IKEv2 VPN without using licensed SSL? (ASA-5512)
Hi all
I enabled Cisco 'Anyconnect Premium peers' for customer less connections vpn ssl, the obvious snag is that for Anyconnect ikev2 sessions he wants to use the SSL license pool instead of the IPSEC pool (which I have a lot of connection for 'peers VPN Total: 250' licenses.
* Is it possible to configure Anyconnect to connect through IPSEC and use licensed IPSEC (while keeping Premium Anyconnect active peers)?
* Should I consider 3rd third-party vpn outside Anyconnect clients?
CyA
Craig
Remote access to sessions with IKEv2 will always consume a Premium license. Change for another customer will not help unless you change to a customer that uses the legacy technology with EasyVPN. But this should not be the solution.
If you enable AnyConnect Essentials, you can use AnyConnect with IPSec the platform limit, but you cannot use the features award (as a clientless) more at the same time.
In a situation like that where many AnyConnect-Sessions are necessary and only a couple of sessions without client, I installed AnyConnectEssentials on the ASA principal and deployed an another ASA only for VPN without client. Due to the high cost of premium VPN licenses, is much cheaper then buying the Premium licenses for all VPN users.
Sent by Cisco Support technique iPad App
Tags: Cisco Security
Similar Questions
-
How to establish a tunnel vpn ipsec using DNS with ASA 5505?
Hello
I m get a dynamic IP address public and what I m trying to do is establish a tunnnel remote vpn using IPSec, which I realize my provider but each time resets of sessions or ASA 5505 reset, I get a new public IP and I need to put the new IP address on the remote client, so I can establish the vpn...
How can I establish a vpn ipsec using DNS? For this scenario, the remote client vpn is a vpn phone, but it could be any vpn client.
Private private Public IP IP IP
PBX - Telephone (LAN) - ASA 5505-(Internet)-(router) Remote Site-(LAN) VPN-
Kind regards!
Ah ok I see, Yes in this case there is no that you can do other than request a static IP address from your ISP.
Kind regards.
PS: Don't forget to mark this question as answered. Thank you!
-
Installation of site to site VPN IPSec using PIX and ASA
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
I am a site configuration to site IPSec VPN using a PIX515E to site A and ASA5520 to Site B.
I have attached the lab diagram. Consider PIX and ASA are in default configuration, which means that nothing is configured on both devices.
According to the scheme
ASA5520
External interface is the level of security 11.11.10.1/248 0
The inside interface is 172.16.9.2/24 security level 100
Default route is 0.0.0.0 0.0.0.0 11.11.10.2 1
PIX515E
External interface is the level of security 123.123.10.2/248 0
The inside interface is 172.16.10.1/24 security level 100
Default route is 0.0.0.0 0.0.0.0 123.123.10.1 1
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
Could someone tell me how to set up this configuration? I tried but didn't workout. Here is the IKE protocol I have used.
IKE information:
IKE Encrytion OF
MD5 authentication method
Diffie Helman Group 2
Failure to life
IPSEC information:
IPsec encryption OF
MD5 authentication method
Failure to life
Please enter the following command
on asa
Sysopt connection permit VPN
on pix not sure of the syntax, I think it is
Permitted connection ipsec sysopt
What we are trying to do here is basically allowing vpn opening ports
Alternatively you can open udp 500 and esp (or port ip 50) out to in on the two firewalls
-
How to set up a Lan to Lan VPN without using your external IP address?
I have two 28 subnets A & B.
My PIX and ASA outside interface addresses are both in A subnet.
I am in the middle of a migration of the PIX to ASA and need to use the PIX outside of the address of the interface on the ASA for the last two remaining lan to lan VPN.
I do like that because the sellers of these virtual private networks to connect to are huge dinosaurs IT and the aaages to get their sh * t tri... This means that I have to pass the IP address to my ASA, so I can't sentence have change for a new IP peer.
I tried to figure out how to set a specific my counterpart VPN IP address but I can't figure out how...
I even physically connected a second ethernet port and tried to give a similar IP in the same range, which it says it is not possible to have both outside the IP addresses on the same subnet.
Hello
It is not possible to have an IP address "secondary" on the physics/logic interface of a Cisco firewall.
And as you've noticed, you cannot configure the same subnet on 2 different interface either.
We are talking about such a large configuration that you want to just migrate from completely to the ASA PIX and make a switch during a maintenance window?
Couldn't you just pass the ASAs 'outside' IP address address to that on the PIX and move the ASAs 'outside' of the PIX? Or not the ASAs "outside" IP address already some configured related to what makes this impossible?
-Jouni
-
ASA 5520: SSL VPN by using a different IP address that the ASA public IP address
Hi guys,.
I'm trying to configure an SSL VPN on a Cisco ASA5520.
Unfortunately port 443 interface OUTSIDE of the SAA is already used by Microsoft Outlook Web Access and I can not change the configuration of Outlook. This configuration already in place allows me to use the public IP address of the ASA as IP Cisco VPN for the Web page.
I don't not want to use a different port so to keep life easy for users.
I have a few available public IPs that I can use so I wanted to use one of them instead of the OUTSIDE of the ASA interface. Any idea how I could do?
