Documentation for cisco asa ipsec l2tp / windows 7

Similar Questions

• It is recommended to have a vulnerability for Cisco ASA device scan.

  Dear everybody.

  I have a doubt about the analysis of vulnerabilities for Cisco ASA device. Currently we have a vulnerability to network devices include firewalls. But after race for cisco ASA vulnerability scanning, found nothing in the analysis report.

  Is it is recommended to have a Cisco ASA vulnerability scanning and it will defeat the purpose of the firewall?

  I do not understand you ask you can set the ASA to allow an external user, run an analysis on the internal network?

  If so the answer is generally no. The ASA, by default, not allow incoming connections (or attempts of connections) that are not explicitly allowed in a list of inbound access (applied to the external interface). In most cases there should also be (NAT) network address translation rules configured.

  If you had a remote access VPN, you can allow external scanner to connect through that, then they would have the necessary access to analyze internal systems (assuming that allowed VPN access to all internal networks)

• AnyConnect VPN for Cisco ASA 5505 refused connections

  I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

  interface Vlan2
  
      mac-address xxxx.xxxx.xxxx
  
      nameif outside
  
      security-level 0
  
      ip address A.A.A.A 255.255.255.240
  
      !
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq www
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
  
      access-list outside_access_in extended permit icmp any any
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
  
      access-list outside_access_in extended permit gre any host C.C.C.C
  
      access-list outside_access_out extended permit ip any any
  
      access-list inside_access_in extended permit ip any any
  
      access-list inside_access_in extended permit ip any interface outside
  
      access-list inside_access_out extended permit ip any any
  access-group inside_access_in in interface inside
  
      access-group inside_access_out out interface inside
  
      access-group outside_access_in in interface outside
  
      access-group outside_access_out out interface outside
  webvpn
  
      enable inside
  
      enable outside
  
      svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  
      svc enable
  group-policy DfltGrpPolicy attributes
  
      dns-server value X.X.X.X
  
      vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  
      split-tunnel-policy tunnelspecified
  
      split-tunnel-network-list value
  
      address-pools value palm
  
      webvpn
  
        svc rekey time 30
  
        svc rekey method ssl
  
        svc ask enable default webvpn
  policy-map global_policy
  
      class inspection_default
  
        inspect pptp
  
        inspect http
  
        inspect icmp
  
        inspect ftp
  
      !
  

  When I try to connect, I get this error in the real-time log viewer:

  TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
  

  Here are the details of the license:

  Licensed features for this platform:
  
      Maximum Physical Interfaces  : 8
  
      VLANs                        : 3, DMZ Restricted
  
      Inside Hosts                 : Unlimited
  
      Failover                     : Disabled
  
      VPN-DES                      : Enabled
  
      VPN-3DES-AES                 : Enabled
  
      SSL VPN Peers                : 2
  
      Total VPN Peers              : 10
  
      Dual ISPs                    : Disabled
  
      VLAN Trunk Ports             : 0
  
      Shared License               : Disabled
  
      AnyConnect for Mobile        : Disabled
  
      AnyConnect for Linksys phone : Disabled
  
      AnyConnect Essentials        : Disabled
  
      Advanced Endpoint Assessment : Disabled
  
      UC Phone Proxy Sessions      : 2
  
      Total UC Proxy Sessions      : 2
  
      Botnet Traffic Filter        : Disabled
  This platform has a Base license.
  

  Can someone tell me what I am doing wrong or what access list I'm missing?

  I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

  Hi Matt,

  You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

  WebVPN

  tunnel-group-list activate

  Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

  HTH

  Herbert

• License problem of security context for Cisco ASA 5585

  Hello

  Can someone help me in license number for the ASA 5585 security environment,

  We recently purchased a box ASA (5585) which has 2 default security context and we had like to have context for this ASA 25 permit and we got two codes PAK of Cisco for 20 licenses and 5 respectively.

  When we generate the license key by combining the two codes Portal Cisco PAK and apply the same on ASA, do not see the 25; Instead, it shows only 20.

  Is it really possible to stack context like 20 + 5 licenses or to buy a PAK code for any license 25 context?

  Please advise me on this.

  Thanks in advance!

  Kind regards

  Kam

  Hello

  This should probably not be handled with Cisco directly or through the company that got you the license.

  To my knowledge, there is a possibility that the you have everything first to install a license key and the other licence could be upgraded from the previous license until the following limit of function under license.

  I had several occasions where I was provided with the wrong license and had to communicate with Cisco/provider to get licenses appropriate for my device.

  While I was announcing this response I checked the document of licensing for ASA models. It seems to me that there is no security content license 25 for the SAA. The deadline is 20 and license of SC 50 SC

  Check this document:

  http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/intro_license.html#wp1230400

  -Jouni

• Cisco ASA IPSEC from the understanding of a site to tunnel auth using certificates

  assuming that my company and another company (BBT) attempt to set up a tunnel to a site by using certificates. lets say we have asa 5520 s and have agreed to use says that our certification authority.

  On my end, I do registration certificate using SCEP Protocol and suggests that the end BBT is set up exactly the same way.

  First, I generate a pair of keys RSA - Im assuming that it is key to my ASA public private for the encryption and decryption-(pls correct me if wrong Im)

  Then I set up a trustpoint to registration certificate (in this case, it will be Server CA Entrust). I will set up my full domain name and the parameters of CRL.

  Then, I get a certificate of the AC CA. This package contains a fingerprint of the certificate which is loaded on my ASA. apparently - the fingerprint of the certificate is used by the 'end' entity to authenticate the received CA certificate. Why would the final entity to authenticate a CA certificate that has already been installed on this subject?
  In other words, what really does this print? Surely this cant be the same footprint that GETS installed on the BBT ASA?

  Finally, I request and install a certificate of identity. It asks for a password? I believe that it is used in case I want to make changes to the certificate, such as the revocation of the certificate. (Once again, please correct me if wrong Im)

  a few additional questions

  during the phase of authentication isakmp how my asa verifies that the certificate that the ASA BBT sent was indeed signed by the certification authority approved. How exactly?

  My ASA and ASA BBT must trust the same CA. In other words, it must be set up the same trustpoints?
  or can I have to entrust CA server as a trustpoint and verisign?

  How the certificate authentication process works since the ASA receives valuable traffic through the exchange of encrypted data?

  1 million thanks!

  Hello west33637,

  You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

  I would try to separate your questions and see if I can answer.  I will speak without using the SCEP Protocol because it adds a layer of complexity that can be confusing.

  (Q) Comment can I get a certificate?

  1 generate a RSA key pair.  A pair of RSA keys as you indicate has a public and private key.  Public and private keys are large number created by multiplying the other prime number (very simple explanation).  These keys are used for encryption simple control.  The private key is kept private and never awarded.  The public key is provided for everyone through the certificate received from the device.

  Data encrypted by the public key can only be decrypted by the private key and vice versa.

  more details here: http://en.wikipedia.org/wiki/RSA

  2. we create a trustpoint (container to configure and set parameters in the certificate).  In the trustpoint that we associate the RSA key pair, give a name (usually the FQDN of the server that will present this certificate), configure if certificates that are authenticated by the trustpoint must also be checked in the LCR... etc.

  3. then we can create CSR using the crypto ca enroll command.  Now, we take this REA and provide it to Entrust.  If this is done via the SCEP protocol you would have already done the next step of the authentication of the trustpoint.

  4. When you receive a certificate from a third party, such as Entrust, they should also provide the certificate chain that allows the authentication of the certificate that they have signed all the way upward at the root (self-signed certificate server, the certificate must already be approved by most of the systems of operation/web-browsers).  We want to install the string in the ASA because the ASA does not trust any certificate by default, it has an empty certificate store.

  5. on the SAA, we now install the string provided by Entrust.  Usually your identification certificate will be signed by an intermediate CA, just like the certificate of supportforums.cisco.com.  Trustpoint ASA system for a CA (root or intermediate) and an ID (identity) by trustpoint.  So we will probably have at least a trustpoint more.

  Crypto ca trustpoint Entrust_ROOT

  Terminal registration

  output

  authenticate the crypto ca trustpoint Entrust_ROOT

  Don't forget to use trustpoint names who will lead them to you and your organization.  Create a trustpoint for each of the CA certificates except for the signer of the certificate direct to your ID.  Authenticate the signer directly in the trustpoint even where you install your certificate ID.

  the import of crypto ca trustpoint ID certificate.

