Cisco ASA Anyconnect LAN access problem

I have a very simple network at home with the WAN IP address; the ASA uses DHCP and gateway. A plain network overall, no complications.

X.X.X.X as the WAN

192.168.1.0/24 as a LAN

IP Pool 192.168.6.0/24 (VPN Pool)

I am trying to configure AnyConnect (AC) so that I can connect remotely and reach my resources on the LAN while out. I am able to connect with AC, and when using split tunnel I can browse the web very well, but I have no access to the local network (no ICMP or TCP/UDP).

The routes look good in the AC client:

unsecured network 0.0.0.0/0
secure network 192.168.1.0/24

What am I missing for LAN access? A NAT statement, an access list...?

_____________________________

Output of the command: "show run".

: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain-name asa

names
ip local pool VPN-Pool 192.168.6.2-192.168.6.100 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.6.0_25
subnet 192.168.6.0 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit icmp6 any any inactive
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list LAN standard permit 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 30
vpn-idle-timeout 5
group-policy GroupPolicy_AC_Profile internal
group-policy GroupPolicy_AC_Profile attributes
wins-server none
dns-server value 4.2.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value naisus.local
username XX password XX encrypted privilege 15
username XX attributes
webvpn
smart-tunnel tunnel-policy tunnelall
tunnel-group AC_Profile type remote-access
tunnel-group AC_Profile general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
group-alias AC_Profile enable
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: end

I'm not positive that's causing the problem, but I noticed that you have defined the VPN pool inconsistently: as a /24 (in the ip local pool command, and that name is associated with the tunnel group) and as a /25 (in the network object that is also referenced in the NAT exemption statement for that object). True, your pool assigns addresses from the lower half of the /24, but still...

I try to simplify things by using a single object for something like that which is used in several places. That is using objects the way they are intended, and it avoids any discrepancies.
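
The consistency check described in the reply above, as an added example that is not part of the original thread: a Python script that compares every `ip local pool` range in an ASA configuration with the network object named as the destination of the NAT-exempt (identity twice-NAT) rule. The sample configuration is constructed in standard ASA syntax from the addresses in the question, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in standard ASA syntax, using the addresses from the question.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 192.168.6.2-192.168.6.100 mask 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.6.0_25
 subnet 192.168.6.0 255.255.255.128
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""

IP = r"\d+(?:\.\d+){3}"
POOL_RE = re.compile(rf"^ip local pool (\S+) ({IP})-({IP})(?: mask ({IP}))?", re.M)
NAT_RE = re.compile(
    r"^nat \(\S+,\S+\) (?:after-auto )?(?:\d+ )?source static (\S+) (\S+) "
    r"destination static (\S+) (\S+)", re.M)


def parse_objects(config):
    """Map each 'object network' name to the subnet defined under it."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif not line.startswith(" "):
            current = None  # left the object's sub-command block
    return objects


def exempt_destinations(config, objects):
    """Objects used as the destination of identity (NAT-exempt) twice-NAT rules."""
    nets = []
    for real_src, mapped_src, mapped_dst, real_dst in NAT_RE.findall(config):
        identity = real_src == mapped_src and mapped_dst == real_dst
        if identity and real_dst in objects:
            nets.append((real_dst, objects[real_dst]))
    return nets


def audit(config):
    """Return (severity, pool name, message) for every pool/object discrepancy."""
    objects = parse_objects(config)
    exempt = exempt_destinations(config, objects)
    findings = []
    for name, first, last, mask in POOL_RE.findall(config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A pool is a contiguous range, so checking both ends is sufficient.
        covering = [(n, net) for n, net in exempt if lo in net and hi in net]
        if not covering:
            findings.append((
                "error", name,
                "pool range is not fully inside any NAT-exempt destination object"))
            continue
        if mask:
            pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            for obj_name, net in covering:
                if net != pool_net:
                    findings.append((
                        "warn", name,
                        f"pool is defined in {pool_net} but {obj_name} is {net}"))
    return findings


if __name__ == "__main__":
    for severity, pool, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {pool}: {message}")
```

On the sample it reports the /24 versus /25 mismatch as a warning only, because the assigned range still falls inside the /25; a pool that grew past .127 would be reported as an error.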


Similar Questions

  • Cisco ASA - Anyconnect VPN - DAP to restrict access

    Hello

    I haven't found any proof or description of whether this is possible with the ASA. I'm trying to find a solution where, based on the users' Active Directory groups, they are restricted in their use of the VPN.

    I want all "AllVPNUsers" users to be able to connect and only access one server in-house.

    If a user is in the group "AllDevelopers-VPN" they should be able to access all the servers in a specified subnet

    If a user is in the "AllDevOps" group they should not have any restrictions.

    is it possible with one asa 5512-X?

    Best regards

    Daniel

    Hi Daniel,

    You can use LDAP attribute mapping, where an AD group can be mapped to a group policy which will give access to specific networks.
    Here is a document that you can reference. Please do not hesitate to share if there is no problem.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Cisco ASA AnyConnect SSL VPN - certificates + token?

    Hello

    I'm looking for an answer is it possible such configuration:

    The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

    I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

    Thank you very much for the help!

    Hi Alex,

    I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the ASA, see an example below:

    https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

    Token authentication can be specified as primary/secondary (SDI authentication) on the ASA, an example below:

    http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

    It may be useful

    -Randy-

  • Cisco asa anyconnect vpn client mode issue

    Hi team,

    I get my users anyconnect vpn connection failures very frequently and it that comesup.

    Can you please check see the version attached and explain, if I run with licenses right into place.

    concerning

    SecIT

    Hello

    You've got license for 250 users anyconnect so unless you are having more users than this number, it shouldn't be a problem. Debugs could help reduce the problem in this case.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Issue of Cisco AnyConnect VPN access

    We have configured a Cisco ASA 5505 with AnyConnect access.  It works very well.  However, these users can't ping devices on the private network.  We have configured all devices on the network with an address in the 10.10.10.0/24 space.  The inside interface of the ASA is 10.10.10.1/24 and the VPN pool addresses are 10.10.10.50 - 10.10.10.65/24.

    The users can use SSH and Oracle or MySQL calls but can't ping.   Obviously, I'm overlooking something.

    Thank you.

    Dwane

    Hi Sylvie,

    Most likely, your ASA is missing a no-nat rule between the inside interface and the remote VPN pool address range.

    For quick troubleshooting, please post your config, and do not forget to remove security information from the config.

    What version of your ASA?

    Thank you

    Rizwan James

  • Filter the SSH access to Cisco ASA from the Internet

    Hello

    I have ASA 5520 with 'inside' in local network interface and the interface 'outside' in the face of the internet.

    There are line ssh 192.168.0.0 255.255.0.0 inside for the ASA to LAN access. And deny a rule for incoming traffic on the 'outside' interface.

    I see a lot of refuse the connection from different addresses to 'outside' interface on the ASA in syslog. When I scan external interface with nmap to port tcp/22 internet is marked as closed. Are there opportunities to make filtered?

    Syslog entries are just an indicator that the ASA is doing its job of blocking the script kiddies from penetrating your firewall. I see them all the time on Internet-facing firewalls when the logging level is set high enough and there is an explicit deny on the inbound access list (or the implicit deny any on the outside).

    You can either lower the recording level (4 is recommended), filter this message or pass to a level that is lower than your level on a daily basis, then it disappears as a recurring message that requires no action.

  • Remote access VPN Cisco ASA

    Hello!

    I have version 9.1(3) of Cisco ASA with remote access VPN set up on the outside interface. When a user connects from the Internet to the outside interface, it works well. My goal is to allow connections from all other interfaces (inside, dmz, etc.) to the outside interface. Does Cisco ASA allow this? The packet-tracer output is below:

    MSK-hq-fw1# packet-tracer input inside tcp 10.10.10.1 14214 1.1.1.2 443

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 1.1.1.2 255.255.255.255 identity

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 1.1.1.2 255.255.255.255 identity

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (no-route) No route to host

    Hello

    Well, you can of course turn on VPN on other interfaces, but to be honest, I have never even tried to set up the VPN other than on multiple external interfaces in the multi-ISP case, and in that case only for testing purposes.

    Some things related to the ASA are well known but not well documented.

    The official document that I can remember: this is the following (which only refers to this limitation regarding the ICMP)

    Note

    For  security purposes the security appliance does not support far-end  interface ping, that is pinging the IP address of the outside interface  from the inside network.

    Source (old configuration guide):

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa71/configuration/guide/conf_gd/trouble.html#wp1059645

    -Jouni

  • Cisco Asa 5505

    Currently I have a Cisco ASA 5505 and I have problems because users cannot connect. Cisco cannot assist me because my warranty has expired. Would there be someone I can hire who can help me, please?

    Thanks in advance

    Claro [email protected]

  • After Anyconnect I can't access to asa and LAN

    Dear all,

    My office use ASA 5505 and I use anyconnect from outside (sometimes overseas), I can connect to my network and business by ASA, internet access, but I can't access ASA and LAN (network of my client). WHY?

    Office 192.168.10.0/24

    192.168.11.0/24 VPN

    How can I solve this problem?

    ASA Version 9.2 (3)
    !
    ciscoasa hostname
    activate the encrypted password of XXXXXXXXXX
    volatile xlate deny tcp any4 any4
    volatile xlate deny tcp any4 any6
    volatile xlate deny tcp any6 any4
    volatile xlate deny tcp any6 any6
    volatile xlate deny udp any4 any4 eq field
    volatile xlate deny udp any4 any6 eq field
    volatile xlate deny udp any6 any4 eq field
    volatile xlate deny udp any6 any6 eq field
    passwd encrypted XXXXXXXXXX
    names
    ip local pool VPN-Pool 192.168.11.1-192.168.11.10 mask 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP address 192.168.10.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    address IP AAA. BBB. CCC DDD EEE. FFF. GGG. HHH
    !
    boot system Disk0: / asa923 - k8.bin
    passive FTP mode
    clock timezone 8 HKST
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    Name-Server 8.8.8.8
    Server name 8.8.4.4
    same-security-traffic permit intra-interface
    object network VPN_Pool
    subnet 192.168.11.0 255.255.255.240
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm-731 - 101.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    nat (outside,outside) source dynamic VPN_Pool interface
    nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    !
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    Route outside 0.0.0.0 0.0.0.0 AAA. BBB. CCC DDD. 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    Activate Server http XXXXX
    http 192.168.10.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA SHA-ESP-3DES ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-ESP ESP-3DES-SHA-TRANS TRANS-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    outside_map interface card crypto outside
    Crypto ca trustpoint ASDM_TrustPoint0
    Terminal registration
    name of the object CN = ciscoasa
    Configure CRL
    Crypto ca trustpoint Anyconnect_Self_Signed_Cert
    registration auto
    name of the object CN = ciscoasa
    Configure CRL
    Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
    registration auto
    name of the object CN = 115.160.145.114, CN = ciscoasa
    Configure CRL
    trustpool crypto ca policy
    string encryption ca Anyconnect_Self_Signed_Cert certificates
    certificate 5c7d4156
    quit
    string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
    certificate 5d7d4156
    quit
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev2 access remote trustpoint Anyconnect_Self_Signed_Cert
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH timeout 5
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    No ipv6-vpn-addr-assign aaa
    no local ipv6-vpn-addr-assign

    dhcpd 192.168.10.254 dns 8.8.8.8
    dhcpd rental 43200
    !
    dhcpd address 192.168.10.1 - 192.168.10.100 inside
    dhcpd allow inside
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP AAA server. BBB. CCC. Source DDD outside prefer
    SSL-point of approval ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
    SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
    WebVPN
    allow outside
    AnyConnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
    AnyConnect profiles Anyconnect_client_profile disk0: / Anyconnect_client_profile.xml
    AnyConnect enable
    tunnel-group-list activate
    group-policy DefaultRAGroup_2 internal
    group-policy DefaultRAGroup_2 attributes
    dns-server value AAA. BBB. CCC AAA DDD. BBB. CCC DDD.
    vpn-tunnel-protocol ikev2
    split-tunnel-policy tunnelspecified
    group-policy GroupPolicy_Anyconnect internal
    group-policy GroupPolicy_Anyconnect attributes
    wins-server none
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    split-tunnel-policy tunnelall
    ipv6-split-tunnel-policy excludespecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
    default-domain none
    split-tunnel-all-dns enable
    IPv6 address pools no
    WebVPN
    AnyConnect value Anyconnect_client_profile type user profiles
    username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
    username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
    attributes of username XXXXXXX
    Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
    attributes global-tunnel-group DefaultRAGroup
    address pool VPN-pool
    Group Policy - by default-DefaultRAGroup_2
    IPSec-attributes tunnel-group DefaultRAGroup
    IKEv1 pre-shared key XXXXXXXXX
    tunnel-group DefaultRAGroup ppp-attributes
    ms-chap-v2 authentication
    tunnel-group Anyconnect type remote access
    tunnel-group Anyconnect General attributes
    address pool VPN-pool
    Group Policy - by default-GroupPolicy_Anyconnect
    NAT - to-public-ip assigned inside
    tunnel-group Anyconnect webvpn-attributes
    enable Anyconnect group-alias
    tunnel-group Anyconnect ppp-attributes
    ms-chap-v2 authentication
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    service-policy-international policy global
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:24991680b66624113beb31d230c593bb
    : end

    Hi cwhlaw2009,

    You must configure a split-tunnel policy if you want to be able to access the internal and local network at the same time.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-AnyConnect-config.html

    It may be useful

    -Randy-

  • Problem with the VPN site to site for the two cisco asa 5505

    I'm just starting with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help. I can't ping from site A to site B and vice versa.

    Cisco Config asa1

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 172.xxx.xx.4 255.255.240.0
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.60.2 255.255.255.0
    !
    ftp mode passive
    object network Lan_Outside
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
    object network Lan_Outside
     nat (inside,outside) dynamic interface dns
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.60.0 255.255.255.0 inside
    http 96.xx.xx.222 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 96.88.75.222
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside

    dhcpd address 192.168.60.50-192.168.60.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_96.xx.xx.222 internal
    group-policy GroupPolicy_96.xx.xx.222 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 96.xx.xx.222 type ipsec-l2l
    tunnel-group 96.xx.xx.222 general-attributes
     default-group-policy GroupPolicy_96.xx.xx.222
    tunnel-group 96.xx.xx.222 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Cisco ASA 2 config

    interface Ethernet0/0
     switchport access vlan 1
    !
    interface Ethernet0/1
     switchport access vlan 2
    !
    interface Vlan1
     nameif outside
     security-level 0
     ip address 96.xx.xx.222 255.255.255.248
    !
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.1.254 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network Lan_Outside
     subnet 192.168.1.0 255.255.255.0
    object network NETWORK_OBJ_192.168.60.0_24
     subnet 192.168.60.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_2
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_3
     protocol-object ip
     protocol-object icmp
    object-group protocol DM_INLINE_PROTOCOL_4
     protocol-object ip
     protocol-object icmp
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
    !
    object network Lan_Outside
     nat (any,outside) dynamic interface
    access-group Outside_access_in in interface outside
    access-group Inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.xxx.xx.4 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 172.110.74.4
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd address 192.168.1.50-192.168.1.100 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy_172.xxx.xx.4 internal
    group-policy GroupPolicy_172.xxx.xx.4 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
    username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
    tunnel-group 172.xxx.xx.4 type ipsec-l2l
    tunnel-group 172.xxx.xx.4 general-attributes
     default-group-policy GroupPolicy_172.xxx.xx.4
    tunnel-group 172.xxx.xx.4 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
      inspect http

    For the IKEv2 configuration (example config; you can change the encryption, group, ...):

    -You must add the NAT exemption statement (see previous answer).

    -Set your encryption domain ACL:

    access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN

    -Set Phase 1:

    crypto ikev2 enable outside
    crypto ikev2 policy 10
     encryption 3des
     integrity sha md5
     group 5
     prf sha
     lifetime seconds 86400

    -Set Phase 2:

    crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
     protocol esp encryption aes
     protocol esp integrity sha-1

    -Set the tunnel group:

    tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
    tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco123
     ikev2 local-authentication pre-shared-key cisco123

    -Define the crypto map:

    crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
    crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
    crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
    crypto map CRYPTOMAP interface outside
    crypto isakmp identity address

    In your config you have all of these commands, but in your VPN config you mix ikev1 and ikev2. You have also defined several different ikev2 policies. Just do a bit of cleaning up and agree on one policy for the two sites (encryption, hash, ...).

    Thank you
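
    One way to check the point made in the reply above, as an added example that is not part of the original posts: the script lists which IKEv2 Phase 1 combinations two peers have in common and which IKE versions each crypto map enables. The two configurations are constructed and trimmed (SITE_A from the policy list in the question, SITE_B from the single policy in the reply), and the function names are hypothetical.

```python
import re
from itertools import product

# Constructed samples. SITE_A is trimmed from the ASDM-generated policy list
# posted in the question; SITE_B uses the single policy from the reply.
SITE_A = """\
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 3DES
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
"""
SITE_B = """\
crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
"""

FIELDS = ("encryption", "integrity", "group", "prf")


def ikev2_policies(cfg):
    """Return {priority: {field: [values]}} for every 'crypto ikev2 policy'."""
    policies, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"crypto ikev2 policy (\d+)\s*$", line)
        words = line.split()
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif line.startswith(" ") and current is not None:
            if words and words[0] in FIELDS:
                current[words[0]] = words[1:]
        else:
            current = None  # any other top-level command ends the block
    return policies


def offered(cfg):
    """Every (encryption, integrity, group, prf) combination a site accepts."""
    combos = set()
    for policy in ikev2_policies(cfg).values():
        combos |= set(product(*(policy.get(f, []) for f in FIELDS)))
    return combos


def common_proposals(cfg_a, cfg_b):
    """Phase 1 combinations both peers are configured to accept."""
    return sorted(offered(cfg_a) & offered(cfg_b))


def ike_versions(cfg):
    """IKE versions that crypto map entries are configured to negotiate."""
    return set(re.findall(r"^crypto map \S+ \d+ set (ikev[12]) ", cfg, re.M))


def report(cfg_a, cfg_b):
    """Summarise what the two peers can agree on and where they differ."""
    va, vb = ike_versions(cfg_a), ike_versions(cfg_b)
    return {
        "common_ikev2": common_proposals(cfg_a, cfg_b),
        "versions_a": sorted(va),
        "versions_b": sorted(vb),
        "version_mismatch": sorted(va ^ vb),
    }


if __name__ == "__main__":
    for key, value in report(SITE_A, SITE_B).items():
        print(f"{key}: {value}")
```

    An empty `common_ikev2` list means Phase 1 cannot complete with IKEv2, and a non-empty `version_mismatch` shows where one side still carries the other IKE version.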

  • Cisco ASA, connect an IP address on the OUTSIDE of the VPN remote access

    Hello

    I tried to find resources on the net but could not find a solution, then post it here. Maybe someone can help.

    So the problem is that I'm trying to access a server in the cloud over remote access VPN (Cisco ASA 5510).

    The server in the cloud (54.54.54.54) is only accessible from the outside interface (192.168.11.2) of the NY firewall (Cisco ASA 5510).

    I added an ACE for this to the VPN split-tunnel ACL.

    NY-fw# access-list vpn_remote-customer standard permit host 54.54.54.54

    And I see the route added to my client machine after the VPN connects, but it still cannot connect to this server.

    From the INSIDE network, I can connect to the server.

    Thanks in advance.

    Hello

    This is most likely a problem with hairpin/U-turn NAT.

    We would need to see the configurations, or you would need to check yourself.

    I don't know what your ASA software version is, and that determines the format of the NAT configuration.

    So far, you have confirmed that the ASA VPN configuration provides the VPN Client with the route to the remote server. So the traffic should be tunneled to the ASA.

    Then, you will need to check the output of this command

    show run same-security-traffic

    You should see the command below in the output

    same-security-traffic permit intra-interface

    If you do not, you will need to add it. The effect of this command is to allow traffic to enter an interface and exit through the same interface. In your case this applies to the VPN Client's Internet traffic to the remote server, as it enters through 'outside' and leaves through 'outside'.

    Then, you should ensure that dynamic PAT is configured for the VPN Clients.

    Software 8.2 (and below)

    You most likely have a dynamic PAT configuration like this on the firewall, if you are running the above software levels

    global (outside) 1 interface

    nat (inside) 1 0.0.0.0 0.0.0.0

    In this situation, if we wanted to add dynamic PAT for a VPN pool, we would add

    nat (outside) 1

    This would allow VPN users to use the same public IP address as LAN users when accessing the remote server

    Software 8.3 (and above)

    Because the NAT configuration format is completely different in the newer software, you could probably just add a completely new NAT configuration without adding a

    object network VPN-PAT

    subnet

    nat (outside,outside) dynamic interface

    Of course, it's possible that there is some NAT configuration already on the device which could cause problems for this configuration. If this does not work, then we would have to look at the actual configurations on the ASA.

    Hope this helps

    Let me know how it goes

    -Jouni

  • AnyConnect VPN and LAN access

    When remote users connect to the Cisco ASA VPN and authenticate with the Cisco AnyConnect client, they then have full access to the internal corporate LAN environment as if they were sitting at their desks in the corporate office.

    Right?

    After the remote client authenticates to the AnyConnect VPN, does it make sense to then route the remote users' traffic through the corporate firewall (outside to inside) before allowing full corporate LAN access?

    Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are resources that VPN users shouldn't be able to reach, you need to set up access rules for that. The best way to do this is by using a VPN filter.

  • Cisco ASA vpn site to site with access internet, error

    Hello

    I have two offices, central and remote, with external IP addresses. They are connected by a site-to-site VPN. When NAT is disabled the LAN works fine, but then there is no Internet access; when I enable NAT the Internet works well, but then there is no access to the local network.
    Where would the problem be?

    Here's the config:

    ASA Version 8.4(4)1
    !
    hostname SalSK-ASA
    domain-name ld.lt
    enable password xxx encrypted
    passwd xxx encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 81.X.X.X 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.204.254 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    clock timezone EET 2
    dns server-group DefaultDNS
     domain-name lietuvosdujos.lt
    object network LAN
     subnet 192.168.204.0 255.255.255.0
     description Local Area Network
    object network LD_Lanai
     subnet 192.168.0.0 255.255.0.0
     description LD lanai
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
    access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
    access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
    access-list outside_cryptomap_1 extended permit ip object LAN any
    access-list outside extended permit ip any any
    pager lines 24
    logging enable
    logging list VPN_events level informational class auth
    logging list VPN_events level informational class vpdn
    logging list VPN_events level informational class vpn
    logging list VPN_events level informational class vpnc
    logging list VPN_events_ID message 713120
    logging list VPN_events_ID message 713167
    logging list VPN_events_ID message 602303
    logging list VPN_events_ID message 713228
    logging list VPN_events_ID message 113012
    logging list VPN_events_ID message 113015
    logging list VPN_events_ID message 713184
    logging list VPN_events_ID message 713119
    logging list VPN_events_ID message 602304
    logging monitor debugging
    logging buffered debugging
    logging trap VPN_events_ID
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic LAN interface inactive
    access-group outside in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ISE protocol radius
    aaa-server ISE (inside) host 192.168.200.48
     key *****
    user-identity default-domain LOCAL
    aaa authentication enable console ISE LOCAL
    aaa authentication http console ISE LOCAL
    aaa authentication serial console ISE LOCAL
    aaa authentication ssh console ISE LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer 213.X.X.X
    crypto map outside_map 1 set ikev1 transform-set tripledes
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.168.201.200 source inside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    group-policy SalGP internal
    group-policy SalGP attributes
     vpn-filter value vpn
     vpn-tunnel-protocol ikev1 l2tp-ipsec
    username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
    tunnel-group 213.X.X.X type ipsec-l2l
    tunnel-group 213.X.X.X general-attributes
     default-group-policy SalGP
    tunnel-group 213.X.X.X ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp
     class class-default
      user-statistics accounting
    !
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
    : end

    There are two things here, depending on your needs.

    First, you are encrypting all the traffic on the 192.168.204.0/24 network... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using any in the crypto ACL.

    object network LAN
     subnet 192.168.204.0 255.255.255.0
    access-list outside_cryptomap_1 extended permit ip object LAN any

    Second, you do not have a NAT exemption statement, so that encrypted traffic is not translated. This statement would look like the following:

    object network LAN
     subnet 192.168.204.0 255.255.255.0

    object network REMOTE-LAN
     subnet 192.168.100.0 255.255.255.0

    nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

    --

    Please do not forget to select a correct answer and rate.
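The two checks from the answer above (a crypto ACL that uses `any`, and a crypto ACL pair with no identity NAT covering it), as an added Python example that is not part of the original thread. The sample configurations are constructed from the object names and subnets quoted in the answer; the finding labels and function names are hypothetical, and the check ignores interface names and ACEs that do not use `object` or `any`.

```python
import ipaddress
import re

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (object \S+|any) (object \S+|any)\s*$", re.M)
NAT_RE = re.compile(r"^nat \(\S+?,\S+?\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)

def parse_objects(cfg):
    """Map each 'object network NAME' that has a 'subnet' line to an ip_network."""
    objs, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("subnet ") and current:
            _, addr, mask = line.split()
            objs[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif not raw.startswith(" "):
            current = None  # left the object stanza
    return objs

def audit(cfg):
    """Return (acl, finding) for every crypto-map ACE that is too broad or lacks NAT exemption."""
    objs = parse_objects(cfg)
    crypto_acls = set(MAP_RE.findall(cfg))
    # Identity (exempt) NAT: source and destination each translate to themselves.
    exempt = [(objs[a], objs[b]) for a, a2, b, b2 in NAT_RE.findall(cfg)
              if a == a2 and b == b2 and a in objs and b in objs]
    findings = []
    for acl, src, dst in ACE_RE.findall(cfg):
        if acl not in crypto_acls:
            continue
        if "any" in (src, dst):
            findings.append((acl, "any-in-crypto-acl"))
            continue
        s, d = objs.get(src.split()[1]), objs.get(dst.split()[1])
        if s is None or d is None:
            findings.append((acl, "undefined-object"))
        elif not any(s.subnet_of(a) and d.subnet_of(b) for a, b in exempt):
            findings.append((acl, "no-nat-exempt"))
    return findings

# Constructed sample configurations (names and subnets taken from the answer).
BASE = """object network LAN
 subnet 192.168.204.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.100.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
"""
AS_POSTED = BASE + "access-list outside_cryptomap_1 extended permit ip object LAN any\n"
NARROWED = BASE + "access-list outside_cryptomap_1 extended permit ip object LAN object REMOTE-LAN\n"
FIXED = NARROWED + "nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN\n"

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("narrowed ACL", NARROWED), ("with exemption", FIXED)):
        print(name, audit(cfg))
```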

  • Cisco ASA 5515 - Anyconnect users can connect to ASA, but cannot ping inside the local IP address

    Hello!

    I have a 5515 ASA with the configuration below. I have configured the ASA as a remote access AnyConnect VPN server; now my problem is that I can connect but I cannot ping.

    ASA Version 9.1(1)
    !
    hostname ASA
    domain-name xxx.xx
    names
    ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 192.168.11.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Interface_to_VPN
     nameif outside
     security-level 0
     ip address 111.222.333.444 255.255.255.240
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.5.1 255.255.255.0
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name www.ww
    same-security-traffic permit intra-interface
    object network LAN
     subnet 192.168.11.0 255.255.255.0
     description LAN
    object network SSLVPN_POOL
     subnet 192.168.12.0 255.255.255.0
    access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
    route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
     webvpn
      url-list none
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint ASDM_TrustPoint5
     enrollment terminal
     email [email protected]
     subject-name CN=ASA
     ip-address 111.222.333.444
     crl configure
    crypto ca trustpoint ASDM_TrustPoint6
     enrollment terminal
     fqdn vpn.domain.com
     email [email protected]
     subject-name CN=vpn.domain.com
     ip-address 111.222.333.444
     keypair sslvpn
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint6
    telnet timeout 5
    ssh 192.168.11.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.5.2-192.168.5.254 management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint6 outside
    webvpn
     enable outside
     csd image disk0:/csd_3.5.2008-k9.pkg
     anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
    group-policy VPN_CLIENT_POLICY internal
    group-policy VPN_CLIENT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 5
     vpn-session-timeout 480
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value myComp.local
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 30
      anyconnect dpd-interval gateway 30
      anyconnect dtls compression lzs
      anyconnect modules value vpngina
      customization value DfltCustomization
    group-policy IT_POLICY internal
    group-policy IT_POLICY attributes
     wins-server none
     dns-server value 192.168.11.198
     vpn-simultaneous-logins 3
     vpn-session-timeout 120
     vpn-tunnel-protocol ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN_CLIENT_ACL
     default-domain value societe.com
     address-pools value VPN_CLIENT_POOL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 20
      anyconnect dtls compression lzs
      customization value DfltCustomization
    username vpnuser password PA$$WORD encrypted
    username vpnuser attributes
     vpn-group-policy VPN_CLIENT_POLICY
     service-type remote-access
    username vpnuser2 password PA$$W encrypted
    username vpnuser2 attributes
     service-type remote-access
    username admin password ADMINPA$$ encrypted privilege 15
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy VPN_CLIENT_POLICY
    tunnel-group VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN_to_R enable
    tunnel-group IT_PROFILE type remote-access
    tunnel-group IT_PROFILE general-attributes
     address-pool VPN_CLIENT_POOL
     default-group-policy IT_POLICY
    tunnel-group IT_PROFILE webvpn-attributes
     authentication aaa certificate
     group-alias IT enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Help me please! Thank you!

    Hello

    Please set ACLs to allow ICMP between these two subnets (192.168.11.0 and 192.168.12.0) and check. It should ping. Let me know if it does not work.

    Thank you

    swap

  • A possible bug related to the Cisco ASA "show access-list"?

    We had a strange problem with our ASA configuration.

    In "show running-config":

    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log

    In "show access-list":

    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b

    There is a remark in the running configuration (line 26):

    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

    This remark is missing in "show access-list". In the access list, for all lines after this remark, the line number is no longer correct. This poses problems when trying to use the line number to insert a new rule.

    Has anyone seen this problem before? Is this a known issue? I am happy to provide more information if necessary.

    Thanks in advance.

    See the version:

    Cisco Adaptive Security Appliance Software Version 4,0000 1

    Version 7.1 Device Manager (3)

    Updated Friday, June 14, 12 and 11:20 by manufacturers

    System image file is "disk0:/asa844-1-k8.bin"

    Config file at boot was "startup-config"

    fmciscoasa up to 1 hour 56 minutes

    Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

    Internal ATA Compact Flash, 128 MB

    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

    Start firmware: CN1000-MC-BOOT - 2.00

    SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

    Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

    Number of Accelerators: 1

    Could be linked to the following bug:

    CSCtq12090: ACL remark line is missing when range object is configured in ACL

    It is fixed in 8.4(6), so upgrade to a newer version and observe again.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni
