Citrix mentaframe Enable in ASDM
Dear,
I have a problem on the SSL VPN + Citrix scenarios at the moment.
Currently, I found some resolutions to use "Select Citrix mentaframe" in ASDM. Unfortunately I can not find in ASDM, so is there any equivalent to command CLI "Citrix mentaframe activate?
Thank you
-Ajejin
HTTP-proxy download automatic citrix
Tags: Cisco Security
Similar Questions
-
If I fight with this all day. I tried 3 different machines, including a server.
Essentially, when I try to access my ASA 5510 with the software load ASDM software ever. So I tried to access it via the https://192.168.1.2 management port and installed the software. The software starts up, I get the password and it connects and loads to 100% but does not extend beyond this point. I try then the java applet, and it so up to 100% of load and said "Please wait, the main is to come."
I have http server enabled, and asdm image is oriented correctly
As I said, I tried this on two computers Windows XP and a computer that is running Server 2008.
I can connect through CLI all day and all night, but I would have preferred (read feel much safer) by configuring it via ASDM.
Here is some information of the system version
Cisco Adaptive Security Appliance Software Version 7.0 (8)
Version 5.0 device management (8)
Updated Sunday, 31 May 08 23:48 by manufacturers
System image file is "disk0: / asa708 - k8.bin.
I suggest that you look at and see if you meet the requirements of system, especially for Java. If you do, I would suggest load a different version of Ministers DEPUTIES on the SAA, which always seems to solve the problem you are experiencing.
http://www.Cisco.com/en/us/docs/security/ASA/asa70/asdm50/release/notes/RN508.html
-
S2S VPN Asa 5510 to 5505 no traffic passing (hair Pulling)
I have one site to another configured between a 5505 and ASA 5510, the tunnel is in place but can not pass any traffic one way or another. A 5510, 8.4.3 while the 5505 was 8.2. I find the version 8.2 the less confusing when configure the VPN. The new NAT throws me for a loop on the 5510. I have 1 tunnel upward and will already and it works fine. But when I do a new online, it won't pass any traffic.
The traffic I'm EFS is 5510 (192.168.180.0/24, 172.25.11.0/24)<-------> 5505 (192.168.197.0/24) many thanks in advance!
Here's the configs for the two.
main site of 5510
ASA Version 8.4(3) ! hostname ASA5510 domain-name fphc.us enable password dmbm8Lq9pBST.0kk encrypted passwd dmbm8Lq9pBST.0kk encrypted names ! interface Ethernet0/0 nameif Outside security-level 0 ip address x.x.x.130 255.255.255.240 ! interface Ethernet0/1 nameif Inside security-level 100 ip address 192.168.180.253 255.255.254.0 ! interface Ethernet0/2 speed 100 duplex full shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 no ip address management-only ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns domain-lookup Inside dns server-group DefaultDNS name-server 192.168.180.231 name-server 192.168.180.232 name-server 192.168.180.233 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj-192.168.180.0 subnet 192.168.180.0 255.255.254.0 object network obj-192.168.188.0 subnet 192.168.188.0 255.255.255.0 object network obj-216.86.7.128 subnet x.x.x.128 255.255.255.240 object network Mobile_Unit subnet 192.168.193.0 255.255.255.0 object network obj-172.27.0.0 subnet 172.27.0.0 255.255.255.0 object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj-172.25.11.0 subnet 172.25.11.0 255.255.255.0 object network obj-172.35.0.0 subnet 172.35.0.0 255.255.254.0 object network SpamBox_1 host 192.168.180.244 object network SpamBox_2 host 192.168.180.248 object network Exchange host 192.168.180.235 object network PMG subnet 192.168.178.0 255.255.255.0 object network Outside_Gateway host x.x.x.129 object network AHCCN subnet 172.35.0.0 255.255.254.0 object network MM subnet 10.90.254.0 255.255.255.0 object network NETWORK_OBJ_172.27.0.0_25 subnet 172.27.0.0 255.255.255.128 object network NETWORK_OBJ_172.27.0.0_26 subnet 172.27.0.0 255.255.255.192 object network obj-172.35.1.199 host 172.35.1.199 object network obj-192.168.51.5 host 192.168.51.5 object service 6004 service udp destination eq 6004 object network AT_Remote subnet 192.168.197.0 255.255.255.0 object-group service DM_INLINE_SERVICE_2 service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp-udp destination eq www object-group network DM_INLINE_NETWORK_1 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_2 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_3 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_16 network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object source-quench object-group network DM_INLINE_NETWORK_5 network-object object AHCCN network-object object MM network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_6 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_4 service-object icmp service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_5 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_6 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object tcp destination eq ssh service-object icmp echo service-object icmp echo-reply service-object udp destination eq ntp service-object udp destination eq time object-group service DM_INLINE_SERVICE_0 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp service-object tcp-udp destination eq domain service-object object 6004 object-group network DM_INLINE_NETWORK_7 network-object object MM network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_8 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group service DM_INLINE_SERVICE_7 service-object tcp-udp destination eq domain service-object object 6004 service-object icmp echo service-object icmp echo-reply service-object tcp destination eq www service-object tcp destination eq https service-object tcp destination eq smtp object-group network DM_INLINE_NETWORK_10 network-object 172.25.11.0 255.255.255.0 network-object 172.35.0.0 255.255.254.0 object-group network DM_INLINE_NETWORK_9 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 object-group network DM_INLINE_NETWORK_11 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_1 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group network DM_INLINE_NETWORK_13 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_14 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_12 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_3 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service DM_INLINE_SERVICE_8 service-object tcp-udp destination eq domain service-object tcp destination eq smtp service-object udp destination eq ntp object-group service Exchange-6001 udp port-object range 6001 6004 object-group network DM_INLINE_NETWORK_15 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group service DM_INLINE_SERVICE_10 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_9 service-object ip service-object icmp echo service-object icmp echo-reply service-object tcp-udp destination eq domain service-object tcp destination eq citrix-ica service-object tcp destination eq www service-object tcp destination eq https object-group network DM_INLINE_NETWORK_18 network-object object AHCCN network-object object obj-172.25.11.0 object-group network DM_INLINE_NETWORK_19 network-object object obj-172.25.11.0 network-object object obj-172.35.0.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_20 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 object-group network DM_INLINE_NETWORK_17 network-object object AHCCN network-object object obj-172.25.11.0 network-object object obj-192.168.180.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_10 object PMG access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.188.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_7 object obj-172.27.0.0 access-list Outside_1_cryptomap extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_14 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object AT_Remote object-group DM_INLINE_NETWORK_15 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any access-list Outside_access_in extended permit ip object Mobile_Unit object-group DM_INLINE_NETWORK_12 log debugging access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object PMG object-group DM_INLINE_NETWORK_8 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object Exchange access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object SpamBox_1 access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object SpamBox_2 access-list Outside_access_in extended permit ip 192.168.188.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 access-list Outside_access_in extended deny ip 127.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 10.0.0.0 255.255.255.0 any log access-list Outside_access_in extended deny ip 169.254.0.0 255.255.0.0 any log access-list Outside_access_in extended deny ip 224.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 239.0.0.0 255.0.0.0 any log access-list Outside_access_in extended deny ip 173.0.0.0 255.0.0.0 any log debugging access-list Outside_access_in extended deny ip 224.0.0.0 255.255.255.31 any access-list Outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any access-list Outside_access_in extended deny ip any any access-list global_mpc extended permit ip any any access-list global_access extended permit udp object obj-172.35.1.199 any eq snmp log disable access-list global_access extended permit ip object obj-172.27.0.0 any access-list splitTunnelAcl standard permit 192.168.180.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.35.0.0 255.255.254.0 access-list splitTunnelAcl standard permit 172.25.11.0 255.255.255.0 access-list splitTunnelAcl standard permit 10.90.254.0 255.255.255.0 access-list Outside_cryptomap_1 extended permit ip object PMG object-group DM_INLINE_NETWORK_13 access-list Inside_access_in extended permit ip object obj_any any access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Exchange any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object SpamBox_1 any log access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object SpamBox_2 any log access-list Inside_access_in extended deny ip any any access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_17 object AT_Remote access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_18 object PMG log access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_3 object Mobile_Unit pager lines 24 logging enable logging timestamp logging emblem logging rate-limit unlimited level 1 logging rate-limit unlimited level 6 logging rate-limit unlimited level 7 mtu Outside 1500 mtu Inside 1500 mtu management 1500 ip local pool Client_Pool 172.27.0.50-172.27.0.100 mask 255.255.255.0 ip local pool RA_POOL 172.27.0.1-172.27.0.49 mask 255.255.255.0 ip verify reverse-path interface Outside ip verify reverse-path interface Inside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside icmp permit any Inside asdm history enable arp timeout 14400 nat (Inside,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static PMG PMG no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static NETWORK_OBJ_172.27.0.0_25 NETWORK_OBJ_172.27.0.0_25 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static NETWORK_OBJ_172.27.0.0_26 NETWORK_OBJ_172.27.0.0_26 no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static obj-192.168.188.0 obj-192.168.188.0 no-proxy-arp nat (Inside,Outside) source static DM_INLINE_NETWORK_19 DM_INLINE_NETWORK_19 destination static Mobile_Unit Mobile_Unit no-proxy-arp route-lookup nat (Inside,Outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static AT_Remote AT_Remote no-proxy-arp route-lookup ! object network obj_any nat (Inside,Outside) dynamic interface object network SpamBox_1 nat (Inside,Outside) static x.x.x.132 object network SpamBox_2 nat (Inside,Outside) static x.x.x.133 object network Exchange nat (Inside,Outside) static x.x.x.131 dns access-group Outside_access_in in interface Outside access-group Inside_access_in in interface Inside access-group global_access global route Outside 0.0.0.0 0.0.0.0 x.x.x..129 1 route Inside 10.90.254.0 255.255.255.0 192.168.180.1 1 route Inside 172.16.200.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.10.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.11.0 255.255.255.0 192.168.180.200 1 route Inside 172.25.12.0 255.255.255.0 192.168.180.200 1 route Inside 172.27.0.0 255.255.255.0 192.168.180.200 1 route Inside 172.29.0.0 255.255.0.0 192.168.180.200 1 route Inside 172.35.0.0 255.255.254.0 192.168.180.200 1 route Inside 192.168.182.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.183.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.184.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.185.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.186.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.187.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.189.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.190.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.191.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.192.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.194.