Default route inside the tunnel VPN Site to site

We want to carry the default traffic within the site to site VPN tunnel, our goal is to route all traffic including default branch road and HO HO help branch for surfing the internet.

I have due to difficulties

1. cannot configure dynamic NAT for the router in the branch on the ASA HO, I know configuration for 8.2, but know not about 8.4

This is the configuration for the 8.2, if someone can translate to 8.4, which would be a great help

NAT (outside) 1 192.168.230.0

2. I do not know how to write the default route on the branch office router to send all traffic within the VPN tunnel

Hello

As I understand it then you want to route ALL traffic from the Remote Site to the Central Site and manage Internet traffic there.

I suppose you could define "interesting traffic" in configuring VPN L2L ACL / access-list in the following way

Branch router

extended IP access list

allow an ip

ASA central

ip access list allow one

The idea behind the type of ACL for the VPN L2L above configurations is that, for example, the branch office router has a rule that sets connection coming from the local LAN for 'any' destination address must be sent to the VPN L2L connection. So, it would be in such a way that all the traffic will be sent to the Central Site via VPN L2L.

I must say however, that the VPN router configurations side are not more familiar to me because I manage especially with ASA Firewall (and to some extent still PIX and FWSMs)

I guess that on the ASA Central you will PAT translation to "outside" so that the host can access the Internet?

You would probably do something like this

object-group network to REMOTE-SITE-PAT-SOURCE

network-object

interface of REMOTE-SITE-PAT-SOURCE dynamic NAT (outside, outside) after auto source

If you don't want to use the 'outside' IP address, then you will have to create a 'network of object' for address IP of PAT and use it in the line of NAT configuration above instead of "interface".

Alternate configuration might be

network of the REMOTE-SITE-PAT object

subnet

dynamic NAT interface (outdoors, outdoor)

You also need to enable

permit same-security-traffic intra-interface

To allow traffic to enter and exit the same interface on the ASA

All these answers are naturally suggestion on what you have to do. I don't know what kind of configurations you have right now.

Hope this helps in some way

-Jouni

Post edited by: Jouni Forss

Tags: Cisco Security

Similar Questions

How to restrict the tunnel VPN Site to site traffic thrue

Hello

I have a tunnel from site to site, where Site 1 is the local site and main site. and 2 the site is the remote site.

How to limit the traffic of site 2, so that they can only reach a few IPS on the lokal site.

But since the lokal site all IP addresses must be able to reach all of the IP addresses to site 2 (remotely).

an access list to the 'inside' interface does not work, since all the acl is bypassed for the interfaces for IPSEC traffic.

Then, I tried to make a political group where I only allow traffic to servers specifik, but site 2 can still reach everything on the lokal site.

Am I missing here?

Best regards

Erik

Hi Erik,

Unfortunately, the only options that we have are VPN filters that are two-way and disabling the sysopt feature.

If you have a core switch/router we can block traffic on this device by using the access list or null routes.

See you soon,.

Nash.

Bring up the tunnel vpn crypto without interesting traffic map

Is it possible on ASA to bring up the tunnel vpn site to site static crypto map without generating interesting traffic? I want to reverse route injection generate road dynamic until traffic begins to flow.

Roman,

Unless something chnaged recently RRI inserts routes without present SAs, meaning that they are static (in contrast to current default behavior on IOS 12.4 (9) T-I_think leave).

But to answer the question, in more recent versions, you can bring up the tunnel using packet - trace CLI.

M.

Edit: request for improvement that will present the same features of IPP on ASA as on IOS:

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCsx67450

Tunnel of Split VPN Setup ASA to force inside the tunnel for single address

Hi all

We have an ASA with IPSec VPN facility to addresses Internet of Tunnel from Split. We have an Internet address that must come from the external interface of the ASA. I have added this address to the list of split tunnel and confirmed on the client that is the road to the tunnel, but I'm not able to get to this address via the VPN.

How the ASA to allow this unique Internet address to come via the VPN and route back on the same interface to the Internet and the return traffic to back up in the client VPN tunnel.

