map ciscopix 1 transform-set walthamoffice
  Crypto dynamic-map ciscopix 1 the value reverse-road
  map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
  dynmaptosw interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  crypto ISAKMP policy 13
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  lifetime 28800
  crypto ISAKMP policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.5.0.0 255.255.255.0 inside
  Telnet timeout 5
  SSH 10.5.0.0 255.255.255.0 inside
  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd address 10.5.0.2 - 10.5.0.254 inside
  dhcpd allow inside
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  NTP server 66.250.45.2 source outdoors
  NTP server 72.18.205.157 source outdoors
  NTP server 208.53.158.34 source outdoors
  WebVPN
  attributes of Group Policy DfltGrpPolicy
  VPN-idle-timeout no
  username admin password encrypted
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key *.
  !
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  !
  context of prompt hostname
  Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
  : end

  Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

  Add the statement of rule sheep in asa and try again.

  NAT (inside) 0-list of access pixtosw

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

  Concerning

• Cisco ASA 5505 site for multiple subnet of the site.

  Hello. I need help to configure my cisco asa 5505.

  I set up a VPN between two ASA 5505 tunnel

  Site 1:

  Subnet 192.168.77.0

  Site 2:

  Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

  What I need help:

  Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

  And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

  Vlan480 is used for phones. In vlan480, we have a PABX.

  Is this possible to do?

  Any help would be much appreciated!

  Config site 2:

  : Saved

  :

  ASA Version 7.2 (2)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  names of

  name 192.168.1.250 DomeneServer

  name of 192.168.1.10 NotesServer

  name 192.168.1.90 Steadyily

  name 192.168.1.97 TerminalServer

  name 192.168.1.98 eyeshare w8

  name 192.168.50.10 w8-print

  name 192.168.1.94 w8 - app

  name 192.168.1.89 FonnaFlyMedia

  !

  interface Vlan1

  nameif Vlan1

  security-level 100

  IP 192.168.200.100 255.255.255.0

  OSPF cost 10

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 79.x.x.226 255.255.255.224

  OSPF cost 10

  !

  interface Vlan400

  nameif vlan400

  security-level 100

  IP 192.168.1.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan450

  nameif Vlan450

  security-level 100

  IP 192.168.210.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan460

  nameif Vlan460-SuldalHotell

  security-level 100

  IP 192.168.2.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan461

  nameif Vlan461-SuldalHotellGjest

  security-level 100

  address 192.168.3.1 IP 255.255.255.0

  OSPF cost 10

  !

  interface Vlan462

  Vlan462-Suldalsposten nameif

  security-level 100

  192.168.4.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan470

  nameif vlan470-Kyrkjekontoret

  security-level 100

  IP 192.168.202.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan480

  nameif vlan480 Telefoni

  security-level 100

  address 192.168.20.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan490

  nameif Vlan490-QNapBackup

  security-level 100

  IP 192.168.10.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan500

  nameif Vlan500-HellandBadlands

  security-level 100

  192.168.30.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan510

  Vlan510-IsTak nameif

  security-level 100

  192.168.40.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan600

  nameif Vlan600-SafeQ

  security-level 100

  192.168.50.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  switchport access vlan 500

  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

  switchport mode trunk

  !

  interface Ethernet0/3

  switchport access vlan 490

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passwd encrypted x

  passive FTP mode

  clock timezone WAT 1

  DNS server-group DefaultDNS

  domain default.domain.invalid

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  Lotus_Notes_Utgaaande tcp service object-group

  UT og Frim Notes Description til alle

  area of port-object eq

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ pptp Port object

  EQ smtp port object

  Lotus_Notes_inn tcp service object-group

  Description of the inn og alle til Notes

  port-object eq www

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ smtp port object

  object-group service Reisebyraa tcp - udp

  3702 3702 object-port Beach

  5500 5500 object-port Beach

  range of object-port 9876 9876

  object-group service Remote_Desktop tcp - udp

  Description Tilgang til Remote Desktop

  3389 3389 port-object range

  object-group service Sand_Servicenter_50000 tcp - udp

  Description program tilgang til sand service AS

  object-port range 50000 50000

  VNC_Remote_Admin tcp service object-group

  Description Fra ¥ oss til alle

  5900 5900 port-object range

  object-group service Printer_Accept tcp - udp

  9100 9100 port-object range

  port-object eq echo

  ICMP-type of object-group Echo_Ping

  echo ICMP-object

  response to echo ICMP-object

  object-group service Print tcp

  9100 9100 port-object range

  FTP_NADA tcp service object-group

  Suldalsposten NADA tilgang description

  port-object eq ftp

  port-object eq ftp - data

  Telefonsentral tcp service object-group

  Hoftun description

  port-object eq ftp

  port-object eq ftp - data

  port-object eq www

  EQ object of the https port

  port-object eq telnet

  Printer_inn_800 tcp service object-group

  Fra 800 thought-out og inn til 400 port 7777 description

  range of object-port 7777 7777

  Suldalsposten tcp service object-group

  Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

  EQ Port pop3 object

  EQ smtp port object

  http2 tcp service object-group

  Beach of port-object 81 81

  object-group service DMZ_FTP_PASSIVE tcp - udp

  55536 56559 object-port Beach

  object-group service DMZ_FTP tcp - udp

  20 21 object-port Beach

  object-group service DMZ_HTTPS tcp - udp

  Beach of port-object 443 443

  object-group service DMZ_HTTP tcp - udp

  8080 8080 port-object range

  DNS_Query tcp service object-group

  of domain object from the beach

  object-group service DUETT_SQL_PORT tcp - udp

  Description for a mellom andre og duett Server nett

  54659 54659 object-port Beach

  outside_access_in of access allowed any ip an extended list

  outside_access_out of access allowed any ip an extended list

  vlan400_access_in list extended access deny ip any host 149.20.56.34

  vlan400_access_in list extended access deny ip any host 149.20.56.32

  vlan400_access_in of access allowed any ip an extended list

  Vlan450_access_in list extended access deny ip any host 149.20.56.34

  Vlan450_access_in list extended access deny ip any host 149.20.56.32

  Vlan450_access_in of access allowed any ip an extended list

  Vlan460_access_in list extended access deny ip any host 149.20.56.34

  Vlan460_access_in list extended access deny ip any host 149.20.56.32

  Vlan460_access_in of access allowed any ip an extended list

  vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

  vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

  vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

  Vlan500_access_in list extended access deny ip any host 149.20.56.34

  Vlan500_access_in list extended access deny ip any host 149.20.56.32

  Vlan500_access_in of access allowed any ip an extended list

  vlan470_access_in list extended access deny ip any host 149.20.56.34

  vlan470_access_in list extended access deny ip any host 149.20.56.32

  vlan470_access_in of access allowed any ip an extended list

  Vlan490_access_in list extended access deny ip any host 149.20.56.34

  Vlan490_access_in list extended access deny ip any host 149.20.56.32

  Vlan490_access_in of access allowed any ip an extended list

  Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan1_access_out of access allowed any ip an extended list

  Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan1_access_out deny ip extended access list a whole

  Vlan1_access_out list extended access permit icmp any any echo response

  Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

  Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

  Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan480_access_out of access allowed any ip an extended list

  Vlan510_access_in of access allowed any ip an extended list

  Vlan600_access_in of access allowed any ip an extended list

  Vlan600_access_out list extended access permit icmp any one

  Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_in_1 of access allowed any ip an extended list