Thank you
Dario
Unfortunately you can not use any other public ip address, except the ASA outside IP interface to complete the SSL VPN.
The only options that you have is to change the Outlook to use another port or the SSL VPN to use a different port.
-
SSL VPN without disabled in ASA5505 after the Activation of the AnyConnect client
Hello everyone,
I am facing a problem with the VPN service in ASA 5505. Initially, I was using SSL VPN without customer who was working absolutely fine, no problem. Recently I bought AnyConnect Essentials License with license AnyConnect VPN, Mobile (for focusing on the Client SSL VPN Service for desktop and mobile respectively) and have activated these keys inside of the firewall. After that I may be able to connect to based on the VPN Client, using the AnyConnect client. Clientless VPN access is not allowing you to connect and displays an error (see the attached screenshot).
I created two VPN profiles Viz, basic (for clientless VPN) and rvsvpn (for client based VPN). Download the AnyConnect Client I can connect to the rvsvpn profile. But if I try to connect using the basic profile, it throws an error has been to what is displayed in the exhibition.
Please help me in this regard, as what can be done to use both the vpn connection profile. Or what the use of AnyConnect disables client access?
Waiting for your help.
Thanks in advance.
Samrat.
"Anyconnect essentials" in your configuration command to disable all profiles without customer (as well as other features that require the Premium license).
Essentials and Premium are mutually exclusive as the performance of duties. You can have both installed licenses, but only use one or the other (and never both at once) in your running configuration.
-
access of entrepreneurs and employees of the web site in-house using clientless ssl vpn.
We have a layout of web SSL VPN without customer who allow employees and suppliers of connection and internal display web page. I wonder if possible separate employees and contractors to access internal pages. The internal web page has no authentication of users. They would like to see if it is possible that traffic employees get proxy behind interface INSIDE IP de ASA and entrepreneur behind a different IP address proxy traffic. Thus, the internal web page can check IP to contractor and only give them access to view certain web page, but not all pages.
Hello
Creating a group policy for each user group will be a good option, you can also use DAP to assign an ACL web to the user who logs on the portal without client, you can use the Radius, LDAP or Cisco attributes to associate the DAP for the user. For example, if you are using LDAP, you can create 2 groups separated here for employees and entrepreneurs and based on the LDAP user group membership, they will be assigned to specific web acl configured according to their access restrictions.
You can follow this link to set up an acl of web:
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...
Once the ACL is ready, you can follow this guide to configure the DAP Protocol: "check the web for acls figure10.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you, please note!
-
ASA 5512 different route by VPN Group (VRF as feature?)
Hello
Here's what I'm trying to do. I have a Nexus 7000 with several of the VRF, simplicity lets call it A VRF, VRF B, VRF C. VRF A simulates a network of management and VRF B and C are customer environments. VRF B and C VRF will be overlap of intellectual property. I have a 5512 ASA I use VPN in the environment, it also provides internet access for applications that run in A VRF, (VRF B and C do not require internet access). What I want to do is to implement three different access VPN on the SAA even, where some users will have VPN 1 group policy and have access to the VRF has, but should not have access to the VRF B or C, same VPN 2 should have access to the VRF B and 3 C VRF VPN.
My original intent was to configure the ASA with 0/0 to internet Gig, Gig 0/1 A VRF and then Gig 0/2 sub interfaced so 0/2.10 is 10.10.10.1 in VLAN 101 that connects VRF B, 0/2.11 concert would be 10.10.10.1 in 102 VLAN that connects to VRF C. However, better than I can tell ASA 5512 is not aware of VRF (or is it just a separate license, I would need?) and as such, it is not possible.
Next similar reflection, but instad configure as 0/2.10 is 10.10.10.1 in VLAN 101 that connects VRF B, 0/2.11 concert would be 10.10.11.1 in 102 VLAN that connects to VRF C. However, I throw it here, issues as the VPN 2 and 3 need access to devices with the same IP address, which is even better I can tell, the ASA is not able to make Policy based routing.
Is there another way to do this? Is there something that I am on?
I need to make sure that the 2A VPN users can access services available in the VRF B, they should not have the ability to access (intentionally or not) services on VRF A or C, nor the users VPN 1 or 3.I have also a 5585 ASA w / context multi license, I can then creates a context by VRF (that I have), I then interfaces in each correct the VRF-related context. However, I do not think that I can terminate VPN here, best I can tell when in multi-contexte mode you can not have VPN license.
Your research led you to conclude correctly that the ASA is neither compatible with VRF nor can it be based on routing strategies. Also, you cannot terminate remote access VPN on an ASA multi-contexte.
Doing what you ask a single AAS is a bit problematic. If you had a unique internal addresses, the subinterfaces would work fine.
Because it looks like you have a virtualization infrastructure, have you considered using the low cost ASAv? You could run multiple instances, one per VRF. Everyone knows only the public address space and its respective assocated VRF.
-
Filtering on ASA - CX without content license
Hello
Please can someone advise if it is possible to configure the URL/content filtering on a box of ASA - CX with an expired license?
I connected the PRSM onbox, I can't create objects and policies needed to enable filtering.