  You should now have a fully usable authenticated certificate.  PKCS12 import require a certificate to decrypt the private key that is stored in a PKCS12.  But if you generate your CSR on the same device that when you install the certificate, then it would not need to export PKCS12 and a password.

  ---

  A small side is not on the signature, a signature of certificate (fingerprint), also known as the name of a digital signature is a hash of the certificate encrypted with the signer's private key.  As we know, whatever it is encrypted with a key only can be decrypted by the public key... all those who approves the signer's public key.  So when you receive the certificate, and you already trust the signer, then 1) to decrypt the signature and 2) check that your certificate hash table corresponds to the decrypted hash... If the decrypted hash does not match then you do not trust the certificate.

  For example, you can watch the certificate for supportforums.cisco.com,

  The topic is: CN = supportforums.cisco.com

  The subject of sender (signatory) is CN = Akamai subordinate CA 3

  Akamai subordinate CA 3 is an intermediate certification authority.  It is not self-signed

  CN = Akamai subordinate CA 3 issuer is CN = GTE CyberTrust Global Root

  CN = GTE CyberTrust Global Root is a certificate root (Self signed).

  We would like to install this entire chain in the ASA so that we can provide this certificate and chain to any device and safely as long as this device trusts CN = GTE CyberTrust Global Root, then it should be able to verify the signatures of the intermediary and, finally, our certificate of identity of us trust.

  ---

  Looking for another post to do a quick discussion about how the certificate is used in ISAKMP and IPSec.

  Kind regards
  Craig

• Updates for Cisco ASA

  What are the steps to enable to Qualys do a scan an ASA5505 IDS/IPS?

  What are the steps to apply the update on an ASA5505 during the "Cisco PIX invalid TCP Checksum back vulnerability"?

  What the patch for CVE-2014-8730?

  You ASA has no IPS module, so there is no need to do something special to enable a scan from Qualys IDS/IPS.

  Your ASA software is very old - like 8-1/2 years. The currently recommended for this model version is 9.1 (7).

  You must first upgrade to 8.4 (6) then to 9.1 (7). This is stated in the Release Notes which have a link to a detailed guide.

  SMARTnet support for a single ASA 5505 is only US $71 for a year. This material includes software and support of TAC. Part number "CON-SNT-AS5K8" applies and can be purchased by any authorized Cisco distributor or partner.

• Can someone give me details and difficulty regarding the vulnerability of traumatic psychosis for Cisco ASA version 5?

  We have experienced frm, our compliance team that we run in traumatic psychosis wanted vulnerabity so know the fix and document...

  Hi James,

  We have a PSIRT filed regarding the vulnerability of traumatic psychosis, please see details below:

  CSCur00511    Evaluation of the ACS for CVE-2014-6271 and CVE-2014-7169

  https://Tools.Cisco.com/bugsearch/bug/CSCur00511/?reffering_site=dumpcr

  Here is the information of fixed code to various versions:

  Fixed code:
  Patch for CSCur00511 of the DDT is ready and available on CCO.
  The patch is included in all update rollups version 5.4.0.46.7/5.5.0.46.6/5.6.0.22.1 and later. We recommend that you download the latest cumulative patches.

  Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
  Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.4 / 5.4.0.46.0

  Patch file name: 5-4-0-46 -.tar.gpg
  Read me and displays instructions: Acs-5-4-0-46--Readme.txt

  Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
  Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.5 / 5.5.0.46

  Patch file name: 5-5-0-46 -.tar.gpg
  Read me and displays instructions: Acs-5-5-0-46--Readme.txt

  Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
  Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.6 / 5.6.0.22

  Patch file name: 5-6-0-22 -.tar.gpg
  Read me and displays instructions: Acs-5-6-0-22--Readme.txt

  Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
  Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.3 / 5.3.0.40

  Patch file name: 5-3-0-40 -.tar.gpg
  Read me and displays instructions: Acs-53 - Readme.txt

  Kind regards

  Tushar Bénard

  Please evaluate the post if you find it useful!