I need to get to the address is 213.92.42.118. Here's the config relavent (let me know if I left anything):

interface GigabitEthernet0/0
nameif outside
IP 1.1.1.1 255.255.255.0
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
name 10.80.177.0 VPN_Pool
Outbound_Ports tcp service object-group
port-object eq www
access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
access-list extended users allow icmp a whole
access-list extended users enable a tcp
access-list extended users allow udp a whole
users_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
standard access list users_splitTunnelAcl allow 192.168.43.0 255.255.255.0
users_splitTunnelAcl list standard access allowed 192.168.40.0 255.255.255.0
users_splitTunnelAcl list standard access allowed host 213.92.42.118

FWOB list extended access permit tcp any any Outbound_Ports object-group

Global (LUXCVGASA01e) 2 1.1.1.1

NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0
NAT 0 access-list sheep (LUXCVGASA01i)

Any help is appreciated.

-Jeff

Hi Jeff,

Just had a chance to look through the Setup and I guess that configured nat is incorrect.

access-list extended sheep allowed any ip VPN_Pool 255.255.255.0
NAT 0 access-list sheep (LUXCVGASA01i)
NAT (LUXCVGASA01i) 2 10.0.0.0 255.0.0.0

Global (LUXCVGASA01e) 2 1.1.1.1

The access-list says sheep that ALL traffic goes to the pool of the VPN to go UN-natted. So, when you try to access the public ip address via the tunnel VPN, the traffic the ASA, ASA then performs a search destination NAT and matches the nat command "nat (LUXCVGASA01i) 0 access-list sheep." If the ASA detects a destination NAT translation, it will bypass route search and uses the destination NAT translation to determine the output interface (in this scenario, the output interface is LUXCVGASA01i.

So, to resolve this problem, change the acl sheep from "any to VPN_Pool 255.255.255.0" inside"to the network VPN_Pool 255.255.255.0.

clear xlate and re-initialization of the tunnel, and this should solve the problem.

Let me know if that answers your query.

Kind regards

Manisha masseur

Tunnel VPN site to Site with 2 routers Cisco 1921

Hi all

So OK, I'm stumped. I create much s2s vpn tunnels before, but this one I just can't go there. It's just a tunnel VPN Site to Site simple using pre-shared keys. I would appreciate it if someone could take a look at our configs for both routers running and provide a comment. This is the configuration for both routers running. Thank you!

Router 1

=======

Current configuration: 4009 bytes

!

! Last configuration change at 19:01:31 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRSJ host name

!

boot-start-marker

boot-end-marker

!

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

DHCP excluded-address 192.168.200.1 IP 192.168.200.110

DHCP excluded-address IP 192.168.200.200 192.168.200.255

!

IP dhcp POOL SJWHS pool

network 192.168.200.0 255.255.255.0

default router 192.168.200.1

10.10.2.1 DNS server 10.10.2.2

!

!

no ip domain search

IP-name 10.10.2.1 Server

IP-name 10.10.2.2 Server

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-236038042

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 236038042

revocation checking no

rsakeypair TP-self-signed-236038042

!

!

TP-self-signed-236038042 crypto pki certificate chain

certificate self-signed 01

30820241 308201AA A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

8B1E638A EC

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 112.221.44.18

!

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 112.221.44.18

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

192.168.200.1 IP address 255.255.255.0

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/1

Description wireless bridge

IP 172.17.1.2 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

Verizon DSL description for failover of VPN

IP 171.108.63.159 255.255.255.0

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

network 172.17.1.0 0.0.0.255

network 192.168.200.0

redistribute static

passive-interface GigabitEthernet0/0

passive-interface FastEthernet0/0/0

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 172.17.1.1

IP route 112.221.44.18 255.255.255.255 171.108.63.1

!

access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

=======

Router 2

=======

Current configuration: 3719 bytes

!

! Last configuration change at 18:52:54 UTC Wednesday, February 22, 2012 by asiuser

!

version 15.0

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

SJWHS-RTRHQ host name

!

boot-start-marker

boot-end-marker

!

logging buffered 1000000

!

No aaa new-model

!

!

!

!

No ipv6 cef

IP source-route

IP cef

!

!

!

!

no ip domain search

!

Authenticated MultiLink bundle-name Panel

!

!

Crypto pki trustpoint TP-self-signed-3490164941

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3490164941

revocation checking no

rsakeypair TP-self-signed-3490164941

!