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.195.0 255.255.255.0 192.168.180.200 1 route Inside 192.168.196.0 255.255.255.0 192.168.180.200 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server DC's protocol radius max-failed-attempts 5 aaa-server DC's (Inside) host 192.168.180.231 timeout 5 key ***** user-identity default-domain LOCAL http server enable http 192.168.180.0 255.255.255.0 Inside http 0.0.0.0 0.0.0.0 Inside http 172.27.0.0 255.255.255.0 Outside http 172.27.0.0 255.255.255.0 Inside snmp-server group Authentication&Encryption v3 priv snmp-server user trap Authentication&Encryption v3 encrypted auth md5 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78 priv 3des 87:1d:3a:bd:50:49:7d:dc:45:89:a0:dc:c9:66:ed:78:08:c6:ef:b2:7e:89:45:f2:6f:78:b5:01:33:47:68:c9 snmp-server host Inside 172.35.1.199 community ***** version 2c snmp-server host Inside 192.168.180.7 community ***** version 2c snmp-server location MLK snmp-server contact xxxxxxxx snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps entity config-change fru-insert fru-remove snmp-server enable traps remote-access session-threshold-exceeded snmp-server enable traps cpu threshold rising snmp-server enable traps ikev2 start no sysopt connection reclassify-vpn sysopt connection preserve-vpn-flows crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association lifetime seconds 43200 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 1 match address Outside_1_cryptomap crypto map Outside_map 1 set peer 173.10.204.46 crypto map Outside_map 1 set ikev1 phase1-mode aggressive crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 1 set ikev2 pre-shared-key ***** crypto map Outside_map 1 set security-association lifetime seconds 460800 crypto map Outside_map 4 match address Outside_cryptomap_1 crypto map Outside_map 4 set peer 207.190.237.254 crypto map Outside_map 4 set ikev1 phase1-mode aggressive group5 crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA crypto map Outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map Outside_map 4 set security-association lifetime seconds 460800 crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map 1 match address Outside_cryptomap_2 crypto map outside_map 1 set peer x.x.x.201 crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 match address Outside_cryptomap crypto map outside_map 2 set peer x.x.x.254 crypto map outside_map 2 set ikev1 phase1-mode aggressive group5 crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map outside_map 3 match address Outside_cryptomap_4 crypto map outside_map 3 set peer x.x.216.130 crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface Outside crypto ca trustpoint LOCAL-CA-SERVER keypair LOCAL-CA-SERVER crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=FPHC-ASA serial-number keypair LOCAL-CA-SERVER crl configure crypto ca server shutdown crypto ca certificate chain LOCAL-CA-SERVER certificate ca 01 308201ff 30820168 a0030201 02020101 300d0609 2a864886 f70d0101 05050030 13311130 0f060355 04031308 46504843 2d415341 301e170d 31323039 32303232 34393034 5a170d31 35303932 30323234 3930345a 30133111 300f0603 55040313 08465048 432d4153 4130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100e841 eeca425c 20c47a19 3b335924 30281111 cff571d7 0bb63dd8 5f3194f5 59d99cb1 60269694 aa13c591 505e0575 2de5ebb1 92d7c931 807f807b 6e84ee54 1da4ccaf 1f109f53 94c6e567 a8064e27 e27f3ea0 94f7bf32 2fe6064c c2bbcd0d 7b0f8806 8614fcf9 80c6e4e1 83da75c5 080c7117 09e1d574 f17de8ac 1da4f2f9 f6e10203 010001a3 63306130 0f060355 1d130101 ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603 551d2304 18301680 144cb3da 6b6a5a14 c4b78674 49609b6b 8e58ea5f a3301d06 03551d0e 04160414 4cb3da6b 6a5a14c4 b7867449 609b6b8e 58ea5fa3 300d0609 2a864886 f70d0101 05050003 818100e0 7c9e15c3 13068614 788ff4d3 f282a4f4 fde72b00 3b05748f 0a4f68ec 6a7eb5fb 40c6d505 b1c35372 87102173 bb017e4b 2697c8f5 b66395f2 1418c77c 3e959343 84674b96 33558a08 629336c8 39c742bf 6b727b00 388a7102 8619cb5a e4227aaf b58e267c 9e8b23d6 94cdc789 eb29cd96 1e579770 a2aa58ab 40694bb9 12888d quit crypto ca certificate chain ASDM_TrustPoint0 certificate bd555b50 308201f7 30820160 a0030201 020204bd 555b5030 0d06092a 864886f7 0d010105 05003040 3111300f 06035504 03130846 5048432d 41534131 2b301206 03550405 130b4a4d 58313632 33583130 51301506 092a8648 86f70d01 09021608 46504843 2d415341 301e170d 31323039 32303232 35383434 5a170d32 32303931 38323235 3834345a 30403111 300f0603 55040313 08465048 432d4153 41312b30 12060355 0405130b 4a4d5831 36323358 31305130 1506092a 864886f7 0d010902 16084650 48432d41 53413081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100e8 41eeca42 5c20c47a 193b3359 24302811 11cff571 d70bb63d d85f3194 f559d99c b1602696 94aa13c5 91505e05 752de5eb b192d7c9 31807f80 7b6e84ee 541da4cc af1f109f 5394c6e5 67a8064e 27e27f3e a094f7bf 322fe606 4cc2bbcd 0d7b0f88 068614fc f980c6e4 e183da75 c5080c71 1709e1d5 74f17de8 ac1da4f2 f9f6e102 03010001 300d0609 2a864886 f70d0101 05050003 8181008b c7a3e119 f1c6f60c 56ab7fd4 5096cfdf abb44331 fe3a0249 7f5fe79b 38a044c2 9a8b907d 12feba5d 6298a414 c4973369 040585b8 26b8b29e dfe7e226 0b10d08e 03658648 2fb0233e 27204339 c5a1c270 a0fec5b4 834340ac 9afefe75 4f802cb6 fb21b89c 9016e32c 2e772c00 191d23e0 036c4321 93a43b48 a6b682af 5dd5c0 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable Outside crypto ikev1 enable Outside crypto ikev1 enable management crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet 192.168.180.0 255.255.255.0 Inside telnet 172.27.0.0 255.255.255.0 Inside telnet timeout 10 ssh 192.168.180.0 255.255.255.0 Inside ssh 172.27.0.0 255.255.255.0 Inside ssh timeout 20 console timeout 0 management-access Inside vpn load-balancing interface lbpublic Outside interface lbprivate Inside threat-detection basic-threat threat-detection scanning-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp authenticate ntp server 50.77.217.185 source Outside prefer ntp server 216.171.120.36 source Outside webvpn group-policy "S2S-RA-Group Policy" internal group-policy "S2S-RA-Group Policy" attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client group-policy DfltGrpPolicy attributes vpn-filter value Inside_nat0_outbound vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless group-policy GroupPolicy_x.x.x.46 internal group-policy GroupPolicy_x.x.x.46 attributes vpn-filter value Outside_1_cryptomap vpn-tunnel-protocol ikev1 ikev2 group-policy GroupPolicy_x.x.x.254 internal group-policy GroupPolicy_x.x.x.254 attributes vpn-filter value Outside_cryptomap_1 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec group-policy GroupPolicy_x.x.x.201 internal group-policy GroupPolicy_x.x.x.201 attributes vpn-filter value Outside_cryptomap_2 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_x.x.216.130 internal group-policy GroupPolicy_x.x.216.130 attributes vpn-tunnel-protocol ikev1 group-policy VPN-GROUP2 internal group-policy VPN-GROUP2 attributes dns-server value 192.168.180.231 192.168.180.232 vpn-tunnel-protocol ikev1 split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us group-policy VPN-GROUP internal group-policy VPN-GROUP attributes dns-server value 192.168.180.231 192.168.180.232 vpn-filter value splitTunnelAcl vpn-tunnel-protocol ikev1 l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value splitTunnelAcl default-domain value fphc.us username mark password YTp0IwzeNwb5kS8J encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes default-group-policy VPN-GROUP tunnel-group x.x.x.46 type ipsec-l2l tunnel-group x.x.x.46 general-attributes default-group-policy GroupPolicy_x.x.x.46 tunnel-group x.x.x.46 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group x.x.x.201 type ipsec-l2l tunnel-group x.x.x.201 general-attributes default-group-policy GroupPolicy_x.x.x.201 tunnel-group x.x.x.201 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group VPN-GROUP type remote-access tunnel-group VPN-GROUP general-attributes address-pool Client_Pool authentication-server-group DC's default-group-policy VPN-GROUP tunnel-group VPN-GROUP ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.254 type ipsec-l2l tunnel-group x.x.x.254 general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group x.x.x.254 ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group VPN-GROUP2 type remote-access tunnel-group VPN-GROUP2 general-attributes address-pool RA_POOL authentication-server-group DC's default-group-policy VPN-GROUP2 tunnel-group VPN-GROUP2 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_x.x.x.130 tunnel-group x.x.x.130 ipsec-attributes ikev1 pre-shared-key ***** tunnel-group PMG type ipsec-l2l tunnel-group PMG general-attributes default-group-policy GroupPolicy_x.x.x.254 tunnel-group PMG ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map global-class match access-list global_mpc class-map inspection_default match default-inspection-traffic class-map http_https description http_https match access-list Outside_access_in ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options class global-class user-statistics accounting policy-map http_https class http_https set connection timeout idle 1:15:00 reset user-statistics accounting ! service-policy global_policy global service-policy http_https interface Outside smtp-server 192.168.180.235 prompt hostname context no call-home reporting anonymous Cryptochecksum:fcb4c2d9a982c11054c31ee4db778012 : end
5505 remote site
ASA Version 8.2(5) ! hostname AT-Remote domain-name fphc.us enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 172.35.0.0 AHCCN name 172.25.11.0 AHCCN-1 name 192.168.180.0 FPHC ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport trunk allowed vlan 1,30 switchport trunk native vlan 1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.197.250 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address x.x.x.201 255.255.255.252 ! ! boot system disk0:/asa825-k8.bin ftp mode passive dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 68.87.68.162 name-server 68.87.74.162 domain-name fphc.us dns server-group DNS_Internal name-server 192.168.180.231 name-server 192.168.180.232 domain-name fphc.us same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network obj_any object-group network 172.25.11.0 object-group network 172.35.0.0 object-group network 192.168.180.0 object-group network ASA-FW object-group network Comcast_Outside object-group network AT_Local object-group network NETWORK_OBJ_192.168.197.0_24 object-group icmp-type DM_INLINE_ICMP_1 icmp-object echo icmp-object echo-reply object-group service DM_INLINE_SERVICE_3 service-object ip service-object icmp echo service-object icmp echo-reply object-group service DM_INLINE_SERVICE_2 service-object ip service-object icmp object-group network obj_remote object-group network Franklin_Remote network-object AHCCN-1 255.255.255.0 network-object AHCCN 255.255.254.0 network-object FPHC 255.255.254.0 access-list outside_access_in extended permit ip object-group Franklin_Remote 192.168.197.0 255.255.255.0 access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log debugging access-list inside_access_in extended permit ip any any log access-list inside_access_in extended permit icmp any any echo log access-list outside_1_cryptomap extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat0_outbound extended permit ip 192.168.197.0 255.255.255.0 object-group Franklin_Remote access-list inside_nat_outbound extended permit ip any interface outside pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside asdm image disk0:/asdm-645.bin no asdm history enable arp timeout 14400 global (outside) 101 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 101 access-list inside_nat_outbound access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 x.x.x.202 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 0.0.0.0 0.0.0.0 inside http 192.168.197.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt connection preserve-vpn-flows sysopt noproxyarp inside sysopt noproxyarp dmz crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 43200 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 216.86.7.130 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto ca trustpoint _SmartCallHome_ServerCA crl configure crypto ca certificate chain _SmartCallHome_ServerCA certificate ca 6ecc7aa5a7032009b8cebcf4e952d491 308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b 30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420 68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329 3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365 63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597 a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10 9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc 7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b 15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845 63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced 4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f 81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201 db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101 ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8 45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a 1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406 03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973 69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969 6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973 69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30 1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603 551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609 2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a 6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc 481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16 b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0 5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8 6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 6c2527b9 deb78458 c61f381e a4c4cb66 quit crypto isakmp enable outside crypto isakmp policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto isakmp policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 90 authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto isakmp policy 100 authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 140 authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto isakmp policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 telnet 0.0.0.0 0.0.0.0 inside telnet x.x.x.130 255.255.255.255 outside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address 192.168.197.25-192.168.197.100 inside dhcpd dns 192.168.180.232 68.87.74.162 interface inside dhcpd domain fphc.us interface inside dhcpd enable inside ! dhcprelay timeout 60 threat-detection basic-threat threat-detection statistics host threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes vpn-filter value outside_1_cryptomap group-policy GroupPolicy_216.86.7.130 internal group-policy GroupPolicy_216.86.7.130 attributes vpn-filter value inside_nat0_outbound vpn-tunnel-protocol IPSec l2tp-ipsec tunnel-group x.x.x.130 type ipsec-l2l tunnel-group x.x.x.130 general-attributes default-group-policy GroupPolicy_216.86.7.130 tunnel-group x.x.x.130 ipsec-attributes pre-shared-key ***** tunnel-group-map default-group DefaultL2LGroup ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect dns ! service-policy global_policy global prompt hostname context : end
Hello
The reason for the DECLINE suggests that the ASA has still attached to the L2L VPN VPN filter configuration that prevents traffic.
