Threat detection shun duration command
I'm trying to set the shun duration for threat detection on a PIX 525 running v8.0(3). According to the documentation, if a host is considered an attacker it will be shunned for 3600 seconds by default. What I see is that the shun is never removed once a host has been shunned. I would like to set the shun duration myself, but the PIX does not recognize the command:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/protect.html#wp1065813
####################
Step 2 (Optional) To set the shun duration for attacking hosts, enter the following command:
hostname(config)# threat-detection scanning-threat shun duration seconds
##############################
pix(config)# threat-detection scanning-threat shun ?
configure mode commands/options:
  except  Exclude the specified hosts from being shunned
Has anyone seen this? Hutch

Ahh, I understand now. Given that you had posted on the IDS forum I was confused and thought you meant the IDS block/shun feature. I deal a lot with ASA/PIX firewall features. But I checked the 8.0(4) release notes and the 'shun duration' option is a new feature in 8.0(4), which explains why it is not in 8.0(3). Is upgrading to 8.0(4) an option for you? I don't know why the shun isn't removed automatically after 3600 seconds in 8.0(3). I did a quick bug check and could not find one. I hope that someone else on the list might be able to help. If not, you might try posting this question on the NetPro firewall forum, or even contacting the TAC.

What do I do with these multiple threat detections? There are 5 now. I tried to remove them with my AVG, but it did not work at all. Could you help me?

Now my computer sounds rather well; do you think it will be fine now? Carolyn, is there anything else I need to do?

Hello. 1. Were you able to remove the virus? If you were able to remove the virus from your computer, then you need not worry. I also suggest you download and run the latest Microsoft Scanner on your computer and check to see if it helps: http://www.Microsoft.com/security/scanner/en-us/default.aspx Note: infected data files can only be cleaned by removing the file completely, which means there is a risk of data loss.

How to disable threat detection to free up memory on an ASA5505?

Hello. Run the following command to check what is enabled: show run all threat-detection. Then you can remove it: no threat-detection basic-threat. Kind regards, Pedro Lereno

Completely disable Cisco ASA threat detection

Hi all. On a Cisco ASA5510, version 8.2(1) with ASDM v6.2(1), we have this threat detection setting, because we would like to allow all traffic through at this time: Wouldn't it be fair to assume that this setting blocks any traffic that might normally be considered a threat? We assume that the 'Enable scanning' checkbox by itself just analyzes traffic but takes no action.

Yes, you are right. It does not block any IP until you add the "shun" keyword. Thank you and best regards, Maryse Amrodia

LR4.1 RC2 install - threat detected by Norton Internet Security

I just installed LR4.1 RC2 and NIS detected and quarantined two DLLs: mc_dec_mpa.dll and mc_enc_dv.dll. What are they, and is it safe to take these out of quarantine?

They are false positives due to Norton's heuristics. They are safe to remove from quarantine. In fact, if you don't, your video will not work properly. It has been mentioned in the LR release notes: http://blogs.adobe.com/lightroomjournal/2012/03/lightroom-4-0-now-available.html

Threat detected in Google Chrome?

I already know the pop-up message is a total scam, but I was redirected to "shutmac.info", which force-feeds me a warning to call a toll-free number. It won't let me leave the page. I tried closing and reopening the browser, hoping to close the malicious tab in time. Don't go to this site. In any case, unlike Safari, I don't see a way to clear my history outside of the Chrome browser. Is there a way around this problem without restarting? I have many, many unsynchronized favorites. Edit: I backed up my iPad and then restored from this backup. I don't know why this helped, but it allowed me to close the tab before the popup appeared. I would like to know if there is an easier way to go about it.

Unfortunately, with the Google app you can only erase history within the app itself, and if the popup does not let you, there is not much you can do about it. You can remove the app and reinstall it, which is easier than a restore, but at the cost of starting over. An alternative, however, is to force Google to close completely from the multitasking window by double-clicking the Home button and sliding the Google preview pane up until it disappears from the display. You may need to scroll to the left to find it. This will close the application, but if the popup left a cookie in your history it will still be there... Perhaps you could then delete the history. Worth a try next time, perhaps.

Norton won't let me update Minefield: "threat detected". How do I solve this problem?

I'm not able to update Minefield; Norton (from Symantec) deletes the following: updater.exe, each time Firefox is opened. Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; RV:1.9.3a5pre) Gecko/20100506/Minefield 3.7a5pre

Thank you, it worked.

Threat detection - Cisco ASA

Hi Luke. 1 - Yes, there is a shun table. Use the command show threat-detection shun to display a complete list of attackers that were shunned by threat detection specifically. Use the show shun command to display a list of all IP addresses that are actively being shunned by the ASA (including from sources other than threat detection). 2 - Yes, the packet is checked against the shuns first. 3, 4 and 5 - the answer is below: The shun command lets you block connections from an attacking host. All future connections from the source IP address are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking of the shun command is applied whether or not a connection with the specified host address is currently active. If you specify the destination address, source and destination ports, and protocol, then you drop the matching connection as well as placing a shun on all future connections from the source IP address; all future connections are shunned, not just those that match these specific connection parameters. You can only have one shun command per source IP address. Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration. Whenever an interface configuration is removed, all shuns attached to that interface are also removed.
If you add a new interface or replace the same interface (using the same name), then you must add this interface to the IPS sensor if you want the IPS sensor to monitor this interface. Dubey, Shivam

Remote access VPN on ASA 5055

Hey guys... I am starting out with ASA and Cisco configuration; I always use ASDM Launcher to set up or change my Cisco ASA5055 firewall. I tried to enable VPN on my ASA with the IPsec VPN wizard, remote access VPN section, and I did a configuration for Cisco VPN Client (not Windows). Until this moment I still couldn't connect to my VPN. I don't know where exactly the problem is: the routing? or the access list?

When I use the VPN Client to connect to my VPN using the real IP, I get this message. Please, if someone can see the problem, tell me how to solve it by ASDM GUI or CLI, but I prefer ASDM... Note: the VPN tunnel must connect to the 192.168.3.X internal network IP range. Thank you all

Here is the step by step of all the commands that are required so far:

conf t
sysopt connection permit-vpn
crypto isakmp nat-traversal 25
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.14.0 255.255.255.192
group-policy dallas attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DALLAS_splitTunnelAcl
username dallas attributes
 no vpn-group-policy DefaultRAGroup
 vpn-group-policy dallas
no static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.3.229 80 netmask 255.255.255.255
static (inside,outside) tcp interface 132 192.168.3.229 132 netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.3.229 444 netmask 255.255.255.255
static (inside,outside) tcp interface 66 192.168.3.229 66 netmask 255.255.255.255
static (inside,outside) tcp interface 77 192.168.3.229 77 netmask 255.255.255.255
clear xlate

And finally "wr mem" to save the configuration. Regarding spam, the ASA cannot block spam unless you have the CSC module installed on the ASA.

ASA 5505 - remote access VPN to access multiple internal networks

Hi all. A customer has an ASA 5505 with a remote access VPN. They are moving their internal network to a new addressing scheme and would like the users who come in on the VPN to access both the existing and the new networks. Currently they can only access the existing one. When users connect to the remote access VPN, the ASA gives them addresses in 192.168.199.x. The current internal network is 200.190.1.x and they would like to reach their new network, 10.120.110.x. Here is the config:

:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 200.190.1.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx 255.255.255.0
!
banner exec UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner login UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner asdm UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
ftp mode passive
access-list inside_access_in extended permit ip 200.190.1.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit ip 192.168.199.0 255.255.255.192 host 10.120.110.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 200.190.1.0 255.255.255.0
access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip 200.190.1.0 255.255.255.0 192.168.199.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_IPSEC_VPN_Pool 192.168.199.10-192.168.199.50 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 200.190.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.213.43.1 1
route inside 10.120.110.0 255.255.255.0 200.190.1.50 1
route inside 192.168.50.0 255.255.255.0 200.190.1.56 1
route inside 192.168.60.0 255.255.255.0 200.190.1.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 10443
http server idle-timeout 5
http server session-timeout 30
http 200.190.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  (omitted)
 quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 200.190.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy MD_SSL_Gp_Pol internal
group-policy MD_SSL_Gp_Pol attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
  port-forward disable
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy MD_IPSEC_Tun_Gp internal
group-policy MD_IPSEC_Tun_Gp attributes
 banner value welcome to remote VPN
 vpn-simultaneous-logins 1
 vpn-idle-timeout 5
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MD_IPSEC_Tun_Gp_splitTunnelAcl
 address-pools value Remote_IPSEC_VPN_Pool
 webvpn
  url-list value RDP
username (omitted) attributes
 vpn-group-policy MD_IPSEC_Tun_Gp
 service-type remote-access
tunnel-group MD_SSL_Profile type remote-access
tunnel-group MD_SSL_Profile general-attributes
 default-group-policy MD_SSL_Gp_Pol
tunnel-group MD_IPSEC_Tun_Gp type remote-access
tunnel-group MD_IPSEC_Tun_Gp general-attributes
 address-pool Remote_IPSEC_VPN_Pool
 default-group-policy MD_IPSEC_Tun_Gp
tunnel-group MD_IPSEC_Tun_Gp ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
: end

The following split tunnel ACL and NAT exemption ACL entries are incorrect:

access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit host 10.120.110.0
access-list inside_nat0_outbound extended permit ip host 10.120.110.0 192.168.199.0 255.255.255.192

They should have been:

access-list MD_IPSEC_Tun_Gp_splitTunnelAcl standard permit 10.120.110.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.120.110.0 255.255.255.0 192.168.199.0 255.255.255.192

Then 'clear xlate' and reconnect with the VPN Client. Hope that helps.

ASA 5505 split tunneling stopped working when upgraded from 8.3(1) to 8.4(3)

When a user connected to the old device running 8.3(1) they could access all of our subnets: 10.1.0.0/16, 10.33.0.0/16, 10.89.0.0/16, 10.60.0.0/16, but now they can't, and in the logs I see just:

6 Oct 31 2012 08:17:59 110003 10.60.30.111 1 10.89.30.41 0 Routing failed to locate next hop for ICMP from outside:10.60.30.111/1 to inside:10.89.30.41/0

Any tips? I have tried almost everything. The running configuration is:

: Saved
:
ASA Version 8.4(3)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.60.70.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 80.90.98.217 255.255.255.248
!
passive FTP mode clock timezone GMT 0 DNS lookup field inside DNS domain-lookup outside permit same-security-traffic intra-interface network obj_any object subnet 0.0.0.0 0.0.0.0 network of the NETWORK_OBJ_10.33.0.0_16 object 10.33.0.0 subnet 255.255.0.0 network of the NETWORK_OBJ_10.60.0.0_16 object 10.60.0.0 subnet 255.255.0.0 network of the NETWORK_OBJ_10.89.0.0_16 object 10.89.0.0 subnet 255.255.0.0 network of the NETWORK_OBJ_10.1.0.0_16 object 10.1.0.0 subnet 255.255.0.0 network tetPC object Home 10.60.10.1 test description network of the NETWORK_OBJ_10.60.30.0_24 object 10.60.30.0 subnet 255.255.255.0 network of the NETWORK_OBJ_10.60.30.64_26 object 255.255.255.192 subnet 10.60.30.64 the SSH server object network Home 10.60.20.6 network of the SSH_public object network ftp_public object Home 80.90.98.218 rdp network object Home 10.60.10.4 ftp_server network object Home 10.60.20.2 network ssh_public object Home 80.90.98.218 Service FTP object tcp destination eq 12 service network of the NETWORK_OBJ_10.60.20.3 object Home 10.60.20.3 network of the NETWORK_OBJ_10.60.40.192_26 object 255.255.255.192 subnet 10.60.40.192 network of the NETWORK_OBJ_10.60.10.10 object Home 10.60.10.10 network of the NETWORK_OBJ_10.60.20.2 object Home 10.60.20.2 network of the NETWORK_OBJ_10.60.20.21 object Home 10.60.20.21 network of the NETWORK_OBJ_10.60.20.4 object Home 10.60.20.4 network of the NETWORK_OBJ_10.60.20.5 object Home 10.60.20.5 network of the NETWORK_OBJ_10.60.20.6 object Home 10.60.20.6 network of the NETWORK_OBJ_10.60.20.7 object Home 10.60.20.7 network of the NETWORK_OBJ_10.60.20.29 object Home 10.60.20.29 service port_tomcat object Beach service tcp 8080 8082 source network of the TBSF object 172.16.252.0 subnet 255.255.255.0 the e-mail server object network Home 10.33.10.2 Mail server description service object HTTPS tcp source eq https service test network object network access_web_mail object Home 10.60.50.251 network downtown_Interface_host object Home 
10.60.50.1 Downtown host Interface description service of the Oracle_port object tcp source eq sqlnet service network of the NETWORK_OBJ_10.60.50.248_29 object subnet 10.60.50.248 255.255.255.248 network of the NETWORK_OBJ_10.60.50.1 object Home 10.60.50.1 network of the NETWORK_OBJ_10.60.50.0_28 object subnet 10.60.50.0 255.255.255.240 brisel network object 10.191.191.0 subnet 255.255.255.0 network of the NETWORK_OBJ_10.191.191.0_24 object 10.191.191.0 subnet 255.255.255.0 network of the NETWORK_OBJ_10.60.60.0_24 object 10.60.60.0 subnet 255.255.255.0 object-group service TCS_Service_Group Description this group of Services offered is for the CLD's Clients port_tomcat service-object
HTTPS_ACCESS tcp service object-group EQ object of the https port the DM_INLINE_NETWORK_1 object-group network object-network 10.1.0.0 255.255.0.0 network-object 10.33.0.0 255.255.0.0 network-object 10.60.0.0 255.255.0.0 network-object 10.89.0.0 255.255.0.0 allow outside_1_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.33.0.0 255.255.0.0
allow outside_2_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0 outside_3_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 allow 10.1.0.0 255.255.0.0 OUTSIDE_IN list extended access permit icmp any one time exceed OUTSIDE_IN list extended access allow all unreachable icmp OUTSIDE_IN list extended access permit icmp any any echo response OUTSIDE_IN list extended access permit icmp any any source-quench OUTSIDE_IN list extended access permitted tcp 194.2.20.0 255.255.255.0 host 80.90.98.220 eq smtp OUTSIDE_IN list extended access permit tcp host 194.25.12.0 host 80.90.98.220 eq smtp OUTSIDE_IN list extended access allow icmp 80.90.98.222 host 80.90.98.217 OUTSIDE_IN list extended access permit tcp host 162.162.4.1 host 80.90.98.220 eq smtp OUTSIDE_IN list extended access permit tcp host 98.85.125.2 host 80.90.98.221 eq ssh Standard access list OAKDCAcl allow 10.60.0.0 255.255.0.0 Standard access list OAKDCAcl allow 10.33.0.0 255.255.0.0 access-list OAKDCAcl note backoffice Standard access list OAKDCAcl allow 10.89.0.0 255.255.0.0 access-list OAKDCAcl note maint OAKDCAcl list standard access allowed 10.1.0.0 255.255.0.0 access-list allowed standard osgd host 10.60.20.4 access-list allowed standard osgd host 10.60.20.5 access-list allowed standard osgd host 10.60.20.7 standard access list testOAK_splitTunnelAcl allow 10.60.0.0 255.255.0.0 list access allowed extended snmp udp any eq snmptrap everything list of access allowed extended snmp udp any any eq snmp downtown_splitTunnelAcl list standard access allowed host 10.60.20.29 webMailACL list standard access allowed host 10.33.10.2 access-list standard HBSC allowed host 10.60.30.107 access-list standard HBSC deny 10.33.0.0 255.255.0.0 access-list standard HBSC deny 10.89.0.0 255.255.0.0 allow outside_4_cryptomap to access extended list ip 10.60.0.0 255.255.0.0 10.191.191.0 255.255.255.0 OAK-remote_splitTunnelAcl-list of allowed access standard 10.1.0.0 255.255.0.0 
OAK-remote_splitTunnelAcl-list of allowed access standard 10.33.0.0 255.255.0.0 OAK-remote_splitTunnelAcl-list of allowed access standard 10.60.0.0 255.255.0.0 OAK-remote_splitTunnelAcl-list of allowed access standard 10.89.0.0 255.255.0.0 pager lines 24 Enable logging asdm of logging of information Within 1500 MTU Outside 1500 MTU mask 10.60.30.110 - 10.60.30.150 255.255.0.0 IP local pool OAKPRD_pool IP local pool mail_sddress_pool 10.60.50.251 - 10.60.50.255 mask 255.255.0.0 test 10.60.50.1 mask 255.255.255.255 IP local pool IP local pool ipad 10.60.30.90 - 10.60.30.99 mask 255.255.0.0 mask 10.60.40.200 - 10.60.40.250 255.255.255.0 IP local pool TCS_pool local pool OSGD_POOL 10.60.50.2 - 10.60.50.10 255.255.0.0 IP mask mask 10.60.60.0 - 10.60.60.255 255.255.0.0 IP local pool OAK_pool IP verify reverse path inside interface IP verify reverse path to the outside interface IP audit alarm action name ThreatDetection attack verification of IP within the ThreatDetection interface interface IP outside the ThreatDetection check no failover ICMP unreachable rate-limit 1 burst-size 1 ICMP allow any inside ICMP allow any echo inside ICMP allow any echo outdoors enable ASDM history ARP timeout 14400 NAT (inside, outside) static static source NETWORK_OBJ_10.33.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.33.0.0_16 NAT (inside, outside) static static source NETWORK_OBJ_10.89.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.89.0.0_16
NAT (inside, outside) static static source NETWORK_OBJ_10.1.0.0_16 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.1.0.0_16 NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.0_24 of NETWORK_OBJ_10.60.30.0_24 static destination NAT (inside, outside) static source all all NETWORK_OBJ_10.60.30.64_26 of NETWORK_OBJ_10.60.30.64_26 static destination NAT (inside, outside) static static source NETWORK_OBJ_10.60.40.192_26 destination NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.20.29 NETWORK_OBJ_10.60.40.192_26 any port_tomcat service NAT (inside, outside) static source any destination of all public static NETWORK_OBJ_10.60.50.1 NETWORK_OBJ_10.60.50.1 NAT (inside, outside) static static source NETWORK_OBJ_10.60.50.248_29 destination MailServer MailServer NETWORK_OBJ_10.60.50.248_29 NAT (inside, outside) static source all all NETWORK_OBJ_10.60.50.0_28 of NETWORK_OBJ_10.60.50.0_28 static destination NAT (inside, outside) static static source NETWORK_OBJ_10.191.191.0_24 destination NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.60.0.0_16 NETWORK_OBJ_10.191.191.0_24
NAT (inside, outside) static source DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 NETWORK_OBJ_10.60.60.0_24 NETWORK_OBJ_10.60.60.0_24 non-proxy-arp-search of route static destination ! network obj_any object NAT dynamic interface (indoor, outdoor) Route outside 0.0.0.0 0.0.0.0 80.90.98.222 1 Timeout xlate 03:00 Pat-xlate timeout 0:00:30 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 Floating conn timeout 0:00:00 dynamic-access-policy-registration DfltAccessPolicy identity of the user by default-domain LOCAL Enable http server http 192.168.1.0 255.255.255.0 inside http 10.60.10.10 255.255.255.255 inside http 10.33.30.33 255.255.255.255 inside http 10.60.30.33 255.255.255.255 inside SNMP-server host within the 10.33.30.108 community * version 2 c SNMP-server host within the 10.89.70.30 community *. 
No snmp server location No snmp Server contact Community SNMP-server Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA ikev1 transport mode encryption ipsec transform-set TRANS_ESP_3DES_SHA ikev1 Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac Crypto ipsec transform-set lux_trans_set ikev1 aes - esp esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 card crypto outside_map 1 match address outside_1_cryptomap peer set card crypto outside_map 1 84.51.31.173 card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1 card crypto outside_map 2 match address outside_2_cryptomap peer set card crypto outside_map 2 98.85.125.2 card crypto outside_map 2 set transform-set ESP-3DES-SHA ikev1 card crypto outside_map 3 match address outside_3_cryptomap peer set card crypto outside_map 3 220.79.236.146 card crypto outside_map 3 set transform-set ESP-3DES-SHA ikev1 card crypto 4 correspondence address outside_4_cryptomap outside_map card crypto outside_map 4 set pfs
peer set card crypto outside_map 4 159.146.232.122 card crypto 4 ikev1 transform-set lux_trans_set set outside_map outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP outside_map interface card crypto outside Crypto ikev1 allow outside IKEv1 crypto policy 5 preshared authentication 3des encryption sha hash Group 2 life 86400 IKEv1 crypto policy 20 preshared authentication aes-256 encryption sha hash Group 5 life 86400 IKEv1 crypto policy 30 preshared authentication 3des encryption sha hash Group 2 lifetime 28800 IKEv1 crypto policy 50 preshared authentication aes encryption sha hash Group 1 life 86400 IKEv1 crypto policy 70 preshared authentication aes encryption sha hash Group 5 life 86400 Telnet 10.60.10.10 255.255.255.255 inside Telnet 10.60.10.1 255.255.255.255 inside Telnet 10.60.10.5 255.255.255.255 inside Telnet 10.60.30.33 255.255.255.255 inside Telnet 10.33.30.33 255.255.255.255 inside Telnet timeout 30 SSH 10.60.10.5 255.255.255.255 inside SSH 10.60.10.10 255.255.255.255 inside SSH 10.60.10.3 255.255.255.255 inside SSH timeout 5 Console timeout 0 dhcpd outside auto_config ! dhcpd dns 155.2.10.20 155.2.10.50 interface inside dhcpd auto_config outside interface inside !
a basic threat threat detection length 3600 scanning-threat shun threat detection threat detection statistics a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200 TFTP server inside 10.60.10.10 configs/config1 WebVPN internal testTG group policy attributes of the strategy of group testTG value of 155.2.10.20 DNS server 155.2.10.50 Ikev1 VPN-tunnel-Protocol internal DefaultRAGroup_1 group strategy attributes of Group Policy DefaultRAGroup_1 value of 155.2.10.20 DNS server 155.2.10.50 Protocol-tunnel-VPN l2tp ipsec internal TcsTG group strategy attributes of Group Policy TcsTG VPN-idle-timeout 20 VPN-session-timeout 120 Ikev1 VPN-tunnel-Protocol IPSec-udp disable IPSec-udp-port 10000 Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list testOAK_splitTunnelAcl the address value TCS_pool pools internal downtown_interfaceTG group policy attributes of the strategy of group downtown_interfaceTG value of 155.2.10.20 DNS server 155.2.10.50 Ikev1 VPN-tunnel-Protocol Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list downtown_splitTunnelAcl internal HBSCTG group policy HBSCTG group policy attributes value of 155.2.10.20 DNS server 155.2.10.50 Ikev1 VPN-tunnel-Protocol Split-tunnel-policy tunnelspecified Split-tunnel-network-list value HBSC internal OSGD group policy OSGD group policy attributes value of 155.2.10.20 DNS server 155.2.10.50 VPN-session-timeout no Ikev1 VPN-tunnel-Protocol group-lock value OSGD Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list testOAK_splitTunnelAcl internal OAKDC group policy OAKDC group policy attributes Ikev1 VPN-tunnel-Protocol value of group-lock OAKDC Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list OAKDCAcl Disable dhcp Intercept 255.255.0.0 the address value OAKPRD_pool pools internal mailTG group policy attributes of the strategy of group mailTG value of 155.2.10.20 DNS server 155.2.10.50 Ikev1 VPN-tunnel-Protocol 
Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list webMailACL internal OAK-distance group strategy attributes of OAK Group Policy / remote value of 155.2.10.20 DNS server 155.2.10.50 Ikev1 VPN-tunnel-Protocol Split-tunnel-policy tunnelspecified Split-tunnel-network-list value OAK-remote_splitTunnelAcl VPN-group-policy OAKDC type of nas-prompt service
attributes global-tunnel-group DefaultRAGroup address pool OAKPRD_pool ipad address pool Group Policy - by default-DefaultRAGroup_1 IPSec-attributes tunnel-group DefaultRAGroup IKEv1 pre-shared-key *. tunnel-group 84.51.31.173 type ipsec-l2l IPSec-attributes tunnel-group 84.51.31.173 IKEv1 pre-shared-key *. tunnel-group 98.85.125.2 type ipsec-l2l IPSec-attributes tunnel-group 98.85.125.2 IKEv1 pre-shared-key *. tunnel-group 220.79.236.146 type ipsec-l2l IPSec-attributes tunnel-group 220.79.236.146 IKEv1 pre-shared-key *. type tunnel-group OAKDC remote access attributes global-tunnel-group OAKDC address pool OAKPRD_pool Group Policy - by default-OAKDC IPSec-attributes tunnel-group OAKDC IKEv1 pre-shared-key *. type tunnel-group TcsTG remote access attributes global-tunnel-group TcsTG address pool TCS_pool Group Policy - by default-TcsTG IPSec-attributes tunnel-group TcsTG IKEv1 pre-shared-key *. type tunnel-group downtown_interfaceTG remote access tunnel-group downtown_interfaceTG General-attributes test of the address pool Group Policy - by default-downtown_interfaceTG downtown_interfaceTG group of tunnel ipsec-attributes IKEv1 pre-shared-key *. type tunnel-group TunnelGroup1 remote access type tunnel-group mailTG remote access tunnel-group mailTG General-attributes address mail_sddress_pool pool Group Policy - by default-mailTG mailTG group of tunnel ipsec-attributes IKEv1 pre-shared-key *. type tunnel-group testTG remote access tunnel-group testTG General-attributes address mail_sddress_pool pool Group Policy - by default-testTG testTG group of tunnel ipsec-attributes IKEv1 pre-shared-key *. type tunnel-group OSGD remote access tunnel-group OSGD General-attributes address OSGD_POOL pool strategy-group-by default OSGD tunnel-group OSGD ipsec-attributes IKEv1 pre-shared-key *. type tunnel-group HBSCTG remote access attributes global-tunnel-group HBSCTG
 address-pool OSGD_POOL
 default-group-policy HBSCTG
tunnel-group HBSCTG ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 159.146.232.122 type ipsec-l2l
tunnel-group 159.146.232.122 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group OAK-remote type remote-access
tunnel-group OAK-remote general-attributes
 address-pool OAK_pool
 default-group-policy OAK-remote
tunnel-group OAK-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
asdm history enable

Hi David, I see that you have:

access-list outside_2_cryptomap extended permit ip 10.60.0.0 255.255.0.0 10.89.0.0 255.255.0.0

So, please make the following changes:

object network obj-10.60.30.0
 subnet 10.60.30.0 255.255.255.0
!
route outside 10.60.30.0 255.255.255.0 80.90.98.222
route outside 10.89.0.0 255.255.0.0 80.90.98.222
nat (outside,outside) 1 source static obj-10.60.30.0 obj-10.60.30.0 destination static NETWORK_OBJ_10.89.0.0_16 NETWORK_OBJ_10.89.0.0_16 no-proxy-arp route-lookup

HTH
Portu.
Please rate all helpful posts.
Post edited by: Javier Portuguez

Cannot ping through site-to-site host

Both ends are ASA 5510s. The IPsec tunnel is up.

show crypto isakmp

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 50.240.120.233
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

show crypto ipsec

#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

I can ping from my side (10.1.20.0/24), but only to the "inside" interface of the remote ASA (10.2.20.1).
I can't ping other computers on the remote subnet. The remote subnet is not able to ping anything on my side. Here is the config on my side:

: Saved
:
ASA Version 8.2(1)
!
hostname asa
names
name 72.xxx.xxx.xxx Telepacific_Gateway
name 184.188.50.225 Cox_Gateway
name 10.1.20.32 VPN
name 10.2.20.0 Jacksonville-Subnet
!
interface Ethernet0/0
 description Telepacific 4Mb Internet
 nameif WAN_TelePacific
 security-level 0
 ip address 72.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/1
 description Cox 10Mb Fiber Internet
 speed 100
 duplex full
 nameif WAN_Cox
 security-level 0
 ip address 184.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/2
 nameif VOIP
 security-level 49
 ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup WAN_TelePacific
dns domain-lookup WAN_Cox
dns server-group DefaultDNS
 name-server 209.242.128.100
 name-server 209.242.128.101
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list ragroup_splitTunnelAcl standard permit 10.1.20.0 255.255.255.0
access-list WAN_Cox_1_cryptomap extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list WAN_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit icmp any any
access-list WAN_Cox_access_in extended permit udp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list WAN_Cox_access_in extended permit tcp VPN 255.255.255.224 10.1.20.0 255.255.255.0
access-list inside_nat_outbound_1 extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 Jacksonville-Subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 VPN 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu WAN_TelePacific 1500
mtu WAN_Cox 1500
mtu VOIP 1500
mtu inside 1500
mtu management 1500
ip local pool RA VPN-10.1.20.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any WAN_TelePacific
asdm history enable
arp timeout 14400
global (WAN_TelePacific) 101 interface
global (WAN_Cox) 102 interface
global (inside) 103 interface
nat (WAN_Cox) 103 VPN 255.255.255.224 outside
nat (VOIP) 102 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 access-list inside_nat_outbound_1
nat (management) 102 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN_TelePacific
access-group WAN_Cox_access_in in interface WAN_Cox
route WAN_Cox 0.0.0.0 0.0.0.0 Cox_Gateway 1 track 3
route WAN_TelePacific 0.0.0.0 0.0.0.0 Telepacific_Gateway 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map CISCOMAP
 map-name msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Group_author protocol ldap
aaa-server AD_Group_author (inside) host 10.1.20.10
 server-port 389
 ldap-base-dn DC=,DC=LOCAL
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=VPN,CN=Users,DC=,DC=local
 server-type microsoft
 ldap-attribute-map CISCOMAP
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 WAN_TelePacific
http 0.0.0.0 0.0.0.0 WAN_Cox
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sla monitor 100
 type echo protocol ipIcmpEcho Telepacific_Gateway interface WAN_Cox
 num-packets 20
sla monitor schedule 100 life forever start-time now
sla monitor 101
 type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 101 life forever start-time now
sla monitor 102
 type echo protocol ipIcmpEcho Cox_Gateway interface WAN_Cox
sla monitor schedule 102 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN_TelePacific
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto map WAN_Cox_map 1 match address WAN_Cox_1_cryptomap
crypto map WAN_Cox_map 1 set pfs
crypto map WAN_Cox_map 1 set peer 50.240.120.233
crypto map WAN_Cox_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_Cox_map 1 set nat-t-disable
crypto map WAN_Cox_map interface WAN_Cox
crypto ca trustpoint vpn_ssl_cert
 fqdn asa
 subject-name CN=asa
 no client-types
 crl configure
crypto isakmp enable WAN_Cox
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 100 reachability
!
track 2 rtr 101 reachability
!
track 3 rtr 102 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.1.20.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 5
management-access inside
dhcpd address 10.1.10.51-10.1.10.254 VOIP
dhcpd dns 216.70.224.17 8.8.8.8 interface VOIP
dhcpd enable VOIP
!
dhcpd address 10.1.20.100-10.1.20.254 inside
dhcpd dns 216.70.224.17 8.8.8.8 interface inside
dhcpd wins 10.1.20.10 1.1.20.11 interface inside
dhcpd domain local interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.1.20.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.1.20.10 255.255.255.255
threat-detection scanning-threat shun except ip-address 10.1.20.12 255.255.255.255
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.20.10 source inside prefer
webvpn
 enable WAN_Cox
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
 svc enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  svc ask none default svc
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.20.10
 dns-server value 10.1.20.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value local
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 address-pools value RA
group-policy ragroup internal
group-policy ragroup attributes
 wins-server value 10.1.20.1
 dns-server value 10.1.20.1
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ragroup_splitTunnelAcl
 default-domain value
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
 banner none
 wins-server value 10.1.20.10
 dns-server value 10.1.20.10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ragroup_splitTunnelAcl
 default-domain value local
 webvpn
  svc ask none default svc
tunnel-group DefaultRAGroup general-attributes
 address-pool RA
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool RA
 authentication-server-group AD_Group_author LOCAL
 authorization-server-group AD_Group_author
 authorization-required
 username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group ZRemote type remote-access
tunnel-group ZRemote general-attributes
 address-pool RA
 authentication-server-group AD_Group_author LOCAL
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 address-pool RA
 authentication-server-group AD_Group_author LOCAL
 default-group-policy ALLOWACCESS
tunnel-group 50.240.xxx.xxx type ipsec-l2l
tunnel-group 50.240.xxx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.1.20.14
prompt hostname context
Cryptochecksum:053e7f169dcfa526b030f5d647cd78e8
: end

This ASA configuration seems correct to me. Please check the NAT exemption configuration on the remote end. If possible, post the config of the remote end as well.
Kind regards,
NGO

%ASA-7-710005: TCP request discarded error with the Cisco VPN Client, site-to-site on Cisco ASA 5510

Hi friends, I am trying to build a client-to-site VPN on a Cisco ASA 5510 running 8.4(4) and get the error below when connecting with the Cisco VPN Client software. I'm also attaching the ASA log below. Please help me resolve it.

Error in the Cisco VPN Client software: Secure VPN connection terminated locally by the client. Reason: 414: Unable to establish a TCP connection.
Error in the Cisco ASA 5510: %ASA-7-710005: TCP request discarded from
The ASA configuration: XYZ# sh run
XYZ#.

Good news. Follow these steps:

object network obj-172.30.10.0_24
 subnet 172.30.10.0 255.255.255.0
!
object-group network LOCAL_NETWORKS_VPN
 network-object 1.1.1.0 255.255.255.0
!
nat (inside,outside) 1 source static LOCAL_NETWORKS_VPN LOCAL_NETWORKS_VPN destination static obj-172.30.10.0_24 obj-172.30.10.0_24 route-lookup

* Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.

Keep me posted. Thank you.
Please rate all helpful posts.

Site-to-site VPN errors

When I configure a site-to-site tunnel, I get errors in the ASA logs. I've included the configs of both ASA firewalls. Does anyone see what I'm missing?

small site:

: Saved
:
Written by usiadmin at 15:22:08.143 UTC Mon Mar 19 2012
!
ASA Version 7.2(3)
!
hostname smallASA
domain-name domain.com
enable password awSQhSsotCzGWRMo encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 116.12.211.66 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd L0Wjs4eA25R/befo encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.20.1
 domain-name domain.com
access-list outside_1_cryptomap extended permit ip 10.16.4.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.16.4.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 116.12.211.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.16.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.16.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.16.4.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 165.21.83.88 10.10.2.1
dhcpd domain domain.com
dhcpd auto_config outside
!
dhcpd address 10.16.4.100-10.16.4.131 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username usiadmin password DI5M5NnQfLzGHaw1 encrypted privilege 15
username initech password ENDpqoooBPsmGFZP encrypted privilege 15
tunnel-group 12.69.103.226 type ipsec-l2l
tunnel-group 12.69.103.226 ipsec-attributes
 pre-shared-key PSK
prompt hostname context
Cryptochecksum:e6bf95f3c25574bfed2adafb3283e882
: end

large site:
: Saved
:
Written by usiadmin at 22:57:30.549 CDT Mon Mar 19 2012
!
ASA Version 8.0(3)
!
hostname STO-ASA-5510-FW
domain-name domain.com
enable password ... Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP Transit
name 10.10.99.0 VPN
name 10.10.2.80 BB
dns-guard
!
interface Ethernet0/0
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.10.200.29 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1
 description Outside Interface facing the Router for Internet.
 nameif outside
 security-level 0
 ip address 12.69.103.226 255.255.255.240
 ospf cost 10
!
interface Ethernet0/2
 description Physical trunk interface - do not use
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.900
 description DMZ Interface 12.69.103.0/26 (usable hosts .1 to .62)
 vlan 900
 nameif DMZ1-VLAN900
 security-level 50
 ip address 12.69.103.1 255.255.255.192
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.5.250 255.255.254.0
 ospf cost 10
 management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec STO-ASA-5510-FW
banner exec ASA5510 - 10.10.200.29
banner exec Configured for data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized customers only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authority, are subject to having all their activity
banner login on this system monitored and recorded by computer network system personnel.
banner login To protect the computer network system from unauthorized use and to ensure
banner login the computer network system is functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible evidence
banner login of criminal activity, system personnel may provide the evidence of such activity to law enforcement.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
 description SAP updates
 port-object eq 3299
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HUMANLand tcp
 port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp-udp eq www
 service-object udp eq snmp
 service-object udp eq snmptrap
 service-object udp eq syslog
 service-object tcp eq 2055
 service-object udp eq 2055
 service-object tcp eq 3389
object-group service human tcp-udp
 port-object eq 8100
object-group service grove tcp
 port-object eq 2492
object-group service netflowTcp tcp
 port-object eq 2055
object-group service 6144 tcp-udp
 description 6144
 port-object eq 6144
object-group service 1536-DMPA-inter tcp-udp
 description 1536-DMPA-inter
 port-object eq 1536
object-group network DM_INLINE_NETWORK_1
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_3
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_4
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group service rdp tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_5
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
access-list outside remark 207.152.125.136
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_1 any log
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_2 host 12.69.103.129
access-list outside extended deny object-group TCPUDP any object-group DM_INLINE_NETWORK_3
access-list outside extended deny object-group TCPUDP host 12.69.103.129 object-group DM_INLINE_NETWORK_4
access-list outside remark * Inbound SAP traffic, updated by Ron Odom *
access-list outside extended permit tcp host 194.39.131.34 host 12.69.103.155 range 3200 3300 log
access-list outside remark * SAP router *
access-list outside extended permit tcp host 10.10.2.110 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark * Inbound to mail server 10.10.2.10 Peter K *
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark * Inbound to OCS EDGE on DMZ Peter K *
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark flagged for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit ip any host 12.69.103.156 inactive
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark * Inbound to host 10.10.3.200 - Dan K *
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark * Inbound to host 10.10.2.30 USIFAXBACK - Dan K *
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark * Inbound to host 10.10.8.5 - Mitel 7100 BOB M 4/4-2008 - BV *
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Turn off all return ICMP traffic to help hide from attacks
access-list outside extended deny icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip object-group DM_INLINE_NETWORK_7 any
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit ip any object-group DM_INLINE_NETWORK_6
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark added to prevent blocking human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group human
access-list outside remark added to prevent blocking human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group human
access-list outside extended permit tcp any any eq pptp log
access-list outside extended deny object-group TCPUDP any any object-group 6144
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark * OCS - 2nd interface to inside EDGE host Peter K *
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark permit all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in extended deny ip any 207.152.0.0 255.255.0.0
access-list DMZ1_in extended deny ip 207.152.0.0 255.255.0.0 any
access-list DMZ1_in remark * Explicitly block access to all internal networks *
access-list DMZ1_in remark * Any permitted inside networks need *
access-list DMZ1_in remark * to be above this section *
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark * Allow IP - this will be the internet *
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list sheep extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list sheep extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list sheep extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list sheep extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list sheep extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list sheep extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list sheep extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list sheep extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list sheep extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list sheep extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list sheep extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0 inactive
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.14.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip 10.15.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 VPN 255.255.255.192
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_5
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list VPN level alerts
logging buffer-size 256000
logging buffered VPN
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41
logging format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator 178US1SIL3
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool Clients_vpn 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm location VPN 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm location BB 255.255.255.255 inside
asdm location 10.16.0.0 255.255.0.0 inside
asdm location 69.31.0.0 255.255.0.0 inside
asdm location 198.78.0.0 255.255.0.0 inside
asdm location 10.16.0.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
global (inside) 1 10.10.2.4 netmask 255.0.0.0
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
global (outside) 14 12.69.103.133 netmask 255.0.0.0
nat (inside) 0 access-list sheep
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (inside) 10 10.14.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 10 10.16.0.0 255.255.255.0
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
nat (outside) 10 10.16.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
 network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
Route inside 10.10.98.0 255.255.255.0 10.10.200.30 1 Route outside 10.14.0.0 255.255.0.0 12.69.103.225 1 Route outside 10.15.0.0 255.255.0.0 12.69.103.225 1 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout, uauth 0:05:00 absolute dynamic-access-policy-registration DfltAccessPolicy AAA-server Microsoft radius Protocol simultaneous accounting mode reactivation mode impoverishment deadtime 30 AAA-server Microsoft host 10.10.2.1 key cisco123 the ssh LOCAL console AAA authentication AAA authentication LOCAL telnet console AAA authentication enable LOCAL console AAA authentication http LOCAL console Enable http server http 10.10.0.0 255.255.0.0 management http 10.10.0.0 255.255.0.0 inside SNMP-server host within the 10.10.2.41 community UNISNMP version 2 c-port udp 161 location of Server SNMP STODATDROOM contact SNMP SYS Admin Server UNISNMP SNMP-server community Server enable SNMP traps snmp authentication linkup, linkdown cold start Server enable SNMP traps syslog Server SNMP traps enable ipsec works stop Server enable SNMP traps entity config - change insert-fru fru - remove Server SNMP enable doors remote access has exceeded the threshold of session Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac Crypto ipsec transform-set 
ESP-3DES-MD5-esp-3des esp-md5-hmac Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 card crypto outside_map 1 match address outside_cryptomap peer set card crypto outside_map 1 115.111.107.226 card crypto outside_map 1 set of transformation-ESP-3DES-SHA card crypto outside_map 2 match address outside_cryptomap_1 peer set card crypto outside_map 2 116.12.211.66 card crypto outside_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 address card crypto outside_map 10 game traffic peer set card crypto outside_map 10 212.185.51.242
outside_map crypto 10 card value transform-set ESP-3DES-SHA outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP outside_map interface card crypto outside inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP inside crypto map inside_map interface card crypto DMZ1-VLAN900_map0 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 crypto isakmp identity address crypto ISAKMP allow inside crypto ISAKMP allow outside crypto ISAKMP policy 5 preshared authentication 3des encryption sha hash Group 2 life no crypto ISAKMP policy 10 preshared authentication the Encryption sha hash Group 2 life no Crypto isakmp nat-traversal 33 No vpn-addr-assign aaa No dhcp vpn-addr-assign VPN-addr-assign local reuse-delay 10 Telnet 10.10.0.0 255.255.0.0 inside Telnet 10.10.0.0 255.255.0.0 management Telnet timeout 29 SSH timeout 29 SSH version 2 Console timeout 1 management-access inside dhcprelay Server 10.10.2.1 outside a basic threat threat detection threat scan-threat shun except ip 10.14.0.0 address detection 255.255.0.0
threat scan-threat shun except ip 10.15.0.0 address detection 255.255.0.0 threat detection statistics Web cache WCCP WCCP interface within web in cache redirection NTP 192.5.41.41 Server NTP 192.5.41.40 Server Server NTP 192.43.244.18 TFTP server inside 10.10.2.2 \asa attributes of Group Policy DfltGrpPolicy banner of value WARNING: this system is for the use of only authorized customers. value of server WINS 10.10.2.1 value of 10.10.2.1 DNS server 10.10.2.2 Protocol-tunnel-VPN IPSec svc webvpn Split-tunnel-policy tunnelspecified Split-tunnel-network-list value VPN-SplitTunnel universalsilencer.com value by default-field Server proxy Internet Explorer 00.00.00.00 value the address value Clients_vpn pools internal CHINAPH group policy CHINAPH group policy attributes Protocol-tunnel-VPN IPSec svc webvpn Split-tunnel-policy tunnelall enable dhcp Intercept 255.255.0.0 the address value Clients_vpn pools internal ezGROUP1 group policy attributes of the strategy of group ezGROUP1 VPN-tunnel-Protocol svc webvpn allow password-storage Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list ezvpn1 allow to NEM deleted users IPSec-attributes tunnel-group DefaultL2LGroup pre-shared-key germanysilence type tunnel-group USISplitTunnelRemoteAccess remote access attributes global-tunnel-group USISplitTunnelRemoteAccess address pool Clients_vpn IPSec-attributes tunnel-group USISplitTunnelRemoteAccess pre-shared-key z2LNoioYVCTyJlX type tunnel-group USISplitTunnelRADIUS remote access attributes global-tunnel-group USISplitTunnelRADIUS address pool Clients_vpn Group-Microsoft LOCAL authentication server IPSec-attributes tunnel-group USISplitTunnelRADIUS pre-shared-key fLFO2p5KSS8Ic2y type tunnel-group ezVPN1 remote access tunnel-group ezVPN1 General-attributes Group Policy - by default-ezGROUP1 ezVPN1 group of tunnel ipsec-attributes pre-shared key, PSK tunnel-group 212.185.51.242 type ipsec-l2l IPSec-attributes tunnel-group 212.185.51.242 pre-shared key, PSK NOCHECK 
Peer-id-validate tunnel-group 115.111.107.226 type ipsec-l2l IPSec-attributes tunnel-group 115.111.107.226 pre-shared key PSJ tunnel-Group China type remote access attributes global-tunnel-Group China address pool Clients_vpn Group Policy - by default-CHINAPH tunnel-group 116.12.211.66 type ipsec-l2l IPSec-attributes tunnel-group 116.12.211.66 pre-shared key, PSK ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns migrated_dns_map_1 parameters message-length maximum 512 Policy-map global_policy class inspection_default inspect the migrated_dns_map_1 dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp inspect the icmp ! global service-policy global_policy context of prompt hostname Cryptochecksum:834976612f8f76e1b088326516362975 : end Hello Ronald.
You use PFS on one site and not on the other. Let's remove it from the site that has it and give it a try. Change this:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

To this:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

So just do a:

no crypto map outside_map 1 set pfs

Kind regards
Julio
Rate all useful posts

How to remove adware for mac?

Hello! I have problems with what seems to be adware/malware on my MacBook Pro Retina Display. Since a few days ago, Avast (my current antivirus software) has been giving me the warning below, with various different sites in the URL part. Following a suggestion in another post on the forum, my fiancée and I installed MacScan on my laptop and ran a full system scan. It claimed that I have two pieces of adware on my computer. To try to get rid of the adware, I installed Malwarebytes. As expected, it said that I had two infections (the same two referenced by MacScan) and gave me the option to clean my computer. I did, and during a second scan Malwarebytes claimed that I had more infections. My question is that, in order to verify a second time, I ran another MacScan and it said that the two pieces of adware still exist. However, their paths have now changed to /.Trash/Malwarebytes Removals. Here are the complete paths for reference:

Path: /.MobileBackups/computer/2016-04-02-153847/Volume/users/mariyaartis/.Trash/Malwarebytes Removals/Sponsors.framework/Versions/A/Resources/APNSetup.app/Contents/Resources/[email protected]

Path: /.MobileBackups/computer/2016-04-02-153847/Volume/users/mariyaartis/.Trash/Malwarebytes Removals/Sponsors.framework/Versions/A/Resources/APNSetup.app/Contents/Resources/searchAskApp_ORJ-M.safariextz

As of a few minutes ago, I still get the Avast threat detection notice. How do I remove the malware from my computer? What should I do at this point? Any help is greatly appreciated.

Malwarebytes is perhaps the only adware scanner you need. I'd ditch MacScan and Avast; Linc Davis calls it "the worst of the miserable market for Mac antivirus software".
no threat-detection rate
no threat-detection scanning-threat
no threat-detection statistics
Afternoon,
I'm trying to understand how the threat detection feature prevents attackers. From my understanding, taking into account the configuration line below, if a host were to send 45 SYNs in 1 second, then it would be recorded as a threat and the host would be shunned, thus negating any other communication, whether legitimate or not.
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
Taking this example into consideration, I have a few questions.
Is the shun entry stored in some sort of shun table?
Does this shun entry have a timeout or lifetime, where, after a certain period of time, the shun is revoked?
Are shuns cleared by a reload, or do they persist until they are cleared manually?
Notwithstanding all of the above, is the shun just for the single SYN that hits the burst rate, or does it apply to any other communication attempted from that source to this address and port?
Thanks in advance for your help.
Kind regards
Luke
Please rate helpful posts and mark correct answers.
Here is the running config:
: Saved
:
ASA Version 8.0(3)6
!
hostname ciscoasa
enable password ******* encrypted
passwd ********* encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DALLAS_splitTunnelAcl standard permit host 192.168.3.229
access-list DALLAS_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list DALLAS_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list dallas_VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.252
access-list Out extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.252 192.168.14.0 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Dallas 192.168.14.1-192.168.14.50 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.3.229 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 192.168.3.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 1:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
vpnclient server xx.xx.xx.xx
vpnclient mode client-mode
vpnclient vpngroup dallas password ********
vpnclient username dallas password ********
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy dallas internal
group-policy dallas attributes
dns-server value xx.xx.xx.xx
vpn-tunnel-protocol IPSec
username admin password *************** encrypted privilege 15
username dallas password ********* nt-encrypted privilege 0
username dallas attributes
vpn-group-policy DefaultRAGroup
username user1 password *********** nt-encrypted privilege 0
username cisco password ********* encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group dallas type remote-access
tunnel-group dallas general-attributes
address-pool Dallas
default-group-policy dallas
tunnel-group dallas ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:beac138dba28b1b3b58dffbcbc4fbb93
: end
which is accessible by ASA you see the redirect to 192.168.3.229
: Saved
:
ASA Version 8.4(4)
!
hostname XYZ
domain-name XYZ
enable password 3uLkVc9JwRA1/OXb N3 encrypted
enable password R/x90UjisGVJVlh2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside_rim
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
duplex full
nameif XYZ_DMZ
security-level 50
ip address 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
speed 100
duplex full
nameif inside
security-level 100
ip address 3.3.3.3 255.255.255.224
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa844-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XYZ
object network obj-172.17.10.3
host 172.17.10.3
object network obj-10.1.134.0
subnet 10.1.134.0 255.255.255.0
object network obj-208.75.237.0
subnet 208.75.237.0 255.255.255.0
object network obj-10.7.0.0
subnet 10.7.0.0 255.255.0.0
object network obj-172.17.2.0
subnet 172.17.2.0 255.255.255.0
object network obj-172.17.3.0
subnet 172.17.3.0 255.255.255.0
object network obj-172.19.2.0
subnet 172.19.2.0 255.255.255.0
object network obj-172.19.3.0
subnet 172.19.3.0 255.255.255.0
object network obj-172.19.7.0
subnet 172.19.7.0 255.255.255.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj-10.3.0.0
subnet 10.3.0.0 255.255.0.0
object network obj-10.4.0.0
subnet 10.4.0.0 255.255.0.0
object network obj-10.6.0.0
subnet 10.6.0.0 255.255.0.0
object network obj-10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network obj-10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network obj-10.12.0.0
subnet 10.12.0.0 255.255.0.0
object network obj-172.19.1.0
subnet 172.19.1.0 255.255.255.0
object network obj-172.21.2.0
subnet 172.21.2.0 255.255.255.0
object network obj-172.16.2.0
subnet 172.16.2.0 255.255.255.0
object network obj-10.19.130.201
host 10.19.130.201
object network obj-172.30.2.0
subnet 172.30.2.0 255.255.255.0
object network obj-172.30.3.0
subnet 172.30.3.0 255.255.255.0
object network obj-172.30.7.0
subnet 172.30.7.0 255.255.255.0
object network obj-10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network obj-10.19.130.0
subnet 10.19.130.0 255.255.255.0
object network obj-XXXXXXXX
host XXXXXXXX
object network obj-145.248.194.0
subnet 145.248.194.0 255.255.255.0
object network obj-10.1.134.100
host 10.1.134.100
object network obj-10.9.124.100
host 10.9.124.100
object network obj-10.1.134.101
host 10.1.134.101
object network obj-10.9.124.101
host 10.9.124.101
object network obj-10.1.134.102
host 10.1.134.102
object network obj-10.9.124.102
host 10.9.124.102
object network obj-115.111.99.133
host 115.111.99.133
object network obj-10.8.108.0
subnet 10.8.108.0 255.255.255.0
object network obj-115.111.99.129
host 115.111.99.129
object network obj-195.254.159.133
host 195.254.159.133
object network obj-195.254.158.136
host 195.254.158.136
object network obj-209.164.192.0
subnet 209.164.192.0 255.255.224.0
object network obj-209.164.208.19
host 209.164.208.19
object network obj-209.164.192.126
host 209.164.192.126
object network obj-10.8.100.128
subnet 10.8.100.128 255.255.255.128
object network obj-115.111.99.130
host 115.111.99.130
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-115.111.99.132
host 115.111.99.132
object network obj-10.10.1.45
host 10.10.1.45
object network obj-10.99.132.0
subnet 10.99.132.0 255.255.255.0
object-group network Serversubnet
network-object 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
object-group network XYZ_destinations
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 172.19.1.0 255.255.255.0
network-object 172.19.2.0 255.255.255.0
network-object 172.19.3.0 255.255.255.0
network-object 172.19.7.0 255.255.255.0
network-object 172.17.2.0 255.255.255.0
network-object 172.17.3.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object host 10.50.2.206
object-group network XYZ_us_admin
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
object-group network XYZ_blr_networkdevices
network-object 10.200.10.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.21
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host 172.16.2.22
access-list XYZ extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list XYZ_PAT extended permit ip 10.19.130.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.159.133
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 195.254.158.136
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 any
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 209.164.192.0 255.255.224.0
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.208.19
access-list XYZ_PAT extended permit ip 10.1.134.0 255.255.255.0 host 209.164.192.126
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list sheep extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list sheep extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list sheep extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list sheep extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list sheep extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list sheep extended permit ip 10.10.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list sheep extended permit ip 10.19.130.0 255.255.255.0 host XXXXXXXX
access-list sheep extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list Guest_PAT extended permit ip 10.8.108.0 255.255.255.0 any
access-list CACIB extended permit ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
access-list Cacib_PAT extended permit ip 10.8.100.128 255.255.255.128 any
access-list New_Edge extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list XYZ_global extended permit ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.7.0.0 255.255.0.0
access-list XYZ_global extended permit ip 172.17.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.17.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.3.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.7.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.2.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.4.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.6.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.9.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.12.0.0 255.255.0.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.19.1.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 172.21.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.17.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.2.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.3.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.7.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 10.12.0.0 255.255.0.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.21.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.16.2.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list XYZ_global extended permit ip 10.1.134.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.2.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.2.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.3.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.3.0 255.255.255.0
access-list XYZ_global extended permit ip 172.30.7.0 255.255.255.0 host 10.19.130.201
access-list XYZ_global extended permit ip host 10.19.130.201 172.30.7.0 255.255.255.0
access-list XYZ_global extended permit ip object-group Serversubnet object-group XYZ_destinations
access-list XYZ_global extended permit ip object-group XYZ_destinations object-group Serversubnet
access-list ML_VPN extended permit ip host 115.111.99.129 209.164.192.0 255.255.224.0
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.208.19
access-list ML_VPN extended permit ip host 115.111.99.129 host 209.164.192.126
access-list Da_VPN extended permit ip host 10.9.124.100 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.101 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.102 host 10.125.81.88
access-list Da_VPN extended permit ip host 10.9.124.100 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.101 10.125.81.0 255.255.255.0
access-list Da_VPN extended permit ip host 10.9.124.102 10.125.81.0 255.255.255.0
access-list Sr_PAT extended permit ip 10.10.0.0 255.255.0.0 any
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.100 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.101 host 10.125.86.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.80.64 255.255.255.192
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 10.125.64.0 255.255.240.0
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.85.46
access-list Da_Pd_VPN extended permit ip host 10.9.124.102 host 10.125.86.46
access-list XYZ_reliance extended permit ip 10.19.130.0 255.255.255.0 145.248.194.0 255.255.255.0
access-list co extended permit ip host 2.2.2.2 host XXXXXXXX
access-list co extended permit ip host XXXXXXXX host 2.2.2.2
access-list this extended permit ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
access-list this extended permit ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access-list acl-outside extended permit ip host 57.66.81.159 host 172.17.10.3
access-list acl-outside extended permit ip host 80.169.223.179 host 172.17.10.3
access-list acl-outside extended permit ip any host 172.17.10.3
access-list acl-outside extended permit tcp any host 10.10.1.45 eq https
access-list acl-outside extended permit tcp any any eq 10000
access-list acl-outside extended deny ip any any log
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-208.75.237.0 obj-208.75.237.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.7.0.0 obj-10.7.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.2.0 obj-172.17.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.17.3.0 obj-172.17.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.2.0 obj-172.19.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.3.0 obj-172.19.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.7.0 obj-172.19.7.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.3.0.0 obj-10.3.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.4.0.0 obj-10.4.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.6.0.0 obj-10.6.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.9.0.0 obj-10.9.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.11.0.0 obj-10.11.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-10.12.0.0 obj-10.12.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.19.1.0 obj-172.19.1.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.21.2.0 obj-172.21.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.1.134.0 obj-10.1.134.0 destination static obj-172.16.2.0 obj-172.16.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.2.0 obj-172.30.2.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.3.0 obj-172.30.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.201 obj-10.19.130.201 destination static obj-172.30.7.0 obj-172.30.7.0 no-proxy-arp route-lookup
nat (inside,any) source static Serversubnet Serversubnet destination static XYZ_destinations XYZ_destinations no-proxy-arp route-lookup
nat (inside,any) source static obj-10.10.1.0 obj-10.10.1.0 destination static obj-10.2.0.0 obj-10.2.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-XXXXXXXX obj-XXXXXXXX no-proxy-arp route-lookup
nat (inside,any) source static obj-10.19.130.0 obj-10.19.130.0 destination static obj-145.248.194.0 obj-145.248.194.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.134.100 obj-10.9.124.100
nat (inside,outside) source static obj-10.1.134.101 obj-10.9.124.101
nat (inside,outside) source static obj-10.1.134.102 obj-10.9.124.102
nat (inside,outside) source dynamic obj-10.8.108.0 interface
nat (inside,outside) source dynamic obj-10.19.130.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.159.133 obj-195.254.159.133
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-195.254.158.136 obj-195.254.158.136
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.0 obj-209.164.192.0
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.208.19 obj-209.164.208.19
nat (inside,outside) source dynamic obj-10.1.134.0 obj-115.111.99.129 destination static obj-209.164.192.126 obj-209.164.192.126
nat (inside,outside) source dynamic obj-10.8.100.128 obj-115.111.99.130
nat (inside,outside) source dynamic obj-10.10.0.0 obj-115.111.99.132
nat (inside,outside) source static obj-10.10.1.45 obj-115.111.99.133
nat (inside,outside) source dynamic obj-10.99.132.0 obj-115.111.99.129
!
object network obj-172.17.10.3
 nat (XYZ_DMZ,outside) static 115.111.99.134
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn5 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn7 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set vpn4 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn_reliance esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set c2s_vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dyn1 1 set ikev1 transform-set c2s_vpn
crypto dynamic-map dyn1 1 set reverse-route
crypto map vpn 1 match address XYZ
crypto map vpn 1 set peer XYZ Peer IP
crypto map vpn 1 set ikev1 transform-set vpn1
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set security-association lifetime kilobytes 4608000
crypto map vpn 2 match address NE
crypto map vpn 2 set peer NE_Peer IP
crypto map vpn 2 set ikev1 transform-set vpn2
crypto map vpn 2 set security-association lifetime seconds 3600
crypto map vpn 2 set security-association lifetime kilobytes 4608000
crypto map vpn 4 match address ML_VPN
crypto map vpn 4 set pfs
crypto map vpn 4 set peer ML_Peer IP
crypto map vpn 4 set ikev1 transform-set vpn4
crypto map vpn 4 set security-association lifetime seconds 3600
crypto map vpn 4 set security-association lifetime kilobytes 4608000
crypto map vpn 5 match address XYZ_global
crypto map vpn 5 set peer XYZ_globa_Peer IP
crypto map vpn 5 set ikev1 transform-set vpn5
crypto map vpn 5 set security-association lifetime seconds 3600
crypto map vpn 5 set security-association lifetime kilobytes 4608000
crypto map vpn 6 match address Da_VPN
crypto map vpn 6 set peer Da_VPN_Peer IP
crypto map vpn 6 set ikev1 transform-set vpn6
crypto map vpn 6 set security-association lifetime seconds 3600
crypto map vpn 6 set security-association lifetime kilobytes 4608000
crypto map vpn 7 match address Da_Pd_VPN
crypto map vpn 7 set peer Da_Pd_VPN_Peer IP
crypto map vpn 7 set ikev1 transform-set vpn6
crypto map vpn 7 set security-association lifetime seconds 3600
crypto map vpn 7 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside
crypto map vpn_reliance 1 match address XYZ_rim
crypto map vpn_reliance 1 set peer XYZ_rim_Peer IP
crypto map vpn_reliance 1 set ikev1 transform-set vpn_reliance
crypto map vpn_reliance 1 set security-association lifetime seconds 3600
crypto map vpn_reliance 1 set security-association lifetime kilobytes 4608000
crypto map vpn_reliance interface outside_rim
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside_rim
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 4
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28000
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.8.100.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy XYZ_c2s_vpn internal
username testadmin password oFJjANE3QKoA206w encrypted
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group XYZ_c2s_vpn type remote-access
tunnel-group XYZ_c2s_vpn general-attributes
 address-pool XYZ_c2s_vpn_pool
tunnel-group XYZ_c2s_vpn ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command crypto
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: end
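As an added example (not code from the original post or from Cisco), a small Python audit of an ASA running-config excerpt in the shape of the one above. It reports the threat-detection state the thread asks about (basic threat detection switched off, no scanning-threat shun configured, so nothing is ever shunned) next to the legacy crypto and management settings visible in the posted config; the sample fragment, the check list and the regexes are my own constructions.

```python
import re

# Constructed sample shaped like the posted running-config (not the poster's
# full config); indented lines belong to the crypto ikev1 policy above them.
SAMPLE_CONFIG = """\
no threat-detection basic-threat
ssh key-exchange group dh-group1-sha1
telnet 10.8.100.0 255.255.255.224 inside
crypto ipsec ikev1 transform-set vpn6 esp-aes-256 esp-md5-hmac
crypto ikev1 policy 100
 encryption 3des
 hash sha
 group 2
access-list acl-outside extended permit tcp any any eq 10000
"""

# Single-line checks: (regex over one config line, finding with regex groups).
LINE_CHECKS = [
    (r"^no threat-detection basic-threat$",
     "basic threat detection disabled (it is on by default)"),
    (r"^ssh key-exchange group dh-group1-sha1$",
     "SSH key exchange uses dh-group1-sha1 (1024-bit DH)"),
    (r"^telnet \S+ \S+ \S+$", "cleartext telnet management is enabled"),
    (r"^crypto ipsec ikev1 transform-set (\S+) .*\b(esp-3des|esp-md5-hmac)\b",
     "transform-set {0} uses legacy algorithm {1}"),
    (r"^access-list (\S+) extended permit (tcp|udp) any any eq (\S+)$",
     "ACL {0} permits {1}/{2} from any source to any destination"),
]

def audit_asa_config(text):
    """Return the list of findings for an ASA running-config excerpt."""
    findings = []
    policy = None  # number of the crypto ikev1 policy whose body we are in
    for line in text.splitlines():
        if not line.startswith(" "):
            policy = None
        m = re.match(r"^crypto ikev1 policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy and re.match(r"^ (encryption (3des|des)|group [12])$", line):
            findings.append("ikev1 policy %s uses weak %s" % (policy, line.strip()))
            continue
        for pattern, message in LINE_CHECKS:
            m = re.match(pattern, line)
            if m:
                findings.append(message.format(*m.groups()))
    # Hosts are only ever shunned when scanning-threat shun is configured.
    if not re.search(r"^threat-detection scanning-threat shun", text, re.M):
        findings.append("scanning-threat shun is not configured; no hosts are shunned")
    return findings
```

Run it over the output of `show running-config` saved to a file; each finding maps back to the single line (or ikev1 policy block) that produced it.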