!

TP-self-signed-3490164941 crypto pki certificate chain

certificate self-signed 01

30820243 308201AC A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

EA1455E2 F061AA

quit smoking

license udi pid xxxxxxxxxx sn CISCO1921/K9

!

!

!

redundancy

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key presharedkey address 171.108.63.159

!

86400 seconds, duration of life crypto ipsec security association

!

Crypto ipsec transform-set esp-3des esp-md5-hmac IPSecTransformSet1

!

map CryptoMap1 10 ipsec-isakmp crypto

defined by peer 171.108.63.159

game of transformation-IPSecTransformSet1

match address 100

!

!

!

!

!

interface GigabitEthernet0/0

no ip address

automatic duplex

automatic speed

!

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

IP 10.10.1.6 255.255.0.0

!

interface GigabitEthernet0/1

IP 172.17.1.1 255.255.255.0

automatic duplex

automatic speed

!

!

interface FastEthernet0/0/0

IP 112.221.44.18 255.255.255.248

automatic duplex

automatic speed

card crypto CryptoMap1

!

!

!

Router eigrp 88

Network 10.10.0.0 0.0.255.255

network 172.17.1.0 0.0.0.255

redistribute static

passive-interface GigabitEthernet0/0

passive-interface GigabitEthernet0/0.1

!

IP forward-Protocol ND

!

no ip address of the http server

local IP http authentication

IP http secure server

!

IP route 0.0.0.0 0.0.0.0 112.221.44.17

!

access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255

!

!

!

!

!

!

control plan

!

!

!

Line con 0

Synchronous recording

local connection

line to 0

line vty 0 4

exec-timeout 30 0

Synchronous recording

local connection

transport input telnet ssh

!

Scheduler allocate 20000 1000

end

When the GRE tunnel carries your traffic to private ip range, your ACL must contain address of the host of point to point the IPSec tunnel.

Since then, both routers are running EIGRP in the corporate network, let the EIGRP Exchange routes via GRE tunnel, which is a good practice, rather than push the ip ranges private individual through the IPSec tunnel.

Let me know, if that's what you want.

Thank you

How to install the VPN Client and the tunnel from site to site on Cisco 831

How can I configure a Cisco 831 router (Branch Office) so that it will accept incoming VPN Client connections and initiate tunneling IPSec site to site on our hub site that uses a VPN 3005 concentrator? I could get the tunnel to work by configuring it in a dynamic encryption card, but interesting traffic side Cisco 831 would not bring the tunnel upward. I could only put on the side of the hub. If I use a static encryption card and apply it to the external interface of the 831 I can get this working but then I couldn't get the VPN Client to work.

Thank you.

The dynamic map is called clientmap
The static map is called mymap

You should have:

no card crypto not outmap 10-isakmp ipsec dynamic dynmap
map mymap 10-isakmp ipsec crypto dynamic clientmap

interface Ethernet1
crypto mymap map

Federico.

Can not handle the ASA inside the interface of Site to Site VPN

Hi all

I was deploying new site to site between ASA 8.0 (HQ) and ASA 8.4 (branch). Everything works fine but I have a problem on the ASA-reach remote that I can't manage branch ASA with inside the interface IP address.

My setup on remote ASA

management-access inside

ICMP allow any inside

SSH 0.0.0.0 0.0.0.0 inside

SNMP-server host inside 10.0.1.101 communitry test-snmp version 2 c

My Test

-ping of the AC for inside the interface of remote ASA
- Client time-out see demand
- When debug icmp on ASA remote then ASA show only ICMP request to HQ no response back from remote ASA
I'm not sure whether it's a bug on ASA 8.4 or not because I can manage a remote other ASA what version 8.0 software HQ

Thanks in advance

Do not know what 8.4 version you use, but it is broken in the 8.4 (2), I stumbled upon the upgrade from same problem. SSH and ASDM will not connect through a VPN L2L interface inside. This worked well in 8.4 (1).

CSCtr16184

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

[email protected] / * /.

Command to check the tunnel VPN S2S awhile in the cisco router

Dear all,

Please share the command check S2S tunnel of time that is configured on the router.

There are commands that define the lifetimes of (his) IPSec Security Associations, ISAKMP.