Check the configuration and remove atleast VPN filter temporarily for testing purposes.
-Jouni
-------> -
Hello:
I have configured ASA 5505 to acept Cisco VPN Clients on IP-SEC and access internal subnet of tuneling (added a rule exempt NAT too) and the VPN Clients can connect and work without problems.
But no internal network or the ASA I can ping or conect to the VPN Clients.
My configuration:
Internal network: 172.26.1.0 255.255.255.0
The VPN Clients network 172.26.2.0 255.255.255.0
Can you help me?
Here is my configuration:
: Saved : ASA Version 7.2(4) ! hostname ciscoasa domain-name ftf.es enable password xxxxxxx encrypted passwd xxxxx encrypted names name 217.125.44.23 IP_publica name 172.26.1.100 Servidor name 192.168.1.3 IP_externa name 192.168.2.3 IP_Externa2 name 172.26.2.0 VPN_Clients ! interface Vlan1 nameif inside security-level 100 ip address 172.26.1.89 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address IP_externa 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 12 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 13 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name ftf.es same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group service terminal-server tcp port-object eq 3389 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list FTFVPN_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list FTFVPN_Group_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0 access-list outside_access_in extended permit tcp any host IP_externa eq 3389 access-list outside_access_in extended permit object-group TCPUDP any host IP_externa eq www access-list FTF_ADSL2_splitTunnelAcl standard permit any access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 VPN_Clients 255.255.255.0 access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 host 172.26.1.199 access-list outside_nat0_outbound extended permit ip VPN_Clients 255.255.255.0 172.26.1.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn 172.26.1.180-172.26.1.200 mask 255.255.255.0 ip local pool vpn2 172.26.2.100-172.26.2.200 mask 255.255.255.0 ip local pool vpn3 172.26.3.100-172.26.4.150 mask 255.255.255.0 ip local pool vpn4 172.26.1.240-172.26.1.250 mask 255.255.255.0 ip local pool FTFVPN_Pool 176.26.1.150-176.26.1.170 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 Servidor 3389 netmask 255.255.255.255 static (inside,outside) tcp interface www Servidor www netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 172.26.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 100 set pfs group1 crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_SHA crypto dynamic-map outside_dyn_map 120 set pfs group1 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal 20 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 172.26.1.90-172.26.1.217 inside ! webvpn enable outside url-list FTFVLC "DYNAMICS" cifs://172.26.1.100 1 port-forward TEST 3389 172.26.1.100 3389 Terminal Server group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes banner value Bienvenido a la red de FTF dns-server value 172.26.1.100 80.58.32.97 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn split-tunnel-policy tunnelall default-domain value ftf.es group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools value vpn2 smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward value TEST port-forward-name value Acceso a aplicaciones sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate group-policy FTFVPN_Group internal group-policy FTFVPN_Group attributes dns-server value 172.26.1.100 vpn-tunnel-protocol IPSec l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value FTFVPN_Group_splitTunnelAcl default-domain value ftf.es address-pools value vpn2 group-policy VPNSSL internal group-policy VPNSSL attributes vpn-tunnel-protocol IPSec l2tp-ipsec webvpn webvpn functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy auto-download citrix username raul password xxxxxx encrypted privilege 0 username raul attributes vpn-group-policy FTFVPN_Group tunnel-group DefaultRAGroup general-attributes address-pool vpn2 default-group-policy DefaultRAGroup tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultWEBVPNGroup general-attributes default-group-policy VPNSSL tunnel-group DefaultWEBVPNGroup webvpn-attributes nbns-server Servidor master timeout 5 retry 3 tunnel-group FTFVPN_Group type ipsec-ra tunnel-group FTFVPN_Group general-attributes address-pool vpn2 default-group-policy FTFVPN_Group tunnel-group FTFVPN_Group ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:f5e713652d4a2e2623248d7e49086105 : end asdm image disk0:/asdm-524.bin asdm location Servidor 255.255.255.255 inside asdm location IP_publica 255.255.255.255 inside asdm location IP_externa 255.255.255.255 inside asdm location IP_Externa2 255.255.255.255 inside asdm location VPN_Clients 255.255.255.0 inside no asdm history enable
Raul,
I don't see to apply ACLs inside the interface or as vpn-filter that will prevent the PING of the SAA within the intellectual property to the VPN client.
Are you sure that the VPN client does not have the Windows Firewall on or antivirus software that prevents to respond to PING?
Federico.
-
L2TP - impossible to find a group valid tunnel
Hello
I'm sure this is a simple solution, but I don't see what I'm missing.
Any help please?
Get the following errors in debugging.
[IKEv1]: invalid tunnel, leaving group = 95.83.254.91, IP = 95.x.x.x, impossible to find a group...!
23 September 14:26:05 [IKEv1]: IP = 95.x.x.x, invalid header, lack of payload SA! (next payload = 4)Group of tunnel I want to use is Remote-L2TP
Attached config.
ASA Version 8.2 (5)
!
ciscoasa hostname
domain xxxxx.local
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name 192.168.1.40 description CCTV system CCTV_System
name x.x.x.x outside outside interface description
description of the SERVER name server 192.168.1.1
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
192.168.1.222 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address outside 255.255.255.252
!
passive FTP mode
clock timezone GMT/IST 0
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 89.191.34.249
domain xxxxx.local
object-group service CCTV tcp
port-object eq 9010
object-group service CCTV_NEW tcp - udp
port-object eq 9091
object-group service BlackBerry tcp - udp
port-object eq 3101
object-group service NSM tcp - udp
port-object eq 886
object-group service RDP tcp - udp
EQ port 3389 object
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
outside_access_in list extended access allowed object-group TCPUDP any host outside eq 9091
outside_access_in list extended access allowed object-group TCPUDP any host outside eq 886
outside_access_in list extended access allowed object-group TCPUDP any host outside eq 3101
outside_access_in list extended access permit tcp any host outside eq https
outside_access_in list extended access permit tcp any interface outside eq pptp
outside_access_in list extended access allowed esp any external interface
outside_access_in list extended access permit udp any interface outside isakmp eq
outside_access_in list extended access permit udp any interface outside eq 4500
outside_access_in list extended access permit udp any interface outside eq 1701
standard access list for distance-VPN-Gp_splitTunnelAcl permit 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.25.0 255.255.255.192
RemoteVPN_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
VPN-GP_splitTunnelAcl-list of allowed access standard 192.168.1.0 255.255.255.0
standard L2TP_splitTunnelAcl-Remote Access-list allowed 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask of local pool Remote-DHCP-POOL 192.168.25.10 - 192.168.25.50 IP 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
public static 9091 9091 CCTV_System netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 886 886 SERVER netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static 3101 3101 SERVER netmask 255.255.255.255 interface tcp (indoor, outdoor)
public static tcp (indoor, outdoor) interface https SERVER https netmask 255.255.255.255
public static tcp (indoor, outdoor) pptp pptp netmask 255.255.255.255 SERVER interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 89.191.53.17 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac trans
Crypto ipsec transform-set trans transport mode
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Crypto-map Dynamics dyno 20 transform-set trans
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto 20-isakmp ipsec vpn Dynamics dyno
vpn outside crypto map interface
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = ciscoasa
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
string encryption ca ASDM_TrustPoint0 certificates
certificate 5eb57b56
3082016a 30820201 a0030201 0202045e b57b5630 0d06092a 864886f7 0d 010105
3111300f 05003045 06035504 03130863 6973636f 61736131 30302e06 092 has 8648
09021621 63697363 6f617361 2e627574 6 c 657274 6563686e 6f6c6f67 86f70d01
6965732e 6c6f6361 6c301e17 313630 39313931 33303732 395a170d 32363039 0d
a 31373133 30373239 5 304531 11300f06 03550403 13086369 73636f61 73613130
2a 864886 f70d0109 6973636f 02162163 6173612e 6275746c 65727465 302e0609
63686e6f 6c6f6769 65732e6c 6f63616c 30819f30 0d06092a 864886f7 0d 010101
8 D 003081 89028181 05000381 008e76a6 2ad8e079 15814471 df2c3309 abdc0ae7
1c665f5f bb09154b 1ac3fd81 930b29cb 6da29338 738c 9373 a0b30f61 a1d08aa9
f5ef926b 11ef1e22 e8beeb5f c6606090 7a71b367 cad571c5 56331678 d83d4bb4
9f98a565 577cccd6 dc20e190 c7128cf2 e38d3ad1 37807440 3da501c2 14bbbe02
45abf677 89248633 d 05589d 4886f70d 01010505 55 75020301 0001300 06092a 86
000a7b9d 00038181 3e29b1d9 8459309b 5e24606a cae0710e b9e264f4 a61125b9
2f431f3a 5c4a9485 fe9bc0b0 9f9f7072 13abd978 243e0542 e34642d6 ae33028d
be03b9e9 56c693ab b082932d b44ab014 9366c0d4 529a7ff5 818f7293 2026521b
52fcf5c7 d623f7fa 54019c 86 e64a4212 08444c 58 8ccd11d8 4297d18a c4b2de33
2003eaf5 e2
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd outside auto_config
!a basic threat threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP 79.125.112.210 Server
NTP server 193.1.193.157 prefer external source
WebVPN
port 8443
allow outside
DTLS port 8443
SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image
SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image
Picture disk0:/sslclient-win-1.1.4.176.pkg 3 SVC
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
WebVPN
SVC request enable
internal RemoteVPN group strategy
attributes of Group Policy RemoteVPN
value of server DNS 192.168.1.1 192.168.1.2
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list RemoteVPN_splitTunnelAcl
XXXX.local value by default-field
internal strategy group at distance-VPN-GP
remote control-VPN-GP group policy attributes
value of 192.168.1.1 DNS server
Protocol-tunnel-VPN IPSec
XXXXX.local value by default-field
internal strategy group to distance-L2TP
L2TP remote group policy attributes
value of server DNS 192.168.1.1 192.168.1.2
VPN-tunnel-Protocol webvpn
username privilege 15 encrypted v5FJjvsPy8PsIOtZ xxxxpassword
attributes of username xxxx
VPN-group-policy RemoteVPN
xxxxx YeC9t79Bj2E5FxxV username encrypted password
attributes of username xxxxx
Strategy-Group-VPN Remote - L2TP
2KXeP2Ggcoa6BTsozucgAA password xxxxx user name is nt encrypted
remote access of type tunnel-group to distance-VPN-GP
distance-VPN-GP-global attributes tunnel-group
Remote control-DHCP-POOL-pool of addresses
Group Policy - by default-remote control-VPN-GP
tunnel-group GP-remote control-VPN ipsec-attributes
pre-shared key *.