• How to set up the ASDM/HTTP access for Cisco ASA firewall

  Hi all

  I am looking for a solution / guide that will allow our ASA 5510, V8.4 (5) Firewall, ASDM version 6.4 (9) to help users Active Directory. I want to activate our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exist but not a password of General knowledge)

  Anyone would be abe to advise on a guide / Solution.

  Thank you very much

  If that you issue correctly you want active tpo AD authention for AMPS/HTTP access to the ASA. If it is correct that you have need of the following using the CLI to enable that command

  ASA-32-22 (config) # aaa authentication http console?

  set up the mode commands/options:

  LOCAL server predefined Protocol AAA 'local' tag

  Name WORD of RADIUS or GANYMEDE + aaa-server for the administrative group

  authentication

  After the console you needd to defind the name of the AD server you have configured on the SAA.

  You can do the same thing by using ASDM:

  

  Change LOCAL to the announcement that there are listed.

  I hope that answers your question.

  Thank you

  Jeet Kumar

• Cisco asa 5505 and centos VPN server connection

  Hi all

  Please I want to set up a VPN between Cisco asa 5505 and centos server.

  Here's my senerio

  -------------------------

  ASA 5505

  Public IP 155.155.155.2

  Local NETWORK: 192.168.6.X

  CentOS Server

  ------------------

  Public ip address: 155.155.155.6

  Thank you guys

  Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

  If the remote access, here are the sample configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

• Cisco VPN Client and Windows XP VPN Client IPSec to ASA

  I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

  PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

  Config is:

  !

  interface GigabitEthernet0/2.30

  Description remote access

  VLAN 30

  nameif remote access

  security-level 0

  IP 85.*. *. 1 255.255.255.0

  !

  access-list 110 scope ip allow a whole

  NAT list extended access permit tcp any host 10.254.17.10 eq ssh

  NAT list extended access permit tcp any host 10.254.17.26 eq ssh

  access-list extended ip allowed any one sheep

  access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

  sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

  tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

  flow-export destination inside-Bct 192.168.1.27 9996

  IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

  ARP timeout 14400

  global (outside-Baku) 1 interface

  global (outside-Ganja) interface 2

  NAT (inside-Bct) 0 access-list sheep-vpn

  NAT (inside-Bct) 1 access list nat

  NAT (inside-Bct) 2-nat-ganja access list

  Access-group rdp on interface outside-Ganja

  !

  Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

  Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

  Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

  Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

  Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

  Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

  Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

  Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

  dynamic-access-policy-registration DfltAccessPolicy

  Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

  Crypto ipsec transform-set newset aes - esp esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

  Crypto ipsec transform-set vpnclienttrans transport mode

  Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

  life crypto ipsec security association seconds 214748364

  Crypto ipsec kilobytes of life security-association 214748364

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

  card crypto interface for remote access vpnclientmap

  crypto isakmp identity address

  ISAKMP crypto enable vpntest

  ISAKMP crypto enable outside-Baku

  ISAKMP crypto enable outside-Ganja

  crypto ISAKMP enable remote access

  ISAKMP crypto enable Interior-Bct

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  No vpn-addr-assign aaa

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.192 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside Baku

  SSH 10.254.17.18 255.255.255.255 outside Baku

  SSH 10.254.17.10 255.255.255.255 outside Baku

  SSH 10.254.17.26 255.255.255.255 outside-Ganja

  SSH 10.254.17.18 255.255.255.255 outside-Ganja

  SSH 10.254.17.10 255.255.255.255 outside-Ganja

  SSH 192.168.1.0 255.255.255.192 Interior-Bct

  internal vpn group policy

  attributes of vpn group policy

  value of DNS-server 192.168.1.3

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  Split-tunnel-network-list value split tunnel

  BCT.AZ value by default-field

  attributes global-tunnel-group DefaultRAGroup

  raccess address pool

  Group-RADIUS authentication server

  Group Policy - by default-vpn

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  Hello

  For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

  Please see configuration below:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

  or

  http://tinyurl.com/5t67hd

  Please see the section of tunnel-group config of the SAA.

  There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

  So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

  Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

  "crypto isakmp nat-traversal.

  Thirdly, change the transformation of the value

  raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

  Let me know the result.