For example:

crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600

life 3599 seconds crypto ipsec security association

... and you can determine the remaining lifetime for these SAs with the following commands:

SH detail session crypto

SH in detail its crypto isakmp

SH crypto ipsec his

The delta between the lifetime (s) configured and remaining life will tell you how much time has passed since the last regeneration, but that is as close you are likely to have to determine when the tunnel came first.

You could use other means as States of syslog for you say when a Tunnel is a transitioning upwards or downwards.

Best regards

Mike

% 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510

Hi friends,

I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.

Error in CISCO VPN Client software:

Secure VPN connection terminated locally by the client.

Reason: 414: unable to establish a TCP connection.

Error in CISCO ASA 5510

7-ASA-710005%: TCP request and eliminated from 49276 outward: 10000

The ASA configuration:

XYZ # sh run
: Saved
:
ASA Version 8.4 (4)
!
hostname XYZ
domain XYZ
activate the password encrypted 3uLkVc9JwRA1/OXb N3
activate the encrypted password of R/x90UjisGVJVlh2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside_rim
security-level 0
IP 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
full duplex
nameif XYZ_DMZ
security-level 50
IP 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
Speed 100
full duplex
nameif outside
security-level 0
IP address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
Speed 100
full duplex
nameif inside
security-level 100
IP 3.3.3.3 255.255.255.224
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
domain XYZ
network object obj - 172.17.10.3
Home 172.17.10.3
network object obj - 10.1.134.0
10.1.134.0 subnet 255.255.255.0
network object obj - 208.75.237.0
208.75.237.0 subnet 255.255.255.0
network object obj - 10.7.0.0
10.7.0.0 subnet 255.255.0.0
network object obj - 172.17.2.0
172.17.2.0 subnet 255.255.255.0
network object obj - 172.17.3.0
172.17.3.0 subnet 255.255.255.0
network object obj - 172.19.2.0
172.19.2.0 subnet 255.255.255.0
network object obj - 172.19.3.0
172.19.3.0 subnet 255.255.255.0
network object obj - 172.19.7.0
172.19.7.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.2.0.0
10.2.0.0 subnet 255.255.0.0
network object obj - 10.3.0.0
10.3.0.0 subnet 255.255.0.0
network object obj - 10.4.0.0
10.4.0.0 subnet 255.255.0.0
network object obj - 10.6.0.0
10.6.0.0 subnet 255.255.0.0
network object obj - 10.9.0.0
10.9.0.0 subnet 255.255.0.0
network object obj - 10.11.0.0
10.11.0.0 subnet 255.255.0.0
network object obj - 10.12.0.0
10.12.0.0 subnet 255.255.0.0
network object obj - 172.19.1.0
172.19.1.0 subnet 255.255.255.0
network object obj - 172.21.2.0
172.21.2.0 subnet 255.255.255.0
network object obj - 172.16.2.0
172.16.2.0 subnet 255.255.255.0
network object obj - 10.19.130.201
Home 10.19.130.201
network object obj - 172.30.2.0
172.30.2.0 subnet 255.255.255.0
network object obj - 172.30.3.0
172.30.3.0 subnet 255.255.255.0
network object obj - 172.30.7.0
172.30.7.0 subnet 255.255.255.0
network object obj - 10.10.1.0
10.10.1.0 subnet 255.255.255.0
network object obj - 10.19.130.0
10.19.130.0 subnet 255.255.255.0
network of object obj-XXXXXXXX
host XXXXXXXX
network object obj - 145.248.194.0
145.248.194.0 subnet 255.255.255.0
network object obj - 10.1.134.100
Home 10.1.134.100
network object obj - 10.9.124.100
Home 10.9.124.100
network object obj - 10.1.134.101
Home 10.1.134.101
network object obj - 10.9.124.101
Home 10.9.124.101
network object obj - 10.1.134.102
Home 10.1.134.102
network object obj - 10.9.124.102
Home 10.9.124.102
network object obj - 115.111.99.133
Home 115.111.99.133
network object obj - 10.8.108.0
10.8.108.0 subnet 255.255.255.0
network object obj - 115.111.99.129
Home 115.111.99.129
network object obj - 195.254.159.133
Home 195.254.159.133
network object obj - 195.254.158.136
Home 195.254.158.136
network object obj - 209.164.192.0
subnet 209.164.192.0 255.255.224.0
network object obj - 209.164.208.19
Home 209.164.208.19
network object obj - 209.164.192.126
Home 209.164.192.126
network object obj - 10.8.100.128
subnet 10.8.100.128 255.255.255.128
network object obj - 115.111.99.130
Home 115.111.99.130
network object obj - 10.10.0.0
subnet 10.10.0.0 255.255.0.0
network object obj - 115.111.99.132
Home 115.111.99.132
network object obj - 10.10.1.45
Home 10.10.1.45
network object obj - 10.99.132.0
10.99.132.0 subnet 255.255.255.0