type tunnel-group Remote-L2TP remote access
attributes global-tunnel-group Remote-L2TP
Remote control-DHCP-POOL-pool of addresses
Group Policy - by default-remote-L2TP
tunnel-group Remote-L2TP ipsec-attributes
pre-shared key *.
tunnel-group Remote-L2TP ppp-attributes
ms-chap-v2 authentication
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:c4b7c39420a91e2f7bb4adc5e5a8539b
: end
ciscoasa (config) #.Hello
I see same Phase 2 is completed in the newspapers, so more than a customer issue.
On the Security tab in the connection on the client profile, check if you have allowed the correct password and security protocols:
https://www.SoftEther.org/4-docs/2-HOWTO/9.L2TPIPsec_Setup_Guide_for_Sof...
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hi all
Two years ago I had (finally) updated vpn in place, but I had to nuke the configuration later (for a long time to remember why).
My configuration:
Accelerator edge of Cisco ASA 5505 (revision 0 x 0)
Base license.
Cisco Adaptive Security Appliance Software Version 8.4 (2)
Version 6.4 Device Manager (5)I created a DMZ and an indoor and outdoor area.
All servers are Linux servers without a head.
(I recently had to re - create the servers because of a damaged drive).
So Setup is as follows:
A main linux server also works as virtualbox host.
A dmz-www-server and a server-ftp-dmz.
I'll add a server linux for git and a few others.
My first goal is to be able to reach the primary server with SSH. Second, to reach other servers on the network.
I also want to use the cisco vpn client open source Linux and cisco VPN client which I also use to connect to other customers.
Here is my current setup:
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5switchport access vlan 300
Speed 100
full duplex
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
DHCP IP address
!
interface Vlan300
prior to interface Vlan1
nameif dmz
security-level 50
IP 192.168.2.1 255.255.255.0
!passive FTP mode
clock timezone THATS 1
clock to summer time recurring CEDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
name-server 192.168.1.8
Server name 193.75.75.75
Server name 193.75.75.193
Name-Server 8.8.8.8
domain name to inside - sport.no
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
the object to the Interior-net network
subnet 192.168.1.0 255.255.255.0
network dmz webserver object
Home 192.168.2.100
Web server host object description
network dmz-ftpserver object
Home 192.168.2.101
Description purpose of FTP server hostnetwork of the DMZ.net object
Subnet 192.168.2.0 255.255.255.0
Service FTP object
tcp source eq ftp service
service object WWW
tcp source eq www service
outside_access_in list extended access permit tcp any host 192.168.2.101 eq ftp
outside_access_in list extended access permit tcp any host 192.168.2.100 eq www
inside_access_dmz list extended access permit tcp any object DMZ.net 1 65535 range
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
NAT (dmz, external) source service interface static Web WWW WWW server dmz
NAT (dmz, external) source service interface static dmz-ftpserver FTP FTP
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
the object to the Interior-net networkNAT dynamic interface (indoor, outdoor)
network of the DMZ.net object
NAT (dmz, outside) dynamic interface
Access-group outside_access_in in interface outside
Access-group inside_access_dmz in dmz interface
Route outside 0.0.0.0 0.0.0.0 173.194.32.34 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
LOCAL AAA authorization command
AAA authorization exec-authentication server
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contactServer enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
Telnet timeout 5
SSH 192.168.1.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 0
management-access insidedhcpd dns 192.168.1.1 193.75.75.75
dhcpd inner - sport.no
dhcpd outside auto_config
!
dhcpd address 192.168.1.20 - 192.168.1.49 inside
dhcpd dns 192.168.1.1 interface inside
dhcpd sport.no area inside - inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detectionno statistical threat detection tcp-interception
WebVPN
Bernard of encrypted foooo privilege 15 password username
th baaar of encrypted privilege 15 password username
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinnyinspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:88cf7ca3aa1aa19ec0418f557cc0fedfIf you are looking for just a remote access VPN configuration, you could do something like the following just change the names and IP addresses as needed:
local IP 10.10.10.1 VPNPOOL pool - 10.10.10.10
IKEv1 crypto policy 5
preshared authentication
aes encryption
sha hash
Group 5Crypto ipsec transform-set ikev1 VPNSET aes - esp esp-sha-hmac
Dynamic crypto map DYNMAP 65535 ikev1 set transform-set VPNSET
Dynamic crypto map DYNMAP reverse-route value 65535
card crypto VPNMAP 65535-isakmp dynamic ipsec DYNMAP
VPNMAP interface card crypto outsideCrypto ikev1 allow outside
tunnel-group VPNGROUP type remote access
IPSec-attributes tunnel-group VPNGROUP
IKEv1 pre-shared key PASSWORDmanagement-access inside
--
Please do not forget to select a correct answer and rate useful posts
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
do not access my home network via antconnect
I am able to connect through the anyconnect client and get an ip address, but I am not able to access my administration (internal network)
Administration = 10.18.1.120
VPN pool = 172.16.10.0/28
10.17.13.120 outside
This is my config
ASA 1.0000 Version 2
!
!
interface GigabitEthernet0/0
nameif administration
security-level 100
IP 10.18.1.120 255.255.0.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
IP 10.17.13.120 255.255.0.0
!
interface GigabitEthernet0/2
nameif admin-out13
security-level 0
IP 10.13.1.120 255.255.0.0
!
interface GigabitEthernet0/3
nameif VOIP
security-level 0
IP 10.90.100.120 255.255.0.0
!
passive FTP mode
network of the NETWORK_OBJ_172.16.10.0_29 object
subnet 172.16.10.0 255.255.255.248
network of the Admin_Email_Server object
Home 10.18.4.120
e-mail Description admin server
network of the Admin_Srv_Farm object
10.18.4.0 subnet 255.255.255.0
Description subenet where the admin servers are hosted
ICMP-type of object-group ICMP_Group
alternate address ICMP-object
ICMP-object-conversion error
echo ICMP-object
response to echo ICMP-object
ICMP-object information-response
ICMP-object-request for information
ICMP object-mask-reply
Mask-request ICMP-object
ICMP-object mobile-redirect
ICMP-object-parameter problem
redirect ICMP-object
ICMP-object-announcement of router
ICMP-object-solicitation of router
Object-ICMP source-quench
ICMP-object has exceeded the time
ICMP-object-response to timestamp
Timestamp-request ICMP-object
Object-ICMP traceroute
ICMP-unreachable object
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
pager lines 24
Enable logging
asdm of logging of information
management of MTU 1500
administration of MTU 1500
Outside 1500 MTU
Admin-out13 MTU 1500
ip_phones MTU 1500
local pool ADMIN_VPN_POOL 172.16.10.1 - 172.16.10.10 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 66114.bin
don't allow no asdm history
ARP timeout 14400
NAT (administration, outside) static source any any static destination NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 non-proxy-arp-search to itinerary
public static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 destination NAT (outside directors) static source Admin_Srv_Farm Admin_Srv_Farm
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
LOCAL AAA authentication serial console
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 10.18.0.0 255.255.0.0 administration
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
name of the object CN = admin-pare-fire
Configure CRL
string encryption ca ASDM_TrustPoint0 certificates
Crypto ikev2 activate out of service the customer port 443
Crypto ikev2 access remote trustpoint ASDM_TrustPoint0
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 10.90.100.1 - 10.90.100.100 ip_phones
dhcpd 4.2.2.2 dns 8.8.8.8 interface ip_phones
dhcpd lease 1800 interface ip_phones
dhcpd field uz.ac.zw interface ip_phones
dhcpd option 3 ip 10.90.1.254 interface ip_phones
ip_phones enable dhcpd
!
!
maximum session 1000 TLS-proxy
!
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
SSL-trust outside ASDM_TrustPoint0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
AnyConnect profiles ITADMIN_VPN_client_profile disk0: / ITADMIN_VPN_client_profile.xml
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_ITADMIN_VPN group strategy
attributes of Group Policy GroupPolicy_ITADMIN_VPN
WINS server no
value of 10.18.4.120 DNS server 10.50.7.178
client ssl-VPN-tunnel-Protocol ikev2
uz.AC.ZW value by default-field
WebVPN
AnyConnect value ITADMIN_VPN_client_profile type user profiles
webster nwgth7HVlZ/qiWnP password encrypted username
webster username attributes
type of remote access service
username admin password encrypted xxxxxxxxxxx privilege 15
username user2 encrypted password privilege 15 xxxxxxxxxxx
attributes of user user2 name
type of remote access service
type tunnel-group ITADMIN_VPN remote access
attributes global-tunnel-group ITADMIN_VPN
address ADMIN_VPN_POOL pool
Group Policy - by default-GroupPolicy_ITADMIN_VPN
tunnel-group ITADMIN_VPN webvpn-attributes
enable ITADMIN_VPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
class class by default
Statistical accounting of user
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:c9820a69d5b4fb9e3f7cce253f2450e4After the addition of administration management-access command, please check if you are able to ping to the administration interface (ip = 10.18.1.120) of the remote user's machine. In addition, run this command on the ASA.
