Client VPN und Cisco asa 5505 tunnel work but no traffic

Hi all

I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

I have the following problem:

I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

What I did wrong. Could someone let me know what I have to do today.

With hope for your help Dimitri.

ASA configuration after reset and basic configuration: works to the Internet from within the course.

: Saved

: Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

!

ASA Version 8.2 (2)

!

ciscoasa hostname

activate 2KFQnbNIdI.2KYOU encrypted password

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

PPPoE client vpdn group home

IP address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system Disk0: / asa822 - k8.bin

passive FTP mode

clock timezone THATS 1

clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

DNS domain-lookup outside

DNS server-group DefaultDNS

Server name 194.25.0.60

Server name 194.25.0.68

DM_INLINE_TCP_1 tcp service object-group

port-object eq www

EQ object of the https port

inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

inside_access_in list extended access deny ip any any debug log

inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-625 - 53.bin

ASDM location 192.168.0.0 255.255.0.0 inside

ASDM location 192.168.10.0 255.255.255.0 inside

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH timeout 5

Console timeout 0

VPDN group home request dialout pppoe

VPDN group House localname 04152886790

VPDN group House ppp authentication PAP

VPDN username 04152886790 password 1

dhcpd outside auto_config

!

dhcpd address 192.168.1.5 - 192.168.1.36 inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

TFTP server 192.168.1.5 inside c:/tftp-root

WebVPN

Group Policy inner residential group

attributes of the strategy of group home group

value of 192.168.1.1 DNS server

Protocol-tunnel-VPN IPSec

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list homegroup_splitTunnelAcl

username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

user01 username attributes

VPN-strategy group home group

tunnel-group home group type remote access

attributes global-tunnel-group home group

address homepool pool

Group Policy - by default-homegroup

tunnel-group group residential ipsec-attributes

pre-shared-key ciscotest

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

: end

Hello

Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

If you connect via VPN, check the following:

1. the tunnel is established:

HS cry isa his

Must say QM_IDLE or MM_ACTIVE

2 traffic is flowing (encrypted/decrypted):

HS cry ips its

3. Enter the command:

management-access inside

And check if you can PING the inside ASA VPN client IP.

4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

Federico.

Tags: Cisco Security

Similar Questions

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to implement a VPN site-to site between our data center and office.  The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170.  I managed to configure the two so that the vpn connects.  Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop.  Can anyone help?

    The config below has had IPs/passwords has changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passive FTP mode
    clock timezone IS - 5
    clock to summer time EDT recurring
    DNS server-group DefaultDNS
    buydomains.com domain name
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    inside_access_in list extended access permit icmp any one
    inside_access_in list extended access permitted tcp a whole
    inside_access_in list extended access udp allowed a whole
    inside_access_in of access allowed any ip an extended list
    outside_access_in list extended access permit icmp any one
    outside_access_in list extended access udp allowed any any eq isakmp
    IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
    pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
    outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
    outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    IP verify reverse path to the outside interface
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 623.bin
    don't allow no asdm history
    ARP timeout 14400
    NAT-control
    Global 1 interface (outside)
    NAT (inside) 1 0.0.0.0 0.0.0.0
    inside_access_in access to the interface inside group
    Access-group outside_access_in in interface outside
    Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-registration DfltAccessPolicy
    Enable http server
    http 10.5.0.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
    Crypto dynamic-map ciscopix 1 transform-set walthamoffice
    Crypto dynamic-map ciscopix 1 the value reverse-road
    map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
    dynmaptosw interface card crypto outside
    crypto isakmp identity address
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    crypto ISAKMP policy 13
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    lifetime 28800
    crypto ISAKMP policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    No encryption isakmp nat-traversal
    Telnet 10.5.0.0 255.255.255.0 inside
    Telnet timeout 5
    SSH 10.5.0.0 255.255.255.0 inside
    SSH timeout 5
    Console timeout 0
    management-access inside
    dhcpd address 10.5.0.2 - 10.5.0.254 inside
    dhcpd allow inside
    !

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    NTP server 66.250.45.2 source outdoors
    NTP server 72.18.205.157 source outdoors
    NTP server 208.53.158.34 source outdoors
    WebVPN
    attributes of Group Policy DfltGrpPolicy
    VPN-idle-timeout no
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key *.
    !
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    message-length maximum 512
    !
    context of prompt hostname
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

    Add the statement of rule sheep in asa and try again.

    NAT (inside) 0-list of access pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Concerning

  • AnyConnect VPN for Cisco ASA 5505 refused connections

    I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

    interface Vlan2
    mac-address xxxx.xxxx.xxxx
    nameif outside
    security-level 0
    ip address A.A.A.A 255.255.255.240
    !
    access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
    access-list outside_access_in extended permit tcp any host C.C.C.C eq https
    access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq https
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
    access-list outside_access_in extended permit tcp any host C.C.C.D eq www
    access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
    access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
    access-list outside_access_in extended permit gre any host C.C.C.C
    access-list outside_access_out extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip any interface outside
    access-list inside_access_out extended permit ip any any

    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside

    webvpn
    enable inside
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable

    group-policy DfltGrpPolicy attributes
    dns-server value X.X.X.X
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value
    address-pools value palm
    webvpn
      svc rekey time 30
      svc rekey method ssl
      svc ask enable default webvpn

    policy-map global_policy
    class inspection_default
      inspect pptp
      inspect http
      inspect icmp
      inspect ftp
    !

    When I try to connect, I get this error in the real-time log viewer:

    TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

    Here are the details of the license:

    Licensed features for this platform:
    Maximum Physical Interfaces  : 8
    VLANs                        : 3, DMZ Restricted
    Inside Hosts                 : Unlimited
    Failover                     : Disabled
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    SSL VPN Peers                : 2
    Total VPN Peers              : 10
    Dual ISPs                    : Disabled
    VLAN Trunk Ports             : 0
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled

    This platform has a Base license.

    Can someone tell me what I am doing wrong or what access list I'm missing?

    I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

    Hi Matt,

    You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

    WebVPN

    tunnel-group-list activate

    Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

    HTH

    Herbert

  • Remote IPSec VPN - client Windows 7 and ASA 5505

    Hello

    I'm having trouble with configuring IPSec VPN with Cisco ASA 5505 and Windows 7 client native VPN remotely. My client PC Gets the VPN IP pool address and can access a remote network behind ASA, but then I lose my internet connection. I read that this should be a problem with the split tunneling, but I did as it says here and no luck.

    Windows VPN Client settings, if I uncheck "use default gateway on remote network" I have an internet connection (given that the customer is using a local gateway), but then I can't ping remote network.

    In the log, I see the warnings of this type:

    TCP connection of disassembly 256 for outside:192.168.150.1/49562 to outside:213.199.181.90/80 duration 0: 00:00 0 stream bytes is a loopback (cisco)

    I have attached my configuration file (without configuring split tunneling, I tried). If you need additional newspapers, I'll send them right away.

    Thank you for your help.

    Petar Koraca

    That's what you would have needed on versions 8.3 and earlier versions:

    permit same-security-traffic intra-interface

    Global 1 interface (outside)

    NAT (outside) 1 192.168.150.0 255.255.255.0

    However I see that you are running 8.4 so I think that all you need is this (I never did on 8.4 so it may not be accurate)

    permit same-security-traffic intra-interface

    network of the NETWORK_OBJ_192.168.150.0_24 object

    dynamic NAT interface (outdoors, outdoor)

    Give it a shot and let me know how it goes.

  • Cisco asa 5505 and centos VPN server connection

    Hi all

    Please I want to set up a VPN between Cisco asa 5505 and centos server.

    Here's my senerio

    -------------------------

    ASA 5505

    Public IP 155.155.155.2

    Local NETWORK: 192.168.6.X

    CentOS Server

    ------------------

    Public ip address: 155.155.155.6

    Thank you guys

    Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

    If the remote access, here are the sample configuration:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

  • Cisco ASA 5505 site for multiple subnet of the site.

    Hello. I need help to configure my cisco asa 5505.

    I set up a VPN between two ASA 5505 tunnel

    Site 1:

    Subnet 192.168.77.0

    Site 2:

    Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

    What I need help:

    Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

    And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

    Vlan480 is used for phones. In vlan480, we have a PABX.

    Is this possible to do?

    Any help would be much appreciated!

    Config site 2:

    : Saved

    :

    ASA Version 7.2 (2)

    !

    ciscoasa hostname

    domain default.domain.invalid

    activate the password encrypted x

    names of

    name 192.168.1.250 DomeneServer

    name of 192.168.1.10 NotesServer

    name 192.168.1.90 Steadyily

    name 192.168.1.97 TerminalServer

    name 192.168.1.98 eyeshare w8

    name 192.168.50.10 w8-print

    name 192.168.1.94 w8 - app

    name 192.168.1.89 FonnaFlyMedia

    !

    interface Vlan1

    nameif Vlan1

    security-level 100

    IP 192.168.200.100 255.255.255.0

    OSPF cost 10

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP address 79.x.x.226 255.255.255.224

    OSPF cost 10

    !

    interface Vlan400

    nameif vlan400

    security-level 100

    IP 192.168.1.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan450

    nameif Vlan450

    security-level 100

    IP 192.168.210.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan460

    nameif Vlan460-SuldalHotell

    security-level 100

    IP 192.168.2.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan461

    nameif Vlan461-SuldalHotellGjest

    security-level 100

    address 192.168.3.1 IP 255.255.255.0

    OSPF cost 10

    !

    interface Vlan462

    Vlan462-Suldalsposten nameif

    security-level 100

    192.168.4.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Vlan470

    nameif vlan470-Kyrkjekontoret

    security-level 100

    IP 192.168.202.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan480

    nameif vlan480 Telefoni

    security-level 100

    address 192.168.20.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan490

    nameif Vlan490-QNapBackup

    security-level 100

    IP 192.168.10.1 255.255.255.0

    OSPF cost 10

    !

    interface Vlan500

    nameif Vlan500-HellandBadlands

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Vlan510

    Vlan510-IsTak nameif

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Vlan600

    nameif Vlan600-SafeQ

    security-level 100

    192.168.50.1 IP address 255.255.255.0

    OSPF cost 10

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    switchport access vlan 500

    switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

    switchport mode trunk

    !

    interface Ethernet0/3

    switchport access vlan 490

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passwd encrypted x

    passive FTP mode

    clock timezone WAT 1

    DNS server-group DefaultDNS

    domain default.domain.invalid

    permit same-security-traffic inter-interface

    permit same-security-traffic intra-interface

    Lotus_Notes_Utgaaande tcp service object-group

    UT og Frim Notes Description til alle

    area of port-object eq

    port-object eq ftp

    port-object eq www

    EQ object of the https port

    port-object eq lotusnotes

    EQ Port pop3 object

    EQ pptp Port object

    EQ smtp port object

    Lotus_Notes_inn tcp service object-group

    Description of the inn og alle til Notes

    port-object eq www

    port-object eq lotusnotes

    EQ Port pop3 object

    EQ smtp port object

    object-group service Reisebyraa tcp - udp

    3702 3702 object-port Beach

    5500 5500 object-port Beach

    range of object-port 9876 9876

    object-group service Remote_Desktop tcp - udp

    Description Tilgang til Remote Desktop

    3389 3389 port-object range

    object-group service Sand_Servicenter_50000 tcp - udp

    Description program tilgang til sand service AS

    object-port range 50000 50000

    VNC_Remote_Admin tcp service object-group

    Description Fra ¥ oss til alle

    5900 5900 port-object range

    object-group service Printer_Accept tcp - udp

    9100 9100 port-object range

    port-object eq echo

    ICMP-type of object-group Echo_Ping

    echo ICMP-object

    response to echo ICMP-object

    object-group service Print tcp

    9100 9100 port-object range

    FTP_NADA tcp service object-group

    Suldalsposten NADA tilgang description

    port-object eq ftp

    port-object eq ftp - data

    Telefonsentral tcp service object-group

    Hoftun description

    port-object eq ftp

    port-object eq ftp - data

    port-object eq www

    EQ object of the https port

    port-object eq telnet

    Printer_inn_800 tcp service object-group

    Fra 800 thought-out og inn til 400 port 7777 description

    range of object-port 7777 7777

    Suldalsposten tcp service object-group

    Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

    EQ Port pop3 object

    EQ smtp port object

    http2 tcp service object-group

    Beach of port-object 81 81

    object-group service DMZ_FTP_PASSIVE tcp - udp

    55536 56559 object-port Beach

    object-group service DMZ_FTP tcp - udp

    20 21 object-port Beach

    object-group service DMZ_HTTPS tcp - udp

    Beach of port-object 443 443

    object-group service DMZ_HTTP tcp - udp

    8080 8080 port-object range

    DNS_Query tcp service object-group

    of domain object from the beach

    object-group service DUETT_SQL_PORT tcp - udp

    Description for a mellom andre og duett Server nett

    54659 54659 object-port Beach

    outside_access_in of access allowed any ip an extended list

    outside_access_out of access allowed any ip an extended list

    vlan400_access_in list extended access deny ip any host 149.20.56.34

    vlan400_access_in list extended access deny ip any host 149.20.56.32

    vlan400_access_in of access allowed any ip an extended list

    Vlan450_access_in list extended access deny ip any host 149.20.56.34

    Vlan450_access_in list extended access deny ip any host 149.20.56.32

    Vlan450_access_in of access allowed any ip an extended list

    Vlan460_access_in list extended access deny ip any host 149.20.56.34

    Vlan460_access_in list extended access deny ip any host 149.20.56.32

    Vlan460_access_in of access allowed any ip an extended list

    vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

    vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

    vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

    vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

    vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

    vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

    vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

    vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

    vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

    vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

    vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

    vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

    vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

    Vlan500_access_in list extended access deny ip any host 149.20.56.34

    Vlan500_access_in list extended access deny ip any host 149.20.56.32

    Vlan500_access_in of access allowed any ip an extended list

    vlan470_access_in list extended access deny ip any host 149.20.56.34

    vlan470_access_in list extended access deny ip any host 149.20.56.32

    vlan470_access_in of access allowed any ip an extended list

    Vlan490_access_in list extended access deny ip any host 149.20.56.34

    Vlan490_access_in list extended access deny ip any host 149.20.56.32

    Vlan490_access_in of access allowed any ip an extended list

    Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

    Vlan1_access_out of access allowed any ip an extended list

    Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

    Vlan1_access_out deny ip extended access list a whole

    Vlan1_access_out list extended access permit icmp any any echo response

    Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

    Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

    Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

    Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

    Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

    Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

    Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

    vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

    vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

    Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

    vlan480_access_out of access allowed any ip an extended list

    Vlan510_access_in of access allowed any ip an extended list

    Vlan600_access_in of access allowed any ip an extended list

    Vlan600_access_out list extended access permit icmp any one

    Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

    Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

    Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

    Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

    Vlan600_access_in_1 of access allowed any ip an extended list

    Vlan461_access_in of access allowed any ip an extended list

    Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

    vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

    outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

    outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

    access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

    access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

    access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

    access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

    pager lines 24

    Enable logging

    asdm of logging of information

    MTU 1500 Vlan1

    Outside 1500 MTU

    vlan400 MTU 1500

    MTU 1500 Vlan450

    MTU 1500 Vlan460-SuldalHotell

    MTU 1500 Vlan461-SuldalHotellGjest

    vlan470-Kyrkjekontoret MTU 1500

    MTU 1500 vlan480-Telefoni

    MTU 1500 Vlan490-QNapBackup

    MTU 1500 Vlan500-HellandBadlands

    MTU 1500 Vlan510-IsTak

    MTU 1500 Vlan600-SafeQ

    MTU 1500 Vlan462-Suldalsposten

    no failover

    Monitor-interface Vlan1

    interface of the monitor to the outside

    the interface of the monitor vlan400

    the interface of the monitor Vlan450

    the interface of the Vlan460-SuldalHotell monitor

    the interface of the Vlan461-SuldalHotellGjest monitor

    the interface of the vlan470-Kyrkjekontoret monitor

    Monitor-interface vlan480-Telefoni

    the interface of the Vlan490-QNapBackup monitor

    the interface of the Vlan500-HellandBadlands monitor

    Monitor-interface Vlan510-IsTak

    Monitor-interface Vlan600-SafeQ

    the interface of the monitor Vlan462-Suldalsposten

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 522.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    vlan400_nat0_outbound (vlan400) NAT 0 access list

    NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

    NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

    NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

    NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

    NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

    NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

    NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

    NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

    NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

    NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

    static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

    static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

    static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

    static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

    static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

    static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

    static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

    static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

    static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

    static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

    (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

    (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

    static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

    static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

    static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

    static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

    static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

    static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

    Access-group interface Vlan1 Vlan1_access_out

    Access-group outside_access_in in interface outside

    Access-group outside_access_out outside interface

    Access-group vlan400_access_in in the vlan400 interface

    vlan400_access_out group access to the interface vlan400

    Access-group Vlan450_access_in in the Vlan450 interface

    Access-group interface Vlan450 Vlan450_access_out

    Access-group interface Vlan460-SuldalHotell Vlan460_access_in

    Access-group interface Vlan460-SuldalHotell Vlan460_access_out

    Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

    Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

    Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

    vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

    access to the interface vlan480-Telefoni, vlan480_access_out group

    Access-group interface Vlan490-QNapBackup Vlan490_access_in

    Access-group interface Vlan490-QNapBackup Vlan490_access_out

    Access-group interface Vlan500-HellandBadlands Vlan500_access_in

    Access-group interface Vlan500-HellandBadlands Vlan500_access_out

    Access-group interface Vlan510-IsTak Vlan510_access_in

    Access-group interface Vlan510-IsTak Vlan510_access_out

    Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

    Access-group Vlan600_access_out interface Vlan600-SafeQ

    Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

    Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

    Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    x x encrypted privilege 15 password username

    the ssh LOCAL console AAA authentication

    Enable http server

    http 192.168.210.0 255.255.255.0 Vlan450

    http 192.168.200.0 255.255.255.0 Vlan1

    http 192.168.1.0 255.255.255.0 vlan400

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    card crypto outside_map 20 match address outside_20_cryptomap_1

    card crypto outside_map 20 set pfs

    peer set card crypto outside_map 20 62.92.159.137

    outside_map crypto 20 card value transform-set ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    ISAKMP crypto enable vlan400

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    tunnel-group 62.92.159.137 type ipsec-l2l

    IPSec-attributes tunnel-group 62.92.159.137

    pre-shared-key *.

    Telnet 192.168.200.0 255.255.255.0 Vlan1

    Telnet 192.168.1.0 255.255.255.0 vlan400

    Telnet timeout 5

    SSH 171.68.225.216 255.255.255.255 outside

    SSH timeout 5

    Console timeout 0

    dhcpd update dns both

    !

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

    !

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

    !

    dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

    dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

    dhcpd option 3 ip 192.168.1.1 interface vlan400

    vlan400 enable dhcpd

    !

    dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

    dhcpd ip interface 192.168.210.1 option 3 Vlan450

    enable Vlan450 dhcpd

    !

    dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

    dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

    dhcpd enable Vlan460-SuldalHotell

    !

    dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

    dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

    dhcpd enable Vlan461-SuldalHotellGjest

    !

    dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

    interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

    dhcpd enable vlan470-Kyrkjekontoret

    !

    dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

    !

    dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

    dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

    !

    dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

    dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

    dhcpd enable Vlan500-HellandBadlands

    !

    dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

    dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

    Vlan510-IsTak enable dhcpd

    !

    dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

    dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

    Vlan600-SafeQ enable dhcpd

    !

    dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

    interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

    interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

    Vlan462-Suldalsposten enable dhcpd

    !

    !