the Serversubnet object-group network
object-network 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
the XYZ_destinations object-group network
object-network 10.1.0.0 255.255.0.0
object-network 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
object-network 10.12.0.0 255.255.0.0
object-network 172.19.1.0 255.255.255.0
object-network 172.19.2.0 255.255.255.0
object-network 172.19.3.0 255.255.255.0
object-network 172.19.7.0 255.255.255.0
object-network 172.17.2.0 255.255.255.0
object-network 172.17.3.0 255.255.255.0
object-network 172.16.2.0 255.255.255.0
object-network 172.16.3.0 255.255.255.0
host of the object-Network 10.50.2.206
the XYZ_us_admin object-group network
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
the XYZ_blr_networkdevices object-group network
object-network 10.200.10.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 XXXXXXXX
access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
access list acl-outside scope permit ip any host 172.17.10.3
access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
access list acl-outside extended permit tcp any any eq 10000
access list acl-outside extended deny ip any any newspaper
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
!
network object obj - 172.17.10.3
NAT (XYZ_DMZ, outside) static 115.111.99.134
Access-group acl-outside in external interface
Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
86400 seconds, duration of life crypto ipsec security association
Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
Crypto-map dynamic dyn1 1jeu reverse-road
card crypto vpn 1 corresponds to the address XYZ
card 1 set of peer XYZ Peer IP vpn crypto
1 set transform-set vpn1 ikev1 vpn crypto card
card crypto vpn 1 lifetime of security set association, 3600 seconds
card crypto vpn 1 set security-association life kilobytes 4608000
correspondence vpn crypto card address 2 DON'T
2 peer NE_Peer IP vpn crypto card game
2 set transform-set vpn2 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 2 set security-association
card crypto vpn 2 set security-association life kilobytes 4608000
card crypto vpn 4 corresponds to the address ML_VPN
card crypto vpn 4 set pfs
vpn crypto card game 4 peers ML_Peer IP
4 set transform-set vpn4 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 4 set - the security association
card crypto vpn 4 set security-association life kilobytes 4608000
vpn crypto card 5 corresponds to the address XYZ_global
vpn crypto card game 5 peers XYZ_globa_Peer IP
5 set transform-set vpn5 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 5 set - the security association
card 5 security-association life set vpn crypto kilobytes 4608000
vpn crypto card 6 corresponds to the address Da_VPN
vpn crypto card game 6 peers Da_VPN_Peer IP
6 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 6 set - the security association
card crypto vpn 6 set security-association life kilobytes 4608000
vpn crypto card 7 corresponds to the address Da_Pd_VPN
7 peer Da_Pd_VPN_Peer IP vpn crypto card game
7 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 7 set - the security association
card crypto vpn 7 set security-association life kilobytes 4608000
vpn outside crypto map interface
crypto map vpn_reliance 1 corresponds to the address XYZ_rim
card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
card crypto vpn_reliance 1 set security-association life kilobytes 4608000
card crypto vpn_reliance interface outside_rim
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
crypto isakmp identity address
No encryption isakmp nat-traversal
Crypto ikev1 enable outside_rim
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 4
preshared authentication
aes-256 encryption
sha hash
Group 5
life 28000
IKEv1 crypto policy 5
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 10.8.100.0 255.255.255.224 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
internal XYZ_c2s_vpn group strategy
username testadmin encrypted password oFJjANE3QKoA206w
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
type tunnel-group XYZ_c2s_vpn remote access
attributes global-tunnel-group XYZ_c2s_vpn
address pool XYZ_c2s_vpn_pool
IPSec-attributes tunnel-group XYZ_c2s_vpn
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
Review the ip options
!
global service-policy global_policy
level 3 privilege see the running-config command exec mode
logging of orders privilege see the level 3 exec mode
privilege see the level 3 exec mode command crypto
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end

XYZ #.