Packet-trace entry administration icmp
8 0 detailed Once you run this copy please order the output and the share here. Please see links to the ip address of the host, sitting behind the administration interface that you think that the ip address of the internal host should be able to ping from outside. Assigned ip address is the ip address that is assigned to the pool anyconnect client.
Share the details here and we will be able to understand the question.
Thank you
Vishnu
-
After Anyconnect I can't access to asa and LAN
Dear all,
My office use ASA 5505 and I use anyconnect from outside (sometimes overseas), I can connect to my network and business by ASA, internet access, but I can't access ASA and LAN (network of my client). WHY?
Office 192.168.10.0/24
192.168.11.0/24 VPN
How can I solve this problem?
ASA Version 9.2 (3)
!
ciscoasa hostname
activate the encrypted password of XXXXXXXXXX
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
passwd encrypted XXXXXXXXXX
names of
192.168.11.1 mask - 192.168.11.10 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
address IP AAA. BBB. CCC DDD EEE. FFF. GGG. HHH
!
boot system Disk0: / asa923 - k8.bin
passive FTP mode
clock timezone 8 HKST
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic intra-interface
network of the VPN_Pool object
subnet 192.168.11.0 255.255.255.240
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
DefaultRAGroup_splitTunnelAcl_1 list standard access allowed 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-731 - 101.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
interface NAT (outside, outside) dynamic source VPN_Pool
NAT (inside, outside) static source any any static destination VPN_Pool VPN_Pool non-proxy-arp-search to itinerary
!
!
NAT source auto after (indoor, outdoor) dynamic one interface
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 AAA. BBB. CCC DDD. 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Activate Server http XXXXX
http 192.168.10.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA SHA-ESP-3DES ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-ESP ESP-3DES-SHA-TRANS TRANS-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_TrustPoint0
Terminal registration
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint Anyconnect_Self_Signed_Cert
registration auto
name of the object CN = ciscoasa
Configure CRL
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
name of the object CN = 115.160.145.114, CN = ciscoasa
Configure CRL
trustpool crypto ca policy
string encryption ca Anyconnect_Self_Signed_Cert certificates
certificate 5c7d4156
308202d 4 308201bc a0030201 0202045c 415630 0d06092a 864886f7 0d 010105 7 d
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a 8648
09021608 63697363 6f617361 31353131 31303131 31363231 301e170d 86f70d01
5a170d32 35313130 37313131 3632315a 302 c 3111 55040313 08636973 300f0603
636f6173 61311730 1506092a 864886f7 0d 010902 16086369 73636f61 73613082
0122300d 06092 has 86 01010105 00038201 0f003082 010a 0282 010100cc 4886f70d
af43a895 8c2c3f49 ad16c4b9 a855b47b 773f4245 1954c 728 7 c 568245 6ddc02ab
78 c 45473 eb4073f6 401d1dca 050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa
454ff4bb 691235ab 34e21d98 4cfecef4 204e9c95 76b1b417 b5cf746c 830788b 4
60063e89 0ffe5381 42694cf8 d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67
4ad8954f 5392790b 4ded225c c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a
d054a290 14316cc0 1670bdea f04c828b 7f9483fb 409fa707 fbe5a257 33597fed
ca790881 b1d4d3dc b0e1095e bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1
8b9421fa ee2b99ae df07fba1 0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02
03010001 300 d 0609 2a 864886 05050003 82010100 c8719770 1305bd9c f70d0101
2608f039 0dc6b058 0dfe3d88 76793 has 18 8f601dda b 8553, 893 d95e3b25 30ef7354
772f7d0b 772869d 7 372f8f5c f32992af fa2c8b6e 0f0ae4ce 4e068b8d b7916af2
affa1953 5bfd01a6 1a3c147d 75d95d8c 1122fa85 3905f27b 2474aff4 11fff24f
c305b648 b4c9d8d4 9dcf444b 9326cda3 0c4635d0 90ff8dd8 9444726c 82e002ec
be120937 0414c20a 39df72fb 76cd9c38 cde9afda 019e9230 66e5dba8 ed208eae
5faabb85 ff04f8f2 c36b724b 62ec52cc f967ee1d 1a6458fc 507a 2377 45 c 20635
2c14c431 baac678a dcc20329 4db7aa51 02c 36904 75b5f307 f1cc056d 726bc436
597a 3814 4ccd421d cb77d8f5 46a8ae69 2d617ac8 2160d7af
quit smoking
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 5d7d4156
308201f0 30820308 a0030201 0202045d 415630 0d06092a 864886f7 0d 010105 7 d
05003046 06035504 03130863 61736131 18301606 03550403 6973636f 3111300f
130f3131 352e3136 302e3134 352e3131 1506092a 34311730 864886f7 0d 010902
73636f61 16086369 7361301e 170d 0d 323531 3135 31313130 31323136 35395a 17
3111300f 06035504 03130863 6973636f 61736131 a 31303731 32313635 395, 3046
18301606 03550403 130f3131 352e3136 302e3134 352e3131 1506092's 34311730
864886f7 0d 010902 16086369 73636f61 73613082 0122300d 06092 has 86 4886f70d
01010105 00038201 0f003082 010 has 0282 010100cc af43a895 8c2c3f49 ad16c4b9
a855b47b 773f4245 1954c 728 7 c 78 45473 eb4073f6 401d1dca 568245 6ddc02ab
050dc53f cfb93f58 68087f6d 03334fc 1 53f41daa 454ff4bb 691235ab 34e21d98
b 830788 4 4cfecef4 204e9c95 76b1b417 b5cf746c 60063e89 0ffe5381 42694cf8
d1be20d4 4c95d9c6 93041af2 94783de0 fe93cf67 4ad8954f 5392790b 4ded225c
c3128cba 8d3ee07b f9fd2208 34b1956c be0a774a d054a290 14316cc0 1670bdea
f04c828b 7f9483fb 409fa707 fbe5a257 33597fed ca790881 b1d4d3dc b0e1095e
bf04014e 19c5cfeb f74aac57 ee39cd6e 7389cdd1 8b9421fa ee2b99ae df07fba1
0b506cd8 ea9f64c5 dd9169ad 157fcdb7 f6cfff02 03010001 300 d 0609 2a 864886
05050003 82010100 00089cd 3 d0f65c5e 91f7ee15 bbd98446 35639ef9 f70d0101
45b 64956 f146234c 472b52e6 f2647ced a109cb6b 52bf5f5d 92471cb7 a3a30b63
052ac212 c6027535 16e42908 ea37c39a 4d203be9 8c4ed8cd 40935057 3fe8a537
a837c75c feff4dcc 1b2fd276 257f0b46 8fcd2a5c cbdcacec cd14ee46 be136ae7
7cd4ae0d aace54fe 5187ea57 40d2af87 cded3085 27d6f5d8 1c15ef98 f95cc90e
a 485049 4 805efa8f 63406609 a663db53 06b94e53 07c1c808 61eadcdb 2c952bee
74a0b3dd ae262d84 40b85ec5 a89179b2 7e41648e 93f0e419 3c482b29 e482d344
d756d450 8f0d9302 d023ac43 a31469a4 105c8a0c b1418907 693c558c 08f499ef
364bc8ba 4543297a a17735a0
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev2 access remote trustpoint Anyconnect_Self_Signed_Cert
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
No ipv6-vpn-addr-assign aaa
no local ipv6-vpn-addr-assigndhcpd 192.168.10.254 dns 8.8.8.8
dhcpd rental 43200
!
dhcpd address 192.168.10.1 - 192.168.10.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP AAA server. BBB. CCC. Source DDD outside prefer
SSL-point of approval ASDM_Launcher_Access_TrustPoint_0 outside vpnlb-ip
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
AnyConnect profiles Anyconnect_client_profile disk0: / Anyconnect_client_profile.xml
AnyConnect enable
tunnel-group-list activate
internal DefaultRAGroup_2 group strategy
attributes of Group Policy DefaultRAGroup_2
DNS-server AAA value. BBB. CCC AAA DDD. BBB. CCC DDD.
Ikev2 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
internal GroupPolicy_Anyconnect group strategy
attributes of Group Policy GroupPolicy_Anyconnect
WINS server no
value of server DNS 8.8.8.8 8.8.4.4
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
Split-tunnel-policy tunnelall
IPv6-split-tunnel-policy excludespecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl_1
by default no
activate dns split-tunnel-all
IPv6 address pools no
WebVPN
AnyConnect value Anyconnect_client_profile type user profiles
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
username password XXXXXXX XXXXXXXXXXXXXXX encrypted privilege 15
attributes of username XXXXXXX
Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client
attributes global-tunnel-group DefaultRAGroup
address pool VPN-pool
Group Policy - by default-DefaultRAGroup_2
IPSec-attributes tunnel-group DefaultRAGroup
IKEv1 pre-shared key XXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
ms-chap-v2 authentication
tunnel-group Anyconnect type remote access
tunnel-group Anyconnect General attributes
address pool VPN-pool
Group Policy - by default-GroupPolicy_Anyconnect
NAT - to-public-ip assigned inside
tunnel-group Anyconnect webvpn-attributes
enable Anyconnect group-alias
tunnel-group Anyconnect ppp-attributes
ms-chap-v2 authentication
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the netbios
inspect the tftp
Review the ip options
!
service-policy-international policy global
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:24991680b66624113beb31d230c593bb
: endHi cwhlaw2009,
You must configure a policy Split-tunnel, if you want to be able to access the internal and local network at the same time.
It may be useful
-Randy-
-
ASA 5505. VPN Site-to-Site does not connect!
Hello!
Already more than a week there, as we had a new channel of communication of MGTSa (Ontario terminal Sercomm RV6688BCM, who barely made in the 'bridge' - had to do the provider in order to receive our white Cisco Ip address), and now I train as well more that one week to raise between our IKEv1 IPsec Site-to-Site VPN tunnel closes offices.
Configurable and use the wizard in ASDM and handles in the CLI, the result of a year, the connection does not rise.
Cisco version 9.2 (2), the image of the Cisco asa922 - k8.bin, Security Plus license version, version 7.2 AMPS (2).
What I'll never know...
Debugging and complete configuration enclose below.
Help, which can follow any responses, please! I was completely exhausted!Config:
Output of the command: "sh run".