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    !

    context of prompt hostname

    Cryptochecksum:x

    : end

    Site 1 config:

    : Saved

    :

    ASA Version 7.2 (4)

    !

    ciscoasa hostname

    domain default.domain.invalid

    activate the password encrypted x

    passwd encrypted x

    names of

    !

    interface Vlan1

    nameif inside

    security-level 100

    IP 192.168.77.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    PPPoE Telenor customer vpdn group

    IP address pppoe setroute

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    switchport access vlan 15

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    passive FTP mode

    DNS server-group DefaultDNS

    domain default.domain.invalid

    outside_access_in list extended access permit icmp any any disable log echo-reply

    access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

    access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

    pager lines 24

    asdm of logging of information

    Within 1500 MTU

    Outside 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 524.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1 0.0.0.0 0.0.0.0

    Access-group outside_access_in in interface outside

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    Enable http server

    http 192.168.77.0 255.255.255.0 inside

    http 192.168.1.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs

    peer set card crypto outside_map 1 79.160.252.226

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto ISAKMP allow inside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Telnet 192.168.77.0 255.255.255.0 inside

    Telnet timeout 5

    SSH timeout 5

    Console timeout 0

    VPDN group Telenor request dialout pppoe

    VPDN group Telenor localname x

    VPDN group Telenor ppp authentication chap

    VPDN x x local store password username

    dhcpd outside auto_config

    !

    dhcpd address 192.168.77.100 - 192.168.77.130 inside

    dhcpd dns 192.168.77.1 on the inside interface

    dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

    dhcpd allow inside

    !

    dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

    !

    tunnel-group 79.160.252.226 type ipsec-l2l

    IPSec-attributes tunnel-group 79.160.252.226

    pre-shared-key *.

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns preset_dns_map

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:x

    : end

    Hello

    The addition of a new network to the existing VPN L2L should be a fairly simple process.

    Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

    Looking at your configurations above it would appear that you need to the following configurations

    SITE 1

    • We add the new network at the same time the crypto ACL and ACL NAT0

    access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

    access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

    SITE 2

    • We add new ACL crypto network
    • We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration

    outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

    Comment by VLAN480-NAT0 NAT0 for VPN access-list

    access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

    NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

    These configurations should pretty much do the trick.

    Let me know if it worked

    -Jouni

  • Failover on Cisco ASA 5505 with EasyVPN

    Hello

    I've implemented a customer EasyVPN with a Cisco ASA 5505 and I am trying to configure the failover but I get this message:

    "Failover cannot be configured as Cisco Easy VPN remote is activated."

    However, I have seen in the link below, this dynamic rollover is compatible with the easy standard (and not with improved but I don't think I use easyVPN improved).

    http://www.Cisco.com/c/en/us/products/collateral/security/iOS-easy-VPN/e...

    The configuration I did through ASDM is very simple:

    vpnclient server * * *.
    vpnclient-mode client mode
    vpngroup vpnclient * password *.
    vpnclient username * password *.
    vpnclient enable

    My question is how can I implement failover with a client on a Cisco ASA 5505 EasyVPN?

    Thanks in advance

    You cannot configure the failover of a device that acts as a client

  • CISCO ASA 5505 no cisco VPN Client

    Hello

    I'm looking for after a firewall Cisco ASA 5505 and want to watch all the owners of it with remote access in but none of us have a support contract with Cisco.

    Is it possible to set up a VPN client not as Microsoft built the client to connect to the ASA?

    Thank you

    Alamb200

    Hello

    Looking for a PPTP on ASA connection?

    The following document provides the following:

    ASA q support PPTP client?

    A. number of the

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#supportfeat

    But we can configure ASA to allow the PPTP connection:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your request is answered. Note the useful messages.

  • Cisco ASA 5505 VPN Site to Site

    Hi all

    First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

    I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

    Please see details below:

    Two ADMS are 7.1

    IOS

    ASA 1

    Nadia

    :

    ASA Version 9.0 (1)

    !

    hostname PAYBACK

    activate the encrypted password of HSMurh79NVmatjY0

    volatile xlate deny tcp any4 any4

    volatile xlate deny tcp any4 any6

    volatile xlate deny tcp any6 any4

    volatile xlate deny tcp any6 any6

    volatile xlate deny udp any4 any4 eq field

    volatile xlate deny udp any4 any6 eq field

    volatile xlate deny udp any6 any4 eq field

    volatile xlate deny udp any6 any6 eq field

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    link Trunk Description of SW1

    switchport trunk allowed vlan 1,10,20,30,40

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    No nameif

    no level of security

    no ip address

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 92.51.193.158 255.255.255.252

    !

    interface Vlan10

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan20

    nameif servers

    security-level 100

    address 192.168.20.1 255.255.255.0

    !

    Vlan30 interface

    nameif printers

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan40

    nameif wireless

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    !

    connection line banner welcome to the Payback loyalty systems

    boot system Disk0: / asa901 - k8.bin

    passive FTP mode

    summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    domain-lookup DNS servers

    DNS lookup domain printers

    DNS domain-lookup wireless

    DNS server-group DefaultDNS

    Server name 83.147.160.2

    Server name 83.147.160.130

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    ftp_server network object

    network of the Internal_Report_Server object

    Home 192.168.20.21

    Description address internal automated report server

    network of the Report_Server object

    Home 89.234.126.9

    Description of server automated reports

    service object RDP

    service destination tcp 3389 eq

    Description RDP to the server

    network of the Host_QA_Server object

    Home 89.234.126.10

    Description QA host external address

    network of the Internal_Host_QA object

    Home 192.168.20.22

    host of computer virtual Description for QA

    network of the Internal_QA_Web_Server object

    Home 192.168.20.23

    Description Web Server in the QA environment

    network of the Web_Server_QA_VM object

    Home 89.234.126.11

    Server Web Description in the QA environment

    service object SQL_Server

    destination eq 1433 tcp service

    network of the Demo_Server object

    Home 89.234.126.12

    Description server set up for the product demo

    network of the Internal_Demo_Server object

    Home 192.168.20.24

    Internal description of the demo server IP address

    network of the NETWORK_OBJ_192.168.20.0_24 object

    subnet 192.168.20.0 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_26 object