  Vlan461_access_in of access allowed any ip an extended list

  Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

  pager lines 24

  Enable logging

  asdm of logging of information

  MTU 1500 Vlan1

  Outside 1500 MTU

  vlan400 MTU 1500

  MTU 1500 Vlan450

  MTU 1500 Vlan460-SuldalHotell

  MTU 1500 Vlan461-SuldalHotellGjest

  vlan470-Kyrkjekontoret MTU 1500

  MTU 1500 vlan480-Telefoni

  MTU 1500 Vlan490-QNapBackup

  MTU 1500 Vlan500-HellandBadlands

  MTU 1500 Vlan510-IsTak

  MTU 1500 Vlan600-SafeQ

  MTU 1500 Vlan462-Suldalsposten

  no failover

  Monitor-interface Vlan1

  interface of the monitor to the outside

  the interface of the monitor vlan400

  the interface of the monitor Vlan450

  the interface of the Vlan460-SuldalHotell monitor

  the interface of the Vlan461-SuldalHotellGjest monitor

  the interface of the vlan470-Kyrkjekontoret monitor

  Monitor-interface vlan480-Telefoni

  the interface of the Vlan490-QNapBackup monitor

  the interface of the Vlan500-HellandBadlands monitor

  Monitor-interface Vlan510-IsTak

  Monitor-interface Vlan600-SafeQ

  the interface of the monitor Vlan462-Suldalsposten

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 522.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  vlan400_nat0_outbound (vlan400) NAT 0 access list

  NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

  NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

  NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

  NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

  NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

  NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

  NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

  static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

  static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

  static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

  static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

  static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

  static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

  static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

  static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

  static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

  static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

  (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

  static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

  static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

  Access-group interface Vlan1 Vlan1_access_out

  Access-group outside_access_in in interface outside

  Access-group outside_access_out outside interface

  Access-group vlan400_access_in in the vlan400 interface

  vlan400_access_out group access to the interface vlan400

  Access-group Vlan450_access_in in the Vlan450 interface

  Access-group interface Vlan450 Vlan450_access_out

  Access-group interface Vlan460-SuldalHotell Vlan460_access_in

  Access-group interface Vlan460-SuldalHotell Vlan460_access_out

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

  Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

  vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

  access to the interface vlan480-Telefoni, vlan480_access_out group

  Access-group interface Vlan490-QNapBackup Vlan490_access_in

  Access-group interface Vlan490-QNapBackup Vlan490_access_out

  Access-group interface Vlan500-HellandBadlands Vlan500_access_in

  Access-group interface Vlan500-HellandBadlands Vlan500_access_out

  Access-group interface Vlan510-IsTak Vlan510_access_in

  Access-group interface Vlan510-IsTak Vlan510_access_out

  Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

  Access-group Vlan600_access_out interface Vlan600-SafeQ

  Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

  Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

  Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  x x encrypted privilege 15 password username

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.210.0 255.255.255.0 Vlan450

  http 192.168.200.0 255.255.255.0 Vlan1

  http 192.168.1.0 255.255.255.0 vlan400

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 20 match address outside_20_cryptomap_1

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 62.92.159.137

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  ISAKMP crypto enable vlan400

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 62.92.159.137 type ipsec-l2l

  IPSec-attributes tunnel-group 62.92.159.137

  pre-shared-key *.

  Telnet 192.168.200.0 255.255.255.0 Vlan1

  Telnet 192.168.1.0 255.255.255.0 vlan400

  Telnet timeout 5

  SSH 171.68.225.216 255.255.255.255 outside

  SSH timeout 5

  Console timeout 0

  dhcpd update dns both

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

  !

  dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

  dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

  dhcpd option 3 ip 192.168.1.1 interface vlan400

  vlan400 enable dhcpd

  !

  dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

  dhcpd ip interface 192.168.210.1 option 3 Vlan450

  enable Vlan450 dhcpd

  !

  dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

  dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

  dhcpd enable Vlan460-SuldalHotell

  !

  dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

  dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

  dhcpd enable Vlan461-SuldalHotellGjest

  !

  dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

  interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

  dhcpd enable vlan470-Kyrkjekontoret

  !

  dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

  !

  dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

  dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

  !

  dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

  dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

  dhcpd enable Vlan500-HellandBadlands

  !

  dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

  dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

  Vlan510-IsTak enable dhcpd

  !

  dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

  Vlan600-SafeQ enable dhcpd

  !

  dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

  interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

  interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

  Vlan462-Suldalsposten enable dhcpd

  !