  Thank you

  Gilbert

• Problem with the VPN site to site for the two cisco asa 5505

  Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

  Cisco Config asa1

  interface Ethernet0/0
  switchport access vlan 1
  !
  interface Ethernet0/1
  switchport access vlan 2
  !
  interface Vlan1
  nameif outside
  security-level 0
  IP address 172.xxx.xx.4 255.255.240.0
  !
  interface Vlan2
  nameif inside
  security-level 100
  IP 192.168.60.2 255.255.255.0
  !
  passive FTP mode
  network of the Lan_Outside object
  192.168.60.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  network of the NETWORK_OBJ_192.168.60.0_24 object
  192.168.60.0 subnet 255.255.255.0
  object-group Protocol DM_INLINE_PROTOCOL_1
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_2
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_3
  ip protocol object
  icmp protocol object
  Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
  Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
  Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
  network of the Lan_Outside object
  NAT (inside, outside) interface dynamic dns
  Access-group Outside_access_in in interface outside
  Inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  Enable http server
  http 192.168.60.0 255.255.255.0 inside
  http 96.xx.xx.222 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto Outside_map 1 corresponds to the address Outside_cryptomap
  card crypto Outside_map 1 set peer 96.88.75.222
  card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
  Outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev2 allow outside
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  inside access management

  dhcpd address 192.168.60.50 - 192.168.60.100 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  internal GroupPolicy_96.xx.xx.222 group strategy
  attributes of Group Policy GroupPolicy_96.xx.xx.222
  VPN-tunnel-Protocol ikev1, ikev2
  username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
  tunnel-group 96.xx.xx.222 type ipsec-l2l
  tunnel-group 96.xx.xx.222 General-attributes
  Group - default policy - GroupPolicy_96.xx.xx.222
  96.XX.XX.222 group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  inspect the icmp error

  ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  Cisco ASA 2 config

  interface Ethernet0/0
  switchport access vlan 1
  !
  interface Ethernet0/1
  switchport access vlan 2
  !
  interface Vlan1
  nameif outside
  security-level 0
  IP address 96.xx.xx.222 255.255.255.248
  !
  interface Vlan2
  nameif inside
  security-level 100
  IP 192.168.1.254 255.255.255.0
  !
  passive FTP mode
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  network of the Lan_Outside object
  subnet 192.168.1.0 255.255.255.0
  network of the NETWORK_OBJ_192.168.60.0_24 object
  192.168.60.0 subnet 255.255.255.0
  network of the NETWORK_OBJ_192.168.1.0_24 object
  subnet 192.168.1.0 255.255.255.0
  object-group Protocol DM_INLINE_PROTOCOL_1
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_2
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_3
  ip protocol object
  icmp protocol object
  object-group Protocol DM_INLINE_PROTOCOL_4
  ip protocol object
  icmp protocol object
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
  Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
  Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
  Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
  pager lines 24
  Enable logging
  asdm of logging of information
  Outside 1500 MTU
  Within 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
  !
  network of the Lan_Outside object
  dynamic NAT (all, outside) interface
  Access-group Outside_access_in in interface outside
  Inside_access_in access to the interface inside group
  Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  AAA authentication http LOCAL console
  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  http 172.xxx.xx.4 255.255.255.255 outside
  No snmp server location
  No snmp Server contact
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec ikev2 ipsec-proposal OF
  encryption protocol esp
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 proposal ipsec 3DES
  Esp 3des encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES
  Esp aes encryption protocol
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 ipsec-proposal AES192
  Protocol esp encryption aes-192
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec ikev2 AES256 ipsec-proposal
  Protocol esp encryption aes-256
  Esp integrity sha - 1, md5 Protocol
  Crypto ipsec pmtu aging infinite - the security association
  card crypto Outside_map 1 corresponds to the address Outside_cryptomap
  card crypto Outside_map 1 set peer 172.110.74.4
  card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
  Outside_map interface card crypto outside
  trustpool crypto ca policy
  IKEv2 crypto policy 1
  aes-256 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 10
  aes-192 encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 20
  aes encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 30
  3des encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  IKEv2 crypto policy 40
  the Encryption
  integrity sha
  Group 2 of 5
  FRP sha
  second life 86400
  Crypto ikev2 allow outside
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  authentication crack
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 20
  authentication rsa - sig
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 30
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 40
  authentication crack
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 50
  authentication rsa - sig
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 60
  preshared authentication
  aes-192 encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 70
  authentication crack
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 80
  authentication rsa - sig
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 90
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 100
  authentication crack
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 110
  authentication rsa - sig
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 120
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 130
  authentication crack
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 140
  authentication rsa - sig
  the Encryption
  sha hash
  Group 2
  life 86400
  IKEv1 crypto policy 150
  preshared authentication
  the Encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH timeout 5
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0