    255.255.255.192 subnet 192.168.50.0

    network of the NETWORK_OBJ_192.168.0.0_16 object

    Subnet 192.168.0.0 255.255.0.0

    service object MSSQL

    destination eq 1434 tcp service

    MSSQL port description

    VPN network object

    192.168.50.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_24 object

    192.168.50.0 subnet 255.255.255.0

    service object TS

    tcp destination eq 4400 service

    service of the TS_Return object

    tcp source eq 4400 service

    network of the External_QA_3 object

    Home 89.234.126.13

    network of the Internal_QA_3 object

    Home 192.168.20.25

    network of the Dev_WebServer object

    Home 192.168.20.27

    network of the External_Dev_Web object

    Home 89.234.126.14

    network of the CIX_Subnet object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_84.39.233.50 object

    Home 84.39.233.50

    network of the NETWORK_OBJ_92.51.193.158 object

    Home 92.51.193.158

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    the tcp destination eq ftp service object

    the purpose of the tcp destination eq netbios-ssn service

    the purpose of the tcp destination eq smtp service

    service-object TS

    the Payback_Internal object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    service-object TS

    service-object, object TS_Return

    object-group service DM_INLINE_SERVICE_4

    service-object RDP

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    object-group service DM_INLINE_SERVICE_5

    purpose purpose of the MSSQL service

    service-object RDP

    service-object TS

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service DM_INLINE_SERVICE_6

    service-object TS

    service-object, object TS_Return

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    Note to outside_access_in to access list that this rule allows Internet the interal server.

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-list of FTP access

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list of SMTP access

    Note to outside_access_in to access list Net Bios

    Comment from outside_access_in-SQL access list

    Comment from outside_access_in-list to access TS - 4400

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

    access host access-list outside_access_in note rule internal QA

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

    Notice on the outside_access_in of the access-list access to the internal Web server:

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

    Note to outside_access_in to access list rule allowing access to the demo server

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list to access MSSQL

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

    Note to outside_access_in access to the development Web server access list

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

    AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

    AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

    Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

    permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

    pager lines 24

    Enable logging

    information recording console

    asdm of logging of information

    address record

    [email protected] / * /.

    the journaling recipient

    [email protected] / * /.

    level alerts

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 servers

    MTU 1500 printers

    MTU 1500 wireless

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-711 - 52.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (wireless, outdoors) source Dynamics one interface

    NAT (servers, outside) no matter what source dynamic interface

    NAT (servers, external) static source Internal_Report_Server Report_Server

    NAT (servers, external) static source Internal_Host_QA Host_QA_Server

    NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

    NAT (servers, external) static source Internal_Demo_Server Demo_Server

    NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    NAT (servers, external) static source Internal_QA_3 External_QA_3

    NAT (servers, external) static source Dev_WebServer External_Dev_Web

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 84.39.233.50
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 192.168.10.0 255.255.255.0 inside
    SSH 192.168.40.0 255.255.255.0 wireless
    SSH timeout 5
    Console timeout 0

    dhcpd 192.168.0.1 dns
    dhcpd outside auto_config
    !
    dhcpd address 192.168.10.21 - 192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    paybackloyalty.com dhcpd option 15 inside ascii interface
    dhcpd allow inside
    !
    dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
    dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
    dhcpd update dns of the wireless interface
    dhcpd option 15 ascii paybackloyalty.com wireless interface
    dhcpd activate wireless
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal Payback_VPN group strategy
    attributes of Group Policy Payback_VPN
    VPN - 10 concurrent connections
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
    attributes of Group Policy DfltGrpPolicy
    value of 83.147.160.2 DNS server 83.147.160.130
    VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
    internal GroupPolicy_84.39.233.50 group strategy
    attributes of Group Policy GroupPolicy_84.39.233.50
    VPN-tunnel-Protocol ikev1, ikev2
    Noelle XB/IpvYaATP.2QYm username encrypted password
    Noelle username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
    Éanna attributes username
    VPN-group-policy Payback_VPN
    type of remote access service
    Michael qpbleUqUEchRrgQX of encrypted password username
    user name Michael attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
    user name Danny attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
    user name Aileen attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
    Aidan username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    shane.c iqGMoWOnfO6YKXbw encrypted password username
    username shane.c attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Shane uYePLcrFadO9pBZx of encrypted password username
    user name Shane attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, encrypted James TdYPv1pvld/hPM0d password
    user name James attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Mark yruxpddqfyNb.qFn of encrypted password username
    user name brand attributes
    type of service admin
    username password of Mary XND5FTEiyu1L1zFD encrypted
    user name Mary attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
    Massimo username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    type tunnel-group Payback_VPN remote access
    attributes global-tunnel-group Payback_VPN
    VPN1 address pool
    Group Policy - by default-Payback_VPN
    IPSec-attributes tunnel-group Payback_VPN
    IKEv1 pre-shared-key *.
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 General-attributes
    Group - default policy - GroupPolicy_84.39.233.50
    IPSec-attributes tunnel-group 84.39.233.50
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the pptp
    inspect the rsh
    inspect the rtsp
    inspect the sip
    inspect the snmp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect xdmcp
    inspect the icmp error
    inspect the icmp
    !
    service-policy-international policy global
    192.168.20.21 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0 (1)

    !