Good news

Follow these steps:

network object obj - 172.30.10.0_24

172.30.10.0 subnet 255.255.255.0

!

the LOCAL_NETWORKS_VPN object-group network

object-network 1.1.1.0 255.255.255.0

!

NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search

* Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.

Keep me posted.

Thank you.

Please note all messages that will be useful.

Connectivity to the remote VPN site adjacent networks

Star topology with Corporate office which acts as hub (192.168.1.x) and remote sites connected by relay frames, except for another network (172.16.x.x) in the building served by 3560 switch company.

On my remote site vpn (10.0.1.x) I can ping network 172.16.x.x, but not the 192.168.1.x network. What I'm trying to do is to allow the network traffic remote 10.0.1.x (which connects directly via the VPN network 172.16.x.x) to reach the network 192.168.1.x and vice versa.

I'm sure its a combination of NAT/routing issue I forget.

I'm new to PIX / ASA in general and it's the first vpn L2L I install. If someone can point me in the right direction, I would appreciate it.

Thank you.

It looks like this?

10.0.1.x->-> Corp. ASA L2L tunnel - >->-> 192.168.1.x 3560 172.16.x.x

and that you can currently communicate via the tunnel between 10.0 and 172.16? In order to communicate between 10.0 and 192.168.1, you will need to define this interesting traffic and add it to your crypto and nat exemption acl.

Corp site

extended access-list allow ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

extended access-list allow ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

NAT (inside) - 0 access list

Remote site

access-list extended ip 10.0.1.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

access-list extended ip 10.0.1.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

NAT (inside) - 0 access list

Tunnel VPN Site to Site PIX

I'm having a terrible time linking two Site to Site VPN PIX. I don't spin all VPN Clients, nor will I in the future. When I start debugging on the VPN connection, it gives me this result:

Peer VPN: ISAKMP: approved new addition: ip:xxx.xxx.xxx.3 Total VPN peer: 1

Peer VPN: ISAKMP: ip:xxx.xxx.xxx.3 Ref cnt is incremented to peers: 1 Total peer VPN: 1

ISAKMP (0): early changes of Main Mode

crypto_isakmp_process_block: CBC xxx.xxx.xxx.3, dest xxx.xxx.xxx.246

Exchange OAK_MM

ISAKMP (0): treatment ITS payload. Message ID = 0

ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10

ISAKMP: DES-CBC encryption

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): audit ISAKMP transform 1 against 20 priority policy

ISAKMP: DES-CBC encryption

ISAKMP: MD5 hash

ISAKMP: default group 2

ISAKMP: preshared auth

ISAKMP: type of life in seconds

ISAKMP: lifespan (IPV) 0 x 0 0 x 1 0 x 51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication

to return to the State is IKMP_NO_ERROR

crypto_isakmp_process_block: CBC xxx.xxx.xxx.3, dest xxx.xxx.xxx.246

Exchange OAK_MM

ISAKMP (0): processing KE payload. Message ID = 0

ISAKMP (0): processing NONCE payload. Message ID = 0

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): provider v6 code received xauth

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): Peer Remote supports dead peer detection

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): load useful treatment vendor id

ISAKMP (0): addressing another box of IOS!

ISAKMP (0): ID payload

next payload: 8

type: 1

Protocol: 17

Port: 500

Length: 8

ISAKMP (0): the total payload length: 12

to return to the State is IKMP_NO_ERROR

ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.

local (identity) = xxx.xxx.xxx.246, distance = xxx.xxx.xxx.3,

local_proxy = 192.168.0.0/255.255.255.0/0/0 (type = 4),

remote_proxy = 10.1.1.0/255.255.255.0/0/0 (type = 4)

ISAKMP (0): retransmission of phase 1...

ISAKMP (0): delete SA: src xxx.xxx.xxx.246 dst xxx.xxx.xxx.3

ISADB: Reaper checking HIS 0x814265e8, id_conn = 0 DELETE IT!