  !

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  !

  context of prompt hostname

  Cryptochecksum:x

  : end

  Site 1 config:

  : Saved

  :

  ASA Version 7.2 (4)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  passwd encrypted x

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.77.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE Telenor customer vpdn group

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  switchport access vlan 15

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain default.domain.invalid

  outside_access_in list extended access permit icmp any any disable log echo-reply

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 524.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group outside_access_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  Enable http server

  http 192.168.77.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 79.160.252.226

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.77.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group Telenor request dialout pppoe

  VPDN group Telenor localname x

  VPDN group Telenor ppp authentication chap

  VPDN x x local store password username

  dhcpd outside auto_config

  !

  dhcpd address 192.168.77.100 - 192.168.77.130 inside

  dhcpd dns 192.168.77.1 on the inside interface

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

  dhcpd allow inside

  !

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

  !

  tunnel-group 79.160.252.226 type ipsec-l2l

  IPSec-attributes tunnel-group 79.160.252.226

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:x

  : end

  Hello

  The addition of a new network to the existing VPN L2L should be a fairly simple process.

  Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

  Looking at your configurations above it would appear that you need to the following configurations

  SITE 1

  • We add the new network at the same time the crypto ACL and ACL NAT0

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

  SITE 2

  • We add new ACL crypto network
  • We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration

  outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  Comment by VLAN480-NAT0 NAT0 for VPN access-list

  access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

  These configurations should pretty much do the trick.

  Let me know if it worked

  -Jouni

• Cisco asa 5505 and centos VPN server connection

  Hi all

  Please I want to set up a VPN between Cisco asa 5505 and centos server.

  Here's my senerio

  -------------------------

  ASA 5505

  Public IP 155.155.155.2

  Local NETWORK: 192.168.6.X

  CentOS Server

  ------------------

  Public ip address: 155.155.155.6

  Thank you guys

  Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

  If the remote access, here are the sample configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

• CISCO ASA 5505 no cisco VPN Client

  Hello

  I'm looking for after a firewall Cisco ASA 5505 and want to watch all the owners of it with remote access in but none of us have a support contract with Cisco.

  Is it possible to set up a VPN client not as Microsoft built the client to connect to the ASA?

  Thank you

  Alamb200

  Hello

  Looking for a PPTP on ASA connection?

  The following document provides the following:

  ASA q support PPTP client?

  A. number of the

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#supportfeat

  But we can configure ASA to allow the PPTP connection:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your request is answered. Note the useful messages.

• Cisco Asa 5505 and level 3 with remote access VPN switch

  Today I had a new CISCO LAYER 3 switch... So here's my scenrio

  Cisco Asa 5505

  I have

  Outside of the == 155.155.155.x

  Inside = 192.168.7.1

  Address POOL VPN = 10.10.10.1 - 10.10.10.20

  3 layer switch configuration

  VLAN 2

  ip address of the interface = 192.168.1.1

  VLAN 2

  ip address of the interface = 192.168.2.1

  VLAN 2

  ip address of 192.168.3.1 = interface

  VLAN 2

  ip address of the interface = 192.168.4.1

  VLAN 2

  ip address of the interface = 192.168.5.1

  IP Routing

  So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

  Thanks to you all

  Al ready has responded

  Sent by Cisco Support technique iPad App

• ASA 5505 VPN Ping problems

  Hi all

  First of all, I apologize if this is something that I can google. My knowledge of the administration of the network is all self-taught, so if there is a guide that I missed please point me in the right direction, it is often difficult to Google the terms for troubleshooting when your jargon is not the height.