    Payback-CIX hostname

    activate the encrypted password of HSMurh79NVmatjY0

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    Description this port connects to the local network VIRTUAL 100

    switchport access vlan 100

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    switchport access vlan 100

    !

    interface Ethernet0/4

    switchport access vlan 100

    !

    interface Ethernet0/5

    switchport access vlan 100

    !

    interface Ethernet0/6

    switchport access vlan 100

    !

    interface Ethernet0/7

    switchport access vlan 100

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 84.39.233.50 255.255.255.240

    !

    interface Vlan100

    nameif inside

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    banner welcome to Payback loyalty - CIX connection line

    passive FTP mode

    summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    DNS server-group defaultDNS

    Name-Server 8.8.8.8

    Server name 8.8.4.4

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the host-CIX-1 object

    host 192.168.100.2

    Description This is the VM server host machine

    network object host-External_CIX-1

    Home 84.39.233.51

    Description This is the external IP address of the server the server VM host

    service object RDP

    source between 1-65535 destination eq 3389 tcp service

    network of the Payback_Office object

    Home 92.51.193.158

    service object MSQL

    destination eq 1433 tcp service

    network of the Development_OLTP object

    Home 192.168.100.10

    Description for Eiresoft VM

    network of the External_Development_OLTP object

    Home 84.39.233.52

    Description This is the external IP address for the virtual machine for Eiresoft

    network of the Eiresoft object

    Home 146.66.160.70

    Contractor s/n description

    network of the External_TMC_Web object

    Home 84.39.233.53

    Description Public address to the TMC Web server

    network of the TMC_Webserver object

    Home 192.168.100.19

    Internal description address TMC Webserver

    network of the External_TMC_OLTP object

    Home 84.39.233.54

    External targets OLTP IP description

    network of the TMC_OLTP object

    Home 192.168.100.18

    description of the interal target IP address

    network of the External_OLTP_Failover object

    Home 84.39.233.55

    IP failover of the OLTP Public description

    network of the OLTP_Failover object

    Home 192.168.100.60

    Server failover OLTP description

    network of the servers object

    subnet 192.168.20.0 255.255.255.0

    being Wired network

    192.168.10.0 subnet 255.255.255.0

    the subject wireless network

    192.168.40.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the Eiresoft_2nd object

    Home 137.117.217.29

    Description 2nd Eiresoft IP

    network of the Dev_Test_Webserver object

    Home 192.168.100.12

    Description address internal to the Test Server Web Dev

    network of the External_Dev_Test_Webserver object

    Home 84.39.233.56

    Description This is the PB Dev Test Webserver

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_2

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_3

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_4

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_5

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_6

    service-object MSQL

    service-object RDP

    the Payback_Intrernal object-group network

    object-network servers

    Wired network-object

    wireless network object

    object-group service DM_INLINE_SERVICE_7

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_8

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_9

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_10

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_11

    service-object RDP

    the tcp destination eq ftp service object

    outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

    Note to access list OLTP Development Office of recovery outside_access_in

    outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

    Comment from outside_access_in-access Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

    Note to outside_access_in access to OLTP for target recovery Office Access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

    Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

    outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

    Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

    outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

    Note to outside_access_in access from the 2nd IP Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

    outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

    NAT (inside, outside) static source Development_OLTP External_Development_OLTP

    NAT (inside, outside) static source TMC_Webserver External_TMC_Web

    NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

    NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

    NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 92.51.193.156 255.255.255.252 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

    All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    being REMOTE-LAN network

    255.255.255.0 subnet 192.168.100.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

    Other suggestions

    These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

    PAT-SOURCE network object-group

    source networks internal PAT Description

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    no nat (wireless, outdoors) source Dynamics one interface

    no nat (servers, outside) no matter what source dynamic interface

    The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

    Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

    network of the SERVERS object

    subnet 192.168.20.0 255.255.255.0

    network of the VPN-POOL object

    192.168.50.0 subnet 255.255.255.0

    NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

    no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    ASA2

    Minimal changes

    the object of the LAN network

    255.255.255.0 subnet 192.168.100.0

    being REMOTE-LAN network

    192.168.10.0 subnet 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM.

    Other suggestions

    PAT-SOURCE network object-group

    object-network 192.168.100.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

    Hope this makes any sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • Cisco ASA 5505 VPN passthrough

    Hello

    @home i'f installed a Cisco asa 5505 because the provider has the modem cable in transparent mode. So I have the public IP address to my firewall.

    Also for the training because we have in the work of the asa. So I have no feeling with her.

    but sometimes I have to build a VPN session to a server at work. But I do not get a connection to the server. If I remove the ASA 5505, then the connection to the server of work is great. But if to ASA 5505 is back in its place. It does not log VPN to the outside world.