: Saved
:
: Serial: XXXXXXXXXXXX
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (2)
!
hostname door-71
activate the encrypted password of F6OJ0GOws7WHxeql
names of
IP local pool vpnpool 10.1.72.100 - 10.1.72.120 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.1.72.254 255.255.255.0
!
interface Vlan2
nameif outside_mgts
security-level 0
62.112.100.R1 255.255.255.252 IP address
!
passive FTP mode
clock timezone 3 MSK/MSD
clock to DST MSK/MDD recurring last Sun Mar 02:00 last Sun Oct 03:00
DNS lookup field inside
DNS server-group MGTS
Server name 195.34.31.50
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the NET72 object
10.1.72.0 subnet 255.255.255.0
network object obj - 0.0.0.0
host 0.0.0.0
network of the Nafanya object
Home 10.1.72.5
network object obj - 10.1.72.0
10.1.72.0 subnet 255.255.255.0
network of the NET61 object
10.1.61.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.96_27 object
subnet 10.1.72.96 255.255.255.224
network of the NETT72 object
10.1.72.0 subnet 255.255.255.0
network of the NET30 object
10.1.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_10.1.72.0_24 object
10.1.72.0 subnet 255.255.255.0
object-group service OG INET
the purpose of the echo icmp message service
response to echo icmp service object
service-object icmp traceroute
service-object unreachable icmp
service-purpose tcp - udp destination eq echo
the DM_INLINE_NETWORK_1 object-group network
network-object NET30
network-object, object NET72
DM_INLINE_TCP_1 tcp service object-group
port-object eq www
EQ object of the https port
inside_access_in extended access list permit ip object NET72 object-group DM_INLINE_NETWORK_1
access extensive list ip 10.1.72.0 inside_access_in allow 255.255.255.0 any
inside_access_in extended access list permit ip object Nafanya any idle state
inside_access_in list extended access allowed object-group OG INET an entire
inside_access_in of access allowed any ip an extended list
inside_access_in list extended access deny ip any alerts on any newspaper
outside_mgts_access_in list extended access allowed object-group OG INET an entire
outside_mgts_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_mgts_access_in list extended access deny ip any alerts on any newspaper
access extensive list ip 10.1.72.0 outside_mgts_cryptomap allow 255.255.255.0 object NET61
VPN-ST_splitTunnelAcl permit 10.1.72.0 access list standard 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
outside_mgts MTU 1500
IP check path reverse interface outside_mgts
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside outside_mgts) static source NET72 NET72 NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 non-proxy-arp-search of route static destination
NAT (inside outside_mgts) static source NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 NET61 NET61 non-proxy-arp-search of route static destination
!
network obj_any object
NAT (inside outside_mgts) dynamic obj - 0.0.0.0
network of the NET72 object
NAT (inside outside_mgts) interface dynamic dns
inside_access_in access to the interface inside group
Access-group outside_mgts_access_in in the outside_mgts interface
Route 0.0.0.0 outside_mgts 0.0.0.0 62.112.100.R 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
Enable http server
http 10.1.72.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
card crypto outside_mgts_map 1 match address outside_mgts_cryptomap
card crypto outside_mgts_map 1 set pfs Group1
peer set card crypto outside_mgts_map 1 91.188.180.42
card crypto outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_mgts_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
card crypto outside_mgts_map interface outside_mgts
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
Crypto ca trustpoint ASDM_TrustPoint0
registration auto
E-mail [email protected] / * /
name of the object CN = door-71
Serial number
IP address 62.112.100.42
Proxy-loc-transmitter
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
registration auto
ASDM_TrustPoint1 key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_TrustPoint0 certificates
certificate eff26954
30820395 3082027d a0030201 020204ef f2695430 0d06092a 864886f7 0d 010105
019
6460ae26 ec5f301d 0603551d 0e041604 14c9a3f2 d70e6789 38fa4b01 465d 1964
60ae26ec 5f300d06 092 has 8648 01050500 03820101 00448753 7baa5c77 86f70d01
62857b 65 d05dc91e 3edfabc6 7b3771af bbedee14 673ec67d 3d0c2de4 b7a7ac05
5f203a8c 98ab52cf 076401e5 1a2c6cb9 3f7afcba 52c617a5 644ece10 d6e1fd7d
28b57d8c aaf49023 2037527e 9fcfa218 9883191f 60b221bf a561f2be d6882091
0222b7a3 3880d6ac 49328d1f 2e085b15 6d1c1141 5f850e5c b6cb3e67 0e373591
94a 82781 44493217 and 38097952 d 003 5552 5c445f1f 92f04039 a23fba20 b9d51b13
f511f311 d1feb2bb 6d056a15 7e63cc1b 1f134677 8124c 024 3af56b97 51af8253
486844bc b1954abe 8acd7108 5e4212df db835d76 98ffdb2b 8c8ab915 193b 8167
0db3dd54 c8346b96 c4f4eff7 1e7cd576 a8b1f86e 3b868a6e 89
quit smoking
string encryption ca ASDM_TrustPoint1 certificates
certificate a39a2b54
3082025f 30820377 a0030201 020204 has 3 9a2b5430 0d06092a 864886f7 0d 010105
0500304 06035504 03130767 36313137 30120603 55040513 6174652d 3110300e b
c084dcd9 d250e194 abcb3eb8 1da93bd0 fb0dba1a b1c35b43 d547a841 5d4ee1a4
14bdb207 7dd790a4 0cd 70471 5f3a896a 07bd56dc ea01b3dd 254cde88 e1490e97
f3e54c05 551adde0 66aa3782 c85880c2 b162ec29 4e49346a df71062d 6d6d8f49
62b9de93 ba07b4f7 a50e77e1 8f54b32b 6627cb27 e982b36f a 362973, 0 88de3272
9bd6d4d2 8ca1e11f 214f20a9 78bdea95 78fdc45c d6d45674 6acb9bcb d0bd930e
638eedfe cd559ab1 e1205c48 3ee9616f e631db55 e82b623c 434ffdc1 11020301
0001 has 363 3061300f 0603551d 130101ff 0101ff30 04053003 0e060355 1d0f0101
ff040403 1f060355 02018630 230418 30168014 0cea70bf 0d0e0c4b eb34a0b1 1 d
8242 has 549 0603 551d0e04 1604140c ea70bf0d 0e0c4beb 34a0b182 301D 5183ccf9
42a 54951 010105 05000382 0101004e 7bfe054a 0d 864886f7 0d06092a 83ccf930
d434a27c 1d3dce15 529bdc5f 70a2dff1 98975de9 2a97333b 96077966 05a8e9ef
bf320cbd ecec3819 ade20a86 9aeb5bde bd129c7b 29341e4b edf91473 f2bf235d
9aaeae21 a629ccc6 3c79200b b9a89b08 bf38afb6 ea56b957 4430f692 a 4745, 411
34d71fad 588e4e18 2b2d97af b2aae6b9 b6a22350 d031615b 49ea9b9f 2fdd82e6
ebd4dccd df93c17e deceb796 f268abf1 881409b 5 89183841 f484f0e7 bd5f7b69
ebf7481c faf69d3e 9d24df6e 9c2b0791 785019f7 a0d20e95 2ef35799 66ffc819
4a77cdf2 c6fb4380 fe94c13c d4261655 7bf3d6ba 6289dc8b f9aad4e1 bd918fb7
32916fe1 477666ab c2a3d591 a84dd435 51711f6e 93e2bd84 89884c
quit smoking
crypto isakmp identity address
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 activate outside_mgts port 443 customer service
Crypto ikev2 access remote trustpoint ASDM_TrustPoint0
Crypto ikev1 allow inside
Crypto ikev1 enable outside_mgts
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
without ssh stricthostkeycheck
SSH 10.1.72.0 255.255.255.0 inside
SSH timeout 60
SSH group dh-Group1-sha1 key exchange
Console timeout 0
vpnclient Server 91.188.180.X
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
VPN - L2L vpnclient vpngroup password *.
vpnclient username aradetskayaL password *.
dhcpd auto_config outside_mgts
!
dhcpd update dns replace all two interface inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL-trust ASDM_TrustPoint0 inside point
SSL-trust ASDM_TrustPoint0 outside_mgts point
WebVPN
Select outside_mgts
internal GroupPolicy_91.188.180.X group strategy
attributes of Group Policy GroupPolicy_91.188.180.X
Ikev1 VPN-tunnel-Protocol
internal group VPN - ST strategy
attributes of group VPN - ST policy
value of 195.34.31.50 DNS Server 8.8.8.8
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN-ST_splitTunnelAcl
by default no
aradetskayaL encrypted HR3qeva85hzXT6KK privilege 15 password username
tunnel-group 91.188.180.X type ipsec-l2l
attributes global-tunnel-group 91.188.180.X
Group - default policy - GroupPolicy_91.188.180.42
IPSec-attributes tunnel-group 91.188.180.X
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
remote access to tunnel-group VPN - ST type
VPN-general ST-attributes tunnel-group
address vpnpool pool
Group Policy - by default-VPN-ST
tunnel-group ipsec VPN ST-attributes
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:212e4f5035793d1c219fed57751983d8
: enddoor-71 # sh crypto ikev1 hisThere are no SAs IKEv1
door-71 # sh crypto ikev2 hisThere are no SAs IKEv2
door-71 # sh crypto ipsec his
There is no ipsec security associationsdoor-71 # sh crypto isakmpThere are no SAs IKEv1
There are no SAs IKEv2
Global statistics IKEv1
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Notifys: 0
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 0
Package: 0
Fall packages: 0
NOTIFYs out: 0
Exchanges of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 0
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0IKEV1 statistics for Admission appeals
In negotiating SAs Max: 25
In negotiating SAs: 0
In negotiating SAs Highwater: 0
In negotiating SAs rejected: 0Global statistics IKEv2
The active Tunnels: 0
Previous Tunnels: 0
In bytes: 0
In the packages: 0
In packs of fall: 0
In Fragments of fall: 0
In Notifys: 0
In Exchange for the P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
In IPSEC delete: 0
In delete IKE: 0
Bytes: 0
Package: 0
Fall packages: 0
Fragments of fall: 0
NOTIFYs out: 0
Exchange of P2: 0
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
On IPSEC delete: 0
The IKE Delete: 0
Locally launched sAs: 0
Locally launched sAs failed: 0
SAs remotely initiated: 0
SAs remotely initiated failed: 0
System capacity: 0
Authentication failures: 0
Decrypt failures: 0
Hash failures: 0
Invalid SPI: 0
In the Configs: 0
Configs: 0
In the Configs rejects: 0
Configs rejects: 0
Previous Tunnels: 0
Previous Tunnels wraps: 0
In the DPD Messages: 0
The DPD Messages: 0
The NAT KeepAlive: 0
IKE recomposition launched locally: 0
IKE returned to the remote initiated key: 0
Generate a new key CHILD initiated locally: 0
CHILD given to the remote initiated key: 0IKEV2 statistics for Admission appeals
Max active SAs: no limit
Max in negotiating SAs: 50
Challenge cookie line: never
Active sAs: 0
In negotiating SAs: 0
Incoming requests: 0
Accepted incoming requests: 0
A rejected incoming requests: 0
Out of requests: 0
Out of the applications accepted: 0
The outgoing rejected requests: 0
A rejected queries: 0
Rejected at the SA: 0 Max limit
Rejected low resources: 0
Rejected the current reboot: 0
Challenges of cookie: 0
Cookies transmitted challenges: 0
Challenges of cookie failed: 0IKEv1 global IPSec over TCP statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Incoming packets: 0
Inbound packets ignored: 0
Outgoing packets: 0
Outbound packets ignored: 0
The RST packets: 0
Heartbeat Recevied ACK packets: 0
Bad headers: 0
Bad trailers: 0
Chess timer: 0
Checksum errors: 0
Internal error: 0door-71 # sh statistical protocol all cryptographic
[Statistics IKEv1]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics IKEv2]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[IPsec statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[SSL statistics]
Encrypt packets of queries: 19331
Encapsulate packets of queries: 19331
Decrypt packets of queries: 437
Package requests decapsulating: 437
HMAC calculation queries: 19768
ITS creation queries: 178
SA asked to generate a new key: 0
Requests to remove SA: 176
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistical SSH are not taken in charge]
[Statistics SRTP]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 0
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of random generation queries: 0
Failed requests: 0
[Statistics]
Encrypt packets of requests: 0
Encapsulate packets of requests: 0
Decrypt packets of requests: 0
Decapsulating requests for package: 0
HMAC calculation queries: 6238
ITS creation queries: 0
SA asked to generate a new key: 0
Deletion requests: 0
Next phase of allocation key applications: 0
Number of queries random generation: 76
Failure of queries: 9door-71 # sh crypto ca trustpoints
Trustpoint ASDM_TrustPoint0:
Configured for the production of a self-signed certificate.Trustpoint ASDM_TrustPoint1:
Configured for the production of a self-signed certificate.If you need something more, then spread!