If I run an isakmp crypto see the his

Total: 1

Embryonic: 1

Src DST in the meantime created State

xxx.xxx.xxx.3 xxx.xxx.xxx.246 MM_KEY_EXCH 0 0

He won't let the State (other than to take down the tunnel) MM_KEY_EXCH. I'm positive 99% that correspond to public keys. Is there something else that could cause it to give the MM_KEY_EXCH message and do not create the tunnel? Public keys are case-sensitive? What is the message of "talking with another box of IOS"? Here is a copy of the configuration:

name 192.168.0.0 vpn

permit access ip 10.0.0.0 list inside_outbound_nat0_acl 255.0.0.0 255.255.0.0 vpn

permit access ip 10.0.0.0 list outside_cryptomap_20 255.0.0.0 255.255.0.0 vpn

NAT (inside) 0-list of access inside_outbound_nat0_acl

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

outside_map 20 ipsec-isakmp crypto map

card crypto outside_map 20 match address outside_cryptomap_20

card crypto outside_map 20 peers set xxx.xxx.xxx.246

outside_map card crypto 20 the transform-set ESP-DES-MD5 value

outside_map interface card crypto outside

ISAKMP allows outside

ISAKMP key * address xxx.xxx.xxx.246 netmask 255.255.255.255 No.-xauth-no-config-mode

part of pre authentication ISAKMP policy 20

encryption of ISAKMP policy 20

ISAKMP policy 20 md5 hash

20 2 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

Any help would be greatly appreciated.

Daryl,

You can post a new ISAKMP debug output. You can test the remote peer? Don't you see the on the ACL crypto access numbers? You will see the 'talk to another box of IOS' on output debugging because the two boxes are running IOS - this isn't a mistake!

Let me know-

Jay

The tunnel from site to Site - just traffic flowing in one direction.

Greetings to all,

I configured a (Site-to-Site) IPSec tunnel between an ASA5510 and Linux Sytem connection a network has with a and B network in the following way:

* Chart:

#---------------IPSec-----------------#

private network (A) - router Linux (GW1) - WAN-(GW2) ASA5510 - public network (B).

* Results:

I checked the IPSec Tunnel on the linux router and the Phase 1 and Phase 2 are on the RISE. ASDM also shows an IPSec connection with the correct settings (GW, LAN, left network etc.).

If I understand "show iskmp crypto his ', ' show crypto ikev1 his ' and ' show crypto ipsec his" also shows that the connection is correct and MORE.

* Now comes the interesting thing:

If I ping from network A to network B, the icmp echo request go thorugh the tunnel and I can see the Rx bytes on the cisco ASA pick-me-up.

If I ping from network to network B, I do not see any Tx Bytes on the Tunnel. The Linux router does not see also all packets through the tunnel.

When I ping from network to network B, the firewall logs ICMP denies. This means that traffic from B to A, I don't know why, is does not match the corresponding ACL of Tunnel, the icmp, packets are routed to the default gateway instead through the tunnel and they are then adapt a less specific rule droping on the main firewall.

* Configurations:

I specially configured Crypto card that corresponds to networks in both directions.

There is an ACL that allows traffic in both directions.

There is a NAT rules that allows traffic between the two networks without being coordinated, so that the two networks to pass freely through the tunnels.

* Ideas?

crypto card?

NAT?

ACL?

security at the level of the interface?

Thanks in advance.

Hey Gomez,

Please try the plotter command of package

CIP in icmp 8 0 detailed

the output of this command would show where the package is abandoned

Please send the output of the above command

HTH!

Concerning

Regnier

Tunnel VPN site to Site - aggressive Mode

I searched the community for answers to this and that you have not found quite what I was looking for (or what seems logical). I have an ASA 5510 to A site with one website VPN tunnel to a SonicWall to site B. Which works very well. I need to create a tunnel for site C to site a using a tunnel of aggressive mode. I'm not quite sure how to do this. Any suggestion would be great!

NOTE: I have included the parts of the running configuration that seem relevant to me. If I missed something please let me know.

ASA Version 8.2 (1)

interface Ethernet0/0

nameif outside

security-level 0

IP 1.2.3.4 255.255.255.248

!