    Could someone point me in the right direction?

    It is possible to create a connection out to the Cisco ASA5505 VPN.

    Thanks in advance

    Greetings

    Palermo

    Hi Palermo,

    You do not have to mention the type of VPN connection, you use.

    If the PPTP protocol then you need to inspect the traffic for the SAA allow again from 'outside '. Try the following:

     ! class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default inspect pptp ! service-policy global_policy global !

    see you soon,

    SEB.

  • What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

    Hi all

    Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

    You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.

    Michael

    Please note all useful posts

  • Cisco Asa 5505 and level 3 with remote access VPN switch

    Today I had a new CISCO LAYER 3 switch... So here's my scenrio

    Cisco Asa 5505

    I have

    Outside of the == 155.155.155.x

    Inside = 192.168.7.1

    Address POOL VPN = 10.10.10.1 - 10.10.10.20

    3 layer switch configuration

    VLAN 2

    ip address of the interface = 192.168.1.1

    VLAN 2

    ip address of the interface = 192.168.2.1

    VLAN 2

    ip address of 192.168.3.1 = interface

    VLAN 2

    ip address of the interface = 192.168.4.1

    VLAN 2

    ip address of the interface = 192.168.5.1

    IP Routing

    So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

    Thanks to you all

    Al ready has responded

    Sent by Cisco Support technique iPad App

  • Renew the certificate of identity on Cisco ASA 5505, do I have to renew all user certificates?

    n00b questions.

    I have to renew my SSL certificate of identity soon on my Cisco ASA 5505.  I'll have to renew all my certificates for client on their devices, so they can establish a vpn tunnel?

    Hi dsartoros,

    If you encounter a self signed (generated locally) identity certificate renewed, then you will need to download this certificate on the clients so that they can connect without getting "untrusted server certificate error".

    If you renew a certificate issued by a 3rd party CA (sending of CSR to CA) and certificate, then you will not need to make any changes on the client as they already trust the certification authority that issues the certificate first root.

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • View of the horizon 3.5.0 and ThinApp v4.7 with Cisco ASA Smart Tunnel 9.3.3

    Hello

    The problem:

    Our technology smart tunnel doesn't seem to be forward traffic to our new customer from the view.  I wonder what kind of configuration changes must be considered to enable such a connection.  The error returned when searching for the host name goes in the direction of the hostname not found.  Error finding of intellectual property is related to the time-out.

    Background information and specifications:

    We are in the process of upgrading our servers from 5.2 to 6.2 connection.  As part of the upgrade, we want to improve our customers for the Horizon to use version 3.5.0.  To make it easier on vendors and remote computers we prefer also to our Horizon View Client with ThinApp 4.7.3 ThinApp.  We currently have a Cisco ASA, supporting a SSL VPN portal with "Smart Tunnel" technology.  The ASA is currently on firmware 9.3.3 in production, but we have access to version 9.5 in test.

    Preferred connection scenario:

    User > PC > VMware View Client (ThinApp would be) > Cisco ASA Smart Tunnel > view connection server > Virtual Office

    .exe running on the client to view ThinApp:

    It seems the ThinApp Client version view is only launching VMware - view.exe.

    .exe running from the customer view full/thickness:

    VMware - view.exe

    -ftnlsv.exe

    -vmwsprrdpwks.exe

    -ftscanmgr.exe

    There is something else to consider when the view client configuration ThinApp or thickness to work with Cisco SSL VPN Portal and the Smart Tunnel?  We should have ports configured in the client in connection with the same view Firewall works with SSL VPN Portal port redirector functionality.

    We have not been able to find any documentation on how to properly configure the smart to work with the New Horizon 3.5.2 client Tunnel.  A ticket of troubleshooting with Cisco suggests that the Smart Tunnel feature still perhaps not compatible with this new Horizon (thin or thick) client.  Currently, we are looking at other options because it is not not clear whether Cisco will be able to get us the confirmation or offer a solution without delay of our project to upgrade.  Maybe stick to the previous VMware View Client version 5.4.0 which we know work with Smart Tunnel in some situations and with the redirector port for others.

  • VPN IPSec passthrough ASA 5505 (v9.2.4) - connected but no access

    Hello

    Here's my situation:

    I am trying to connect a client IPSec VPN via an ASA 5505 to an other ASA 5505. In fact, I can make the connection to the VPN but all accesses are blocked (ping or IP access).

    When I use a router ISP directly or at home, I have no problem (ping and IP access follow the firewall rules). Connection and access are allowed.

    Schema:

    I have attached both the configuration for this post

    I've recently updated 8.2.5 ASA 8.4.6 and 9.2.4. An another ASA 5505 v8.2.5 works well in both way (via ASA VPN connection) and the VPN through ASA1 this ASA.

    I have tried many solution to solve the problem (nat/ipsec static inspection), but I failed to solve it. I tried to see asp in ASA1 drop, but I was right to drop only "nat-xlate-failed".

    Thanks for your help because I'm going crazy...

    Olivier,

    PS: Sorry for my English...

    Hi Olivier,.

    Could enable you icmp on the ASA inspection?

    Use this command and check:

    fixup protocol icmp

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

Maybe you are looking for