Please explain why it is that I don't want to work?Hello
When the IPSEC tunnel does not come to the top, the first thing comes to my mind is to run a tracer of package from the CLI and the phases in it. Please run this command from your firewall side and share the output. I've just compiled this command with the random ip address and ports of your given range.
Packet-trace entry inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed
Best regards
Amandine
-
Hello
I can't get my work vpn site-to-site. Not only that but I am unable to get an internet connection through my ASA. I need to use the IP address public for my local network provided by IPS = 99.143.97.186 - 190 = 255.255.255.248 subnet mask
I followed this tutorial: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...
can someone please take a look at my settings and help out me? Very much appreciated. Thank you.
See the ciscoasa config (config) #.
: Saved
: Written by enable_15 at 01:12:15.869 UTC Thu Sep 4 2008
!
ASA Version 8.2 (5)
!
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 99.143.97.186 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
IP 192.168.1.84 255.255.255.0
!
interface Vlan3
No nameif
no level of security
no ip address
!
passive FTP mode
access-list extended 100 permit ip 99.143.97.184 255.255.255.248 host 206.127.20.63
99.143.97.184 IP Access-list extended sheep 255.255.255.248 allow host 206.127.20.63
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 0.0.0.0 0.0.0.0
Route outside 206.127.20.63 255.255.255.255 192.168.1.254 1
Route outside 206.127.21.3 255.255.255.255 192.168.1.254 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 99.143.97.184 255.255.255.248 inside
http 99.143.97.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
correspondence address card crypto outside_map 20 100
peer set card crypto outside_map 20 206.127.21.3
card crypto outside_map 20 transform-set RIGHT
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
dhcpd address 99.143.97.187 - 99.143.97.190 inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
tunnel-group 206.127.21.3 type ipsec-l2l
IPSec-attributes tunnel-group 206.127.21.3
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:0ab759de3926ddb63f79f18a8422409eciscoasa (config) # show crypto isakmp his
There is no isakmp sas
ciscoasa (config) # show ip performance
!
interface Vlan1
nameif inside
security-level 100
IP 99.143.97.186 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
IP 192.168.1.84 255.255.255.0
!You have an interface incorrect configuration: -.
Add these lines and share how it rates:
interface Vlan1
no address ip 99.143.97.186 255.255.255.248
IP 192.168.1.84 255.255.255.0interface Vlan2
no address ip 192.168.1.84 255.255.255.0
IP 99.143.97.186 255.255.255.248Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Cannot access internal network so AnyConnect SSL VPN, ASA 9.1 (6)
Hello Cisco community support,
I have a lab which consists of two virtual environments connected to a 3750-G switch that is connected to a 2901 router which is connected to an ASA 5512 - X which is connected to my ISP gateway. I configured SSL VPN using AnyConnect and can establish a VPN to the ASA from the outside but once connected, I can't access internal network resources or access the internet. My information network and ASA configuration is listed below. Thank you for any assistance you can offer.
ISP network gateway: 10.1.10.0/24
ASA to the router network: 10.1.40.0/30
Pool DHCP VPN: 10.1.30.0/24
Network of the range: 10.1.20.0/24
Development network: 10.1.10.0/24
: Saved
:
: Serial number: FCH18477CPT
: Material: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)
:
ASA 6,0000 Version 1
!
hostname ctcndasa01
activate bcn1WtX5vuf3YzS3 encrypted password
names of
cnd-vpn-dhcp-pool 10.1.30.1 mask - 255.255.255.0 IP local pool 10.1.30.200
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 10.1.40.1 255.255.255.252
!
interface GigabitEthernet0/1
nameif outside
security-level 0
address IP X.X.X.237 255.255.255.248
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa916-1-smp - k8.bin
boot system Disk0: / asa912-smp - k8.bin
passive FTP mode
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_10.1.30.0_24 object
10.1.30.0 subnet 255.255.255.0
network obj_any object
network obj_10.1.40.0 object
10.1.40.0 subnet 255.255.255.0
network obj_10.1.30.0 object
10.1.30.0 subnet 255.255.255.0
outside_access_in list extended access permitted ip object NETWORK_OBJ_10.1.30.0_24 all
FREE access-list extended ip 10.1.40.0 NAT allow 255.255.255.0 10.1.30.0 255.255.255.0
access-list 101 extended allow any4 any4-answer icmp echo
access-list standard split allow 10.1.40.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
management of MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source obj_10.1.40.0 destination obj_10.1.40.0 static static obj_10.1.30.0 obj_10.1.30.0 non-proxy-arp-search to itinerary
NAT (inside, outside) static source any any static destination NETWORK_OBJ_10.1.30.0_24 NETWORK_OBJ_10.1.30.0_24 non-proxy-arp-search to itinerary
Access-group outside_access_in in interface outside
!
Router eigrp 1
Network 10.1.10.0 255.255.255.0
Network 10.1.20.0 255.255.255.0
Network 10.1.30.0 255.255.255.0
Network 10.1.40.0 255.255.255.252
!
Route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
without activating the user identity
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
http X.X.X.238 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = 10.1.30.254, CN = ctcndasa01
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate c902a155
308201cd 30820136 a0030201 020204c 0d06092a 864886f7 0d 010105 9 02a 15530
0500302b 31133011 06035504 03130 has 63 61736130 31311430 12060355 74636e64
0403130 31302e31 2e33302e 32353430 1e170d31 35303731 32303530 3133315a b
170d 3235 30373039 30353031 33315 has 30 2 b 311330 0403130a 11060355 6374636e
64617361 30313114 30120603 55040313 0b31302e 312e3330 2e323534 30819f30
0d06092a 864886f7 010101 05000381 8 d 0d 003081 89028181 00a47cfc 6b5f8b9e
9b106ad6 857ec34c 01028f71 d35fb7b5 6a61ea33 569fefca 3791657f eeee91f2
705ab2ea 09207c4f dfbbc18a 749b19ae d3ca8aa7 3370510b a5a96fd4 f9e06332
4355 db1a4b88 475f96a1 318f7031 40668a4d afa44384 819d fa164c05 2e586ccc
3ea59b78 5976f685 2abbdcf6 f3b448e5 30aa96a8 1ed4e178 0001300 020301 4 d d
06092a 86 01010505 00038181 0093656f 639e138e 90b69e66 b50190fc 4886f70d
42d9b4a8 11828da4 e0765d9c 52d84f8b 8e70747e e760de88 c43dc5eb 1808bd0f
fd2230c1 53f68ea1 00f3e956 97eb313e 26cc49d7 25b927b5 43d8d3fa f212fcaf
59eb8104 98e3a1d9 e05d3bcb 428cd7c6 61b530f5 fe193d15 ef8c7f08 37ad16f5
d8966b50 917a88bb f4f30d82 6f8b58ba 61
quit smoking
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPN-addr-assign local reuse / 360 time
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
Trust ASDM_Launcher_Access_TrustPoint_0 vpnlb-ip SSL-point
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-linux-3.1.09013-k9.pkg 4
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.09013-k9.pkg 5
AnyConnect image disk0:/anyconnect-win-3.1.09013-k9.pkg 6
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_cnd-vpn group policy
GroupPolicy_cnd-vpn group policy attributes
WINS server no
value of server DNS 8.8.8.8
client ssl-VPN-tunnel-Protocol
by default no
xxxx GCOh1bma8K1tKZHa username encrypted password
type tunnel-group cnd - vpn remote access
tunnel-group global cnd-vpn-attributes
address-cnd-vpn-dhcp-pool
strategy-group-by default GroupPolicy_cnd-vpn
tunnel-group cnd - vpn webvpn-attributes
activation of the alias group cnd - vpn
!
ICMP-class class-map
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map icmp_policy
icmp category
inspect the icmp
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
service-policy icmp_policy outside interface
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:261228832f3b57983bcc2b4ed5a8a9d0
: end
ASDM image disk0: / asdm - 743.bin
don't allow no asdm historyCan you confirm that this is correct, your diagram shows your IP address public on ASA as 30 while you have assinged on 'outside' interface like 29?
-
Cisco Anyconnect access problem
I configured Anyconnect VPN. I can connect to the VPN from outside successfully but can not ping on my server or map the shared folder.
can someone take a look at the configuration of firewall and help out me.
ASA 9.1 Version 2
!
hostname DASA2
domain JDSYINGAA.com
activate 8Ry2YjIyt7RRXU24 encrypted password
names of
mask 192.168.78.1 - 192.168.78.254 255.255.255.0 IP local pool Abe_VPN
!
interface GigabitEthernet0/0
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
IP 13.15.13.60 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 10
address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
192.168.5.1 IP address 255.255.255.0
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain JDSYINGAA.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.78.0_24 object
192.168.78.0 subnet 255.255.255.0
object-group network
object-network 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
management of MTU 1500
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source any any static destination NETWORK_OBJ_192.168.78.0_24 NETWORK_OBJ_192.168.78.0_24 non-proxy-arp-search to itinerary
!