10.5.2.0 IP Access-list extended site_B 255.255.255.0 allow 10.205.2.0 255.255.255.128

access extensive list ip 10.5.2.0 site_C allow 255.255.255.0 10.205.2.128 255.255.255.128

dynamic-access-policy-registration DfltAccessPolicy

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha1

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto VPN 30 card matches the address site_B

card crypto VPN 30 peer set 4.3.2.1

crypto VPN 30 the transform-set 3des-sha1 value card

card crypto VPN 40 corresponds to the address site_C

card crypto VPN. 40 set peer 8.7.6.5

crypto VPN. 40 the transform-set 3des-sha1 value card

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Crypto isakmp nat-traversal 30

crypto ISAKMP ipsec-over-tcp port 10000

attributes of Group Policy DfltGrpPolicy

Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

tunnel-group 4.3.2.1 type ipsec-l2l

4.3.2.1 tunnel-group ipsec-attributes

pre-shared-key *.

tunnel-group 8.7.6.5 type ipsec-l2l

IPSec-attributes tunnel-group 8.7.6.5

pre-shared-key *.

David,

Please try this:

clear crypto ipsec its peer site_c_IP

clear configure VPN 40 crypto card

card crypto VPN 10 corresponds to the address site_C

card crypto VPN 10 set peer 8.7.6.5

crypto VPN 10 the transform-set 3des-sha1 value card

debug logging in buffered memory

capture drop all circular asp type

capture capin interface inside the match ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

After generating the traffic and INTERNAL of the machine behind the ASA:

view Journal | 10.205.2 Inc.

See the fall of cap. 10.205.2 Inc.

view Cape capin

In case it does not work:

(a) show the crypto classic table ASP.

(b) details of vpn-framework for table ASP.

(c) show cry its site_c peer ipsec

(d) entry packet - trace within the icmp 10.5.2.15 8 0 10.205.2.130 detail

(e) see the crypto ipsec his

At the same time, please.

Let me know how it goes.

Thank you

Portu.

Please note all useful posts

Default route change in tunnel

I have a Cisco ASA 5510, which provides routing functions and an acts as a virtual private network. I'm trying to configure the VPN so that customers route all their traffic through the default gateway provided by the ASA. It is a split tunnel configuration, but when clients connect, they always seem to use their old default gateway to route traffic. I tried a few different things and I'm sure it's due to the static route entry by default in the configuration:

Route outside 0.0.0.0 0.0.0.0 69.12.252.209 1

I think I changed to the tunnel. However, when I try to do either from the CLI or the ASA ADSM hangs for 30 minutes and won't do anything (including road traffic).

It is the straight line config which is causing the problem? No idea why I can't edit it?

Hi Tim,.

If you want to send all traffic to the VPN clients to reach the ASA for a different default gateway, you must set the tunnel on the command line option

Now that I can understand you use split tunnel and what you are looking for is to send all traffic to the ASA vpn clients and then make a u-turn and use the same default gateway of the SAA.

To do this, you must do the following:

1. take the configuration of tunnel of splitting the group policy that you want to encrypt and send all traffic from VPN clients through the tunnel of the ASA, then from this place outside using the same gateway as ASA.

Permit even enable 2-security-traffic intra-interface to allow traffic to turn around

3 configure a Nat rule (outside, outside) from the pool of the VPN client to the external interface of the ASA

Example of the nat using 8.3

network of the VPN_POOL object

10.0.0.0 subnet 255.255.255.0

output

interface NAT (outside, outside) dynamic source VPN_POOL

Who must make the man!

Concerning

Julio

Tunnel VPN site to Site with DDNS

I have a hub site that has a static ip address and a remote site with DDNS. I am building a Site to Site tunnel between them, I can do this with the static ip address, but when he changes the tunnel breaks down, so I need a way to the ASA to know when this ip address changes. How can I do this?

Thank you

To my knowledge, DDNS for VPN is supported only on router IOS not on ASA.

If you use ASA on the head of network, you may need to use EasyVPN

http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080912cfd.shtml

EasyVPN VPN must be started from the remote site.

Default route inside the tunnel VPN Site to site

Similar Questions

Maybe you are looking for