  dhcpd address 192.168.1.50 - 192.168.1.100 inside
  dhcpd allow inside
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  AnyConnect essentials
  internal GroupPolicy_172.xxx.xx.4 group strategy
  attributes of Group Policy GroupPolicy_172.xxx.xx.4
  L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
  username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
  tunnel-group 172.xxx.xx.4 type ipsec-l2l
  tunnel-group 172.xxx.xx.4 General-attributes
  Group - default policy - GroupPolicy_172.xxx.xx.4
  172.xxx.XX.4 group of tunnel ipsec-attributes
  IKEv1 pre-shared-key *.
  remote control-IKEv2 pre-shared-key authentication *.
  pre-shared-key authentication local IKEv2 *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  Review the ip options
  inspect the icmp
  inspect the icmp error
  inspect the http

  For IKEv2 configuration: (example config, you can change to encryption, group,...)

  -You must add the declaration of exemption nat (see previous answer).

  -set your encryption domain ACLs:

  access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

  -Set the Phase 1:

  Crypto ikev2 allow outside
  IKEv2 crypto policy 10
  3des encryption
  the sha md5 integrity
  Group 5
  FRP sha
  second life 86400

  -Set the Phase 2:

  Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
  Esp aes encryption protocol
  Esp integrity sha-1 protocol

  -set the Group of tunnel

  tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
  REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
  IKEv2 authentication remote pre-shared-key cisco123

  
  IKEv2 authentication local pre-shared-key cisco123

  -Define the encryption card

  address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
  card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
  card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
  CRYPTOMAP interface card crypto outside
  crypto isakmp identity address

  On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

  Thank you

• License of IPSec Cisco ASA

  Dear all,

  I want to know how much maximum IPSec connection allowed in my Cisco ASA 5505.

  I want to try VPN L2TP Mac and PC

  TQ

  The devices allowed for this platform:
  The maximum physical Interfaces: 8 perpetual
  VLAN: 20 unrestricted DMZ
  Double ISP: Activated perpetual
  VLAN Trunk Ports: 8 perpetual
  Guests of the Interior: perpetual unlimited
  Failover: Active / standby perpetual
  Encryption - A: enabled perpetual
  AES-3DES-Encryption: activated perpetual
  AnyConnect Premium peer: 25 perpetual
  AnyConnect Essentials: 25 perpetual
  Counterparts in other VPNS: 25 perpetual
  Total VPN counterparts: 25 perpetual
  Shared license: activated perpetual
  AnyConnect for Mobile: activated perpetual
  AnyConnect VPN phone Cisco: activated perpetual
  Assessment of Advanced endpoint: activated perpetual
  Proxy UC phone sessions: 24 perpetual
  Proxy total UC sessions: 24 perpetual
  Botnet traffic filter: activated perpetual
  Intercompany Media Engine: Disabled perpetual
  Cluster: Disabled perpetual

  With this device you can have 25 concurrent VPN sessions, regardless of the type.

• Cisco ASA 5505 VPN L2TP cannot access the internal network

  Hello

  I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

  Can you jhelp me to find the problem?

  I have Cisco ASA:

  within the network - 192.168.1.0

  VPN - 192.168.168.0 network

  I have the router to 192.168.1.2 and I cannot ping or access this router.