NAT automatic interface after (indoor, outdoor) dynamic source
Route outside 0.0.0.0 0.0.0.0 13.15.13.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server JDSYINGAA.com Protocol nt
AAA-server host 192.168.10.2 (inside) JDSYINGAA.com
Timeout 5
auth-JDSYINGAA.com NT domain controller
identity of the user by default-domain LOCAL
Enable http server
http 192.168.5.0 255.255.255.0 management
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec pmtu aging infinite - the security association
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
trustpool crypto ca policy
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
192.168.5.2 management - dhcpd addresses 192.168.5.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow inside
allow outside
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect enable
tunnel-group-list activate
internal GroupPolicy_abeone_VPN group strategy
attributes of Group Policy GroupPolicy_abeone_VPN
WINS server no
value of the DNS-server 192.168.10.2
client ssl-VPN-tunnel-Protocol
value by default-field JDSYINGAA.com
username privilege 15 encrypted password /oETeAnGnysKS53o mt
type tunnel-group Abe_VPN remote access
attributes global-tunnel-group Abe_VPN
address pool Abe_VPN
Group Policy - by default-GroupPolicy_AJDSYINGAA_VPN
tunnel-group Abe_VPN webvpn-attributes
enable Abe_VPN group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
call-home service
anonymous reporting remote call
call-home
contact-email-addr [email protected] / * /
Profile of CiscoTAC-1
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group 27 monthly periodic inventory
Subscribe to alert-group configuration periodic monthly 27
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d4a18e6096befdad7d4d7748bcd52ea1
: end
don't allow no asdm history-See more at: https://supportforums.cisco.com/discussion/12541931/anyconnect-vpn#sthas...
Here is my work anyconnect lab configuration.
I deleted the obsolete linesinterface GigabitEthernet0
nameif inside
security-level 100
IP 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
IP 20.20.20.1 255.255.255.252
!the object to the Interior-net network
10.10.10.0 subnet 255.255.255.0
object subnet anyconnect-
172.16.0.0 subnet 255.255.255.0
standard access list permits 10.10.10.0 SPLIT-TUNNEL 255.255.255.0IP local pool anyconnect-172.16.0.10 - 172.16.0.20 mask 255.255.255.0
NAT (inside, outside) static source any any destination static anyconnect subnet subnet anyconnect non-proxy-arp-search to itinerary
the object to the Interior-net network
NAT dynamic interface (indoor, outdoor)WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
AnyConnect enable
tunnel-group-list activateinternal strategy of GP-PROFILE group
GP-PROFILE group policy attributes
value of server DNS 8.8.8.8
Protocol-tunnel-VPN-client ssl clientless ssl
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value of SPLIT TUNNELAuntie username attributes
VPN-group-GP-PROFILE
type of remote access servicetype TG-PROFILE tunnel-group remote access
TG-PROFILE general-attributes tunnel-group
anyconnect-pool address pool
Group Policy - by default-GP-PROFILE
TG-PROFILE webvpn-attributes tunnel-group
enable TG-PROFILE Group-alias!
class-map default_class
match default-inspection-traffic
!
!
Policy-map default_policy
default_class class
inspect the icmp
!
service-policy default_policy outside interface -
I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.
Following configuration:
: Saved
:
ASA Version 8.2 (5)
!
asa5505 hostname
domain BLA
activate the password * encrypted
passwd * encrypted
no names!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 150
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.7.30.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP EXTERNAL IP 255.255.255.128
!
interface Vlan150
nameif WLAN_GUESTS
security-level 50
IP 10.7.150.1 255.255.255.0
!
boot system Disk0: / asa825 - k8.bin
config to boot Disk0: / running-config
passive FTP mode
clock timezone STD - 7
DNS server-group DefaultDNS
domain BLA
permit same-security-traffic intra-interface
object-group service tcp Webaccess
port-object eq www
EQ object of the https port
object-group network McAfee
network-object 208.65.144.0 255.255.248.0
network-object 208.81.64.0 255.255.248.0
access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
outside_access_in list extended access permit ip host 159.87.64.30 all
standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
IPS_TRAFFIC of access allowed any ip an extended list
access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside the 10.7.30.37
Debugging trace record
Within 1500 MTU
Outside 1500 MTU
MTU 1500 WLAN_GUESTS
local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-645 - 206.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access outside_nat0_outbound
NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
Access-group inside_access_in in interface inside the control plan
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server ADWM-FPS-02 nt Protocol
AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
Timeout 5
auth-domain NT ADWM-FPS-02 controller
AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
auth-DC NT ADWM-DC02
AAA authentication http LOCAL console
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 206.169.55.66 255.255.255.255 outside
http 206.169.50.171 255.255.255.255 outside
http 10.7.30.0 255.255.255.0 inside
http 206.169.51.32 255.255.255.240 outside
http 159.87.35.84 255.255.255.255 outside
SNMP-server host within the 10.7.30.37 community * version 2 c
location of the SNMP server *.
contact SNMP Server
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 206.169.55.66
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_cryptomap
peer set card crypto outside_map 2 159.87.64.30
card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ca trustpoint *.
Terminal registration
full domain name *.
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint A1
Terminal registration
fqdn ***************
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint INTERMEDIARY
Terminal registration
no client-type
Configure CRL
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
Configure CRL
ca encryption certificate chain *.
certificate ca 0301
BUNCH OF STUFF
quit smoking
A1 crypto ca certificate chain
OTHER LOTS of certificate
quit smoking
encryption ca INTERMEDIATE certificate chain
YET ANOTHER certificate
quit smoking
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca LAST BOUQUET
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.7.30.0 255.255.255.0 inside
Telnet timeout 30
SSH 206.169.55.66 255.255.255.255 outsideSSH timeout 5
Console timeout 0
management-access inside
dhcpd 4.2.2.2 dns 8.8.8.8
!
dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
enable WLAN_GUESTS dhcpd
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4 - md5 of sha1
SSL-trust A1 out point
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal VPNUsers group strategy
Group Policy VPNUsers attributes
value of server DNS 10.7.30.20
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_users_splitTunnelAcl
dwm2000.WM.State.AZ.us value by default-field
Split-dns value dwm2000.wm.state.az.us
username HCadmin password * encrypted privilege 15
attributes global-tunnel-group DefaultWEBVPNGroup
address VPN_POOL pool
authentication-server-group ADWM-FPS-02
strategy - by default-VPNUsers group
tunnel-group 206.169.55.66 type ipsec-l2l
IPSec-attributes tunnel-group 206.169.55.66
pre-shared key *.
tunnel-group 159.87.64.30 type ipsec-l2l
IPSec-attributes tunnel-group 159.87.64.30
pre-shared key *.
!
class-map IPS_TRAFFIC
corresponds to the IPS_TRAFFIC access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
Review the ip options
class IPS_TRAFFIC
IPS inline help
!
global service-policy global_policy
field of context fast hostname
anonymous reporting remote call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e70de424cf976e0a62b5668dc2284587
: end
ASDM image disk0: / asdm-645 - 206.bin
ASDM location 159.87.70.66 255.255.255.255 inside
ASDM location 208.65.144.0 255.255.248.0 inside
ASDM location 208.81.64.0 255.255.248.0 inside
ASDM location 172.16.10.0 255.255.255.0 inside
ASDM location 159.87.64.30 255.255.255.255 inside
don't allow no asdm historyAnyone have any ideas?
Hello
Please, add this line in your configuration and let me know if it works:
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0
I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.
Let me know if it helps.
Thank you
Vishnu
-
Cisco ASA Anyconnect LAN access problem
I have very simple network at home with the WAN IP address, ASA uses DHCP and gateway. plain of network of all no complications.
X.X.X.X like a WAN
192.168.1.0/24 as a LAN
IP Pool 192.168.6.0/24 (VPN Pool)
I am trying to configure AnyConnect (AC) so that I can connect remotely and get my resources on the LAN while out. I am to connect with AC and when you use split tunnel I'm browsing the web very well, but I have no access to the local network (without ICMP or TCP/UDP)
Route looks good in customer AC
unsecured network 0.0.0.0/0
secure network 192.168.1.0/24What I'm missing for LAN access?, nat statement, list of access...?
_____________________________
Output of the command: "show run".
: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain name asanames of
192.168.6.2 mask - 192.168.6.100 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.6.0_25 object
subnet 192.168.6.0 255.255.255.128
object-group Protocol DM_INLINE_PROTOCOL_1
icmp protocol object
icmp6 protocol-object
outside_access_in list extended access permit icmp any any idle state
outside_access_in extended access list allow icmp6 all all idle state
outside_access_in_1 list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
list of access allowed standard LAN 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 30
VPN-idle-timeout 5
internal GroupPolicy_AC_Profile group strategy
attributes of Group Policy GroupPolicy_AC_Profile
WINS server no
4.2.2.2 DNS server value
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value LAN
naisus.local value by default-field
XX XX encrypted privilege 15 password username
name of user XX attributes
WebVPN
chip-tunnel tunnel-policy tunnelall
type tunnel-group AC_Profile remote access
attributes global-tunnel-group AC_Profile
address pool VPN-pool
Group Policy - by default-GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
enable AC_Profile group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: endI'm not positive that's causing the problem, but I noticed that you have defined incoherent poolside VPN as a 24 (in the command name and that name is associated with the tunnel group) and 25 (in the command object on the network that is also referenced in the statement of NAT exempting NAT to that object). True your pool assigns addresses from the lower half of the 24, but still...
I try to simplify things by using a single object for something like that, which is used in several places. With the help of objects the way they are intended, and which allows to avoid any discrepancies.
Maybe you are looking for
-
Problems of its Windows Vista on the Qosmio F30
Hello Ive recently installed windows vista on my Qosimio F30 and I have sound problems. Effects sound ok but speaking is really pretty and distort. I tried editing a new driver for him but he manages at the end and says driver not installed correctly
-
the HP pavilion a6567c bios error
Today, I installed the latest bios for my hp Pavilion. I followed the instructions but after I restarted it would give error 0x7B with which I figured out ways my bios is damaged. I would like to know if I can reinstall my bios or what I can do to fi
-
I have a code: 643 not allowing updates. There are 5 total updates that fail every time. What can I do about it? All 5 updates are net. Framework security updates. Can someone Please helpme?
-
Hello guys, I just bought a lenovo A2109 of a Chinese Web site. the Tablet works fine but the thing is I is not market google on this subject, only the Witch of lenovo is in chinease, and I can not install many Jules Destrooper on it. I want to chang
-
How to send when the access Internet (SES) provider does not provide an SMTP server?
Help! I just changed provider, to find that my new provider does not have a server address to use for outgoing e-mail. I am currently using Windows Live Mail on Windows 7. I don't seem to have any kind of Outlook on my computer. I have the suite Offi