  The main problem is that when ping devices internal when you are connected to the results are very inconsistent.

  Ping 192.168.15.102 with 32 bytes of data:

  Reply from 192.168.15.102: bytes = 32 time = 112ms TTL = 128

  Request timed out.

  Request timed out.

  Request timed out.

  We have implemented an IPSec VPN connection to a remote Cisco ASA 5505. There is no connection problems, connection seems constant, etc. good packages. At this stage, I can only assume I have configuration problems, but I was watching this while if long and pair with my inexperience configuration of these settings I have no idea where to start. My first impressions are that LAN devices I'm ping do not send their response back or the ASA does not know how to route packets back?

  Here is a dump of the configuration:

  Output of the command: "show config".

  : Saved

  : Written by enable_15 to the 12:40:06.114 CDT MON Sep 9 2013

  !

  ASA Version 8.2 (5)

  !

  hostname VPN_Test

  activate the encrypted password of D37rIydCZ/bnf1uj

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  192.168.15.0 - internal network name

  DDNS update method DDNS_Update

  DDNS both

  maximum interval 0 4 0 0

  !

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  Description VLAN internal guests

  nameif inside

  security-level 100

  DDNS update hostname 0.0.0.0

  DDNS update DDNS_Update

  DHCP client updated dns server time

  192.168.15.1 IP address 255.255.255.0

  !

  interface Vlan2

  Description of VLAN external to the internet

  nameif outside

  security-level 0

  address IP xx.xx.xx.xx 255.255.255.248

  !

  passive FTP mode

  clock timezone CST - 6

  clock to summer time recurring CDT

  DNS server-group DefaultDNS

  Server name 216.221.96.37

  Name-Server 8.8.8.8

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  outside_access_in list extended access permit icmp any one

  outside_access_in list extended access deny interface icmp outside interface inside

  access extensive list ip 192.168.15.192 outside_access_in allow 255.255.255.192 all

  Remote_splitTunnelAcl list standard allowed internal-network access 255.255.255.0

  inside_nat0_outbound list extended access allowed internal-network ip, 255.255.255.0 192.168.15.192 255.255.255.192

  Note to inside_access_in to access list blocking Internet traffic

  access extensive list ip 192.168.15.192 inside_access_in allow 255.255.255.192 all

  Note to inside_access_in to access list blocking Internet traffic

  inside_access_in extended access list allow interface ip inside the interface inside

  inside_access_in list of allowed ip extended access all 192.168.15.192 255.255.255.192

  Note to inside_access_in to access list blocking Internet traffic

  access extensive list ip 192.168.15.192 inside_nat0_outbound_1 allow 255.255.255.192 all

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.15.200 - 192.168.15.250 255.255.255.0 IP local pool VPN_IP_Pool

  inside_access_ipv6_in list of access allowed IPv6 interface ip inside the interface inside

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow any response of echo outdoors

  ICMP allow all outside

  don't allow no asdm history

  ARP timeout 14400

  NAT-control

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

  NAT (inside) 1 192.168.15.192 255.255.255.192

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  inside_access_ipv6_in access to the interface inside group

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  255.255.255.0 inside internal network http

  http yy.yy.yy.yy 255.255.255.255 outside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Sysopt connection timewait

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  management-access inside

  dhcpd outside auto_config

  !

  dhcpd address 192.168.15.200 - 192.168.15.250 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  NTP server 192.168.15.101 source inside

  prefer NTP server 192.168.15.100 source inside

  WebVPN

  internal remote group strategy

  Group remote attributes policy

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list Remote_splitTunnelAcl

  username StockUser encrypted password privilege 0 t6a0Nv8HUfWtUdKz

  username StockUser attributes

  Strategy-Group-VPN remote

  tunnel-group type remote access remotely

  tunnel-group remote General attributes

  address pool VPN_IP_Pool

  Group Policy - by default-remote control

  tunnel-group remote ipsec-attributes

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  inspect the icmp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:f4271785b86e45dd3a17bab8f60cd2f3

  Hi Graham,

  My first question is do you have a site to site VPN and VPN remote access client.