  Here is my config:

  ASA Version 8.4 (3)

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP 198.X.X.A 255.255.255.248

  !

  passive FTP mode

  permit same-security-traffic intra-interface

  the net-all purpose network

  subnet 0.0.0.0 0.0.0.0

  network vpn_local object

  192.168.168.0 subnet 255.255.255.0

  network inside_nw object

  subnet 192.168.1.0 255.255.255.0

  outside_access_in list extended access permit icmp any any echo response

  outside_access_in list extended access deny ip any any newspaper

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  NAT dynamic interface of net-all source (indoor, outdoor)

  NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

  NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

  !

  network vpn_local object

  dynamic NAT interface (outdoors, outdoor)

  network inside_nw object

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

  Timeout xlate 03:00

  Pat-xlate timeout 0:00:30

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  identity of the user by default-domain LOCAL

  AAA authentication enable LOCAL console

  the ssh LOCAL console AAA authentication

  AAA authentication http LOCAL console

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

  IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

  transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

  Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

  card crypto 20-isakmp ipsec vpn Dynamics dyno

  vpn outside crypto map interface

  Crypto isakmp nat-traversal 3600

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH timeout 30

  Console timeout 0

  management-access inside

  dhcpd address 192.168.1.5 - 192.168.1.132 inside

  dhcpd dns 75.75.75.75 76.76.76.76 interface inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal sales_policy group policy

  attributes of the strategy of group sales_policy

  Server DNS 75.75.75.75 value 76.76.76.76

  Protocol-tunnel-VPN l2tp ipsec

  user name-

  user name-

  attributes global-tunnel-group DefaultRAGroup

  address sales_addresses pool

  Group Policy - by default-sales_policy

  IPSec-attributes tunnel-group DefaultRAGroup

  IKEv1 pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

  : end

  Thanks for your help.

  You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

  Policy-map global_policy

  class inspection_default

  inspect the icmp

  --

  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• ASA SHA256 integrity for proposal of IPSEC IKEV2

  Hi team,

  I tried to configure SHA256 integrity for IPSEC IKEV2 and SHA256 proposal wasn't available, the version that we run is 9.0 (3). The model of the SAA is 5540 (Legacy). Could someone please help us identify if the same support in the firewall of the inheritance if we improve the IOS in 9.1 (6) as this is the last version available for the box.

  ASA(config-IPSec-Proposal) # integrity Protocol esp?

  Options/IPSec proposal mode controls:

  MD5 md5 hash value

  set null null of hash

  SHA-1 hash sha-1 game

  Thank you

  Vishnu

  Hay he...

  Book 3: Cisco ASA series VPN CLI Configuration Guide, 9.1 - IPSec and ISAKMP - creating a Configuration of Basic IPsec configuration -Note at the end of step 2:

  HA - 256... can also be used for the protection of the ESP integrity on the new platforms ASA (and not 5505, 5510, 5520, 5540 and 5550).

  Given that Cisco has announced the date of end of life for these older platforms

• IPSEC not Pkts on Cisco ASA

  Hi, please I need a help.

  I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.

  But I could not send pkts on this VPN.

  My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network

  ==========================

  FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
  address of the peers: 177.154.83.34
  Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20

  access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
  local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
  Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
  current_peer: 177.154.83.34

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
        #pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 1

  local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
  Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
  current outbound SPI: C1A13463
  current inbound SPI: 5B6B0EAB

  SAS of the esp on arrival:
  SPI: 0x5B6B0EAB (1533742763)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0xFFFFFFFF to 0xFFFFFFFF
  outgoing esp sas:
  SPI: 0xC1A13463 (3248567395)
  transform: aes-256-esp esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 9179136, crypto-card: outside_map0
  calendar of his: service life remaining key (s): 858
  Size IV: 16 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  ===========================

  Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0

  Phase: 1
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 0.0.0.0 0.0.0.0 outdoors

  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DECLINE
  Config:
  Implicit rule
  Additional information:

  Result:
  input interface: outdoors
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: drop
  Drop-reason: flow (acl-drop) is denied by the configured rule

  ===============================

  FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
  outside_map0 card crypto 4 peers set 177.154.83.34
  internal GroupPolicy_177.154.83.34 group strategy
  attributes of Group Policy GroupPolicy_177.154.83.34
  tunnel-group 177.154.83.34 type ipsec-l2l
  tunnel-group 177.154.83.34 general-attributes
  Group - default policy - GroupPolicy_177.154.83.34
  IPSec-attributes tunnel-group 177.154.83.34

  ==============================

  FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
  network 172.31.2.2_32 object
  Home 172.31.2.2
  access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
  access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
  permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
  NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itinerary

  so you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.

  the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.