  After checking your configuration, I see you don't have any Site to SIte VPN configuration, so I'm assuming you ara facing issue with the VPN client.

  And if I understand you are able to connect VPN client, but you not able to access internal resources properly.

  I recommend tey and make the following changes.

  First remove the following configuration:

  NAT (inside) 0 inside_nat0_outbound_1 list of outdoor access

  NAT (inside) 1 192.168.15.192 255.255.255.192

  You don't need the 1st one and I do not understand the reason for the second

  Second, one is your pool IP subnet (192.168.15.200 - 192.168.15.250) and I don't know why you added this NAT.

  If possible change your subnet pool all together because we do not recommend to use th ip POOL that is similar to your local network.

  Try the changes described above and let me know in case if you have any problem.

  Thank you

  Jeet Kumar

• Failover on Cisco ASA 5505 with EasyVPN

  Hello

  I've implemented a customer EasyVPN with a Cisco ASA 5505 and I am trying to configure the failover but I get this message:

  "Failover cannot be configured as Cisco Easy VPN remote is activated."

  However, I have seen in the link below, this dynamic rollover is compatible with the easy standard (and not with improved but I don't think I use easyVPN improved).

  http://www.Cisco.com/c/en/us/products/collateral/security/iOS-easy-VPN/e...

  The configuration I did through ASDM is very simple:

  vpnclient server * * *.
  vpnclient-mode client mode
  vpngroup vpnclient * password *.
  vpnclient username * password *.
  vpnclient enable

  My question is how can I implement failover with a client on a Cisco ASA 5505 EasyVPN?

  Thanks in advance

  You cannot configure the failover of a device that acts as a client

• Renew the certificate of identity on Cisco ASA 5505, do I have to renew all user certificates?

  n00b questions.

  I have to renew my SSL certificate of identity soon on my Cisco ASA 5505.  I'll have to renew all my certificates for client on their devices, so they can establish a vpn tunnel?

  Hi dsartoros,

  If you encounter a self signed (generated locally) identity certificate renewed, then you will need to download this certificate on the clients so that they can connect without getting "untrusted server certificate error".

  If you renew a certificate issued by a 3rd party CA (sending of CSR to CA) and certificate, then you will not need to make any changes on the client as they already trust the certification authority that issues the certificate first root.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• ASA 5505 VPN sessions maximum 25?

  Hello friend´s

  The company I work when acquired several ASA 5505, so now we will be able to connect several branches at Headquarters. But, now, I know that the ASA 5505 just scalates to 25 VPN sessions, I think that it won´t be enough to support the operations of an office. I have a lot of questions about this:

  Is - what the number 25 menas supporting up to 25 L2L tunnels? Or it means 25 sessions, regardless of the amount of L2L tunnels?

  Is this the way number 25 supporting up to 25 users in the Branch Office? Or it means that a user can use several sessions?

  I'm the stage of testing in a laboratory where one PC connects to many applications, at - it now someone if there is a command in the SAA to check how many VPN sessions is used?

  Please, do not hesitate to ask as much as necessary information. Any comments or document will be appreciated.

  Kind regards!

  Hi Alex,

  The assistance session 25 ASA 5505 VPN as max for IKEv1 or IPSEC tunnels customers it could be up to 25 L2L tunnels or 25 users using ikev1 (Legacy IPSEC client) and another 25 sessions for Anyconnect or Webvpn in this case are used in function.

  To check how many sessions VPN is currently running, run the command 'Show vpn-sessiondb' and 'display the summary vpn-sessiondb '.

  Find the official documentation for the ASA5505 on the following link:

  http://www.Cisco.com/c/en/us/products/collateral/security/ASA-5500-series-next-generation-firewalls/datasheet-C78-733510.html

  Rate if helps.

  -Randy-