Also, I redirect to installation to the CX (for testing purposes), however in the current state (without a license) browsing all watch a 'redirect' screen and nothing happens the message stay here and does not have traffic redirected to the ASA. It is also due to licensing (there is currently no policy in place)
We are in the process of buying licenses STROKE and WSE, so I just want to check what the expected behaviours should be.
Thank you very much
CX is end of sales and new licenses are not sold by Cisco as of August 17, 2015. Reference.
A CX unlicensed generally cannot apply, create, or modify policies through its premises PRSM (or he can take an out of area PRSM) if the license for the feature is not present and active (IE out of date). It is further explained in the section User Guide on licensing.
You must use the power of fire and associated licenses for new deployments.
-
All necessary licenses on ASA 5510 for old Cisco VPN Client
We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?
Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).
You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.
-
I have to use PFS on ASA VPN?
Hello
I've been setting up some VPN clients on my Cisco ASA, some use the PFS option and others do not.
What is the point?
In the first package of quick mode, the initiator sends the identity information, proposal of the Association of security IPSec, Nonce payload and payload the key exchange (KE) optional in the case of Perfect Forward secret (PFS) is used
Perfect forward secret (PFS) is a cryptographic technique where newly created keys are unrelated to a key generated previously. With PFS enabled, Cisco ASA security generates a new set of keys that is used when negotiating IPSec Phase 2. Without PFS, the Cisco ASA uses keys of Phase 1 during the negotiations of Phase 2. The Cisco ASA uses Diffie-Hellman Group 1, 2, 5 and 7 for PFS to generate the keys. Diffie-Hellman Group 1 uses the size of 768-bit module to generate the keys, while group 2 uses 1024 bits and group 5 uses a size of 1536-bit module. Group 7, where the field size curve elliptical 163 bits, is designed for faster calculation of the keys usually used by the Group 5 Pocket PC is the safest technique but more general treatment. The syntax for setting up PFS is
card crypto-name of the seq - num map set pfs {group1: group2 | group5 | work.7}
This is the optional command
If useful rates
-
AnyConnect and SSL - VPN without client
Are there problems in running Cisco AnyConnect and SSL - VPN without client side by side?
I am currently looking into adding features for an ASA AnyConnect who currently set up to operate without SSL - VPN client. The system without client is not removed. I don't know how to set it up, I wonder if someone has already set up this or if there is no problem with this Setup?
Hi Daniel
It's a little complicated if you want a granular authentication and authorization, but it works.
I'm running an ASA with IPSec, SSL Client and clientless SSL.
Each of these virtual private networks with user/one-time-password name and certificate based authentic.
The main challenge is to put in place its own structure of profile cards, connection profiles, group policies and dynamic access policies.
Feel free to ask questions...
Stephan
-
I need to disable my Creative Suite license on another computer in order to activate it on a new computer, but the old computer crashed and I can't use it. Is it possible to deactivate the license on the old computer without using it?
you are allowed two facilities, activations, you should may not disable before activating on your new computer.
But if you don't, contact adobe for hourly pst support by clicking here and, when available, click on "still need help," https://helpx.adobe.com/contact.html. Ask a county of activation reset.
-
I need to KNOW for the firewall of the firepower of ASA for the Site to site VPN sessions or client sessions vpn site need no license.
The ASA 5516 X (with or without fire power module) is fully approved for IPsec site-to-site VPN until the capacity of the equipment (300 for this platform).
"customer site" or to speak (if SSL or IPsec IKEv2) VPN remote access, require licenses AnyConnect. There are 2 Premium / Apex licenses included with all the ASAs which are there mainly to test the feature.
If you want to set up for multiple users, you can buy AnyConnect. Currently, it is available in two versions - more and Apex. More is a base of remote access VPN and the client must be installed on the end user's computer. Apex is the top version with many more advanced features and may possibly be used to configure clientless SSL VPN by which the end user only needs a browser.
Visit the AnyConnect product information pages for many more details.
-
VPN site-to-site between ASA 5505 and 2911
Hi all
I'm trying to setup VPN S2S. A.a.a.a of ip for the router 2911 office, remote office ASA 5505 8.4 (3) with ip b.b.b.b, but no luck.
2911 config:
!
version 15.2
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 2911
!
boot-start-marker
Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin
boot-end-marker
!
!
Min-length 10 Security passwords
logging buffered 51200 warnings
!
No aaa new-model
!
!
min-threshold queue spd IPv6 62
Max-threshold queue spd IPv6 63
No ipv6 cef
the 5 IP auth-proxy max-login-attempts
max-login-attempts of the IP 5 admission
!
!
!
DHCP excluded-address IP 192.168.10.1 192.168.10.99
DHCP excluded-address IP 192.168.22.1 192.168.22.99
DHCP excluded-address IP 192.168.33.1 192.168.33.99
DHCP excluded-address IP 192.168.44.1 192.168.44.99
DHCP excluded-address IP 192.168.55.1 192.168.55.99
192.168.10.240 IP dhcp excluded-address 192.168.10.254
DHCP excluded-address IP 192.168.22.240 192.168.22.254
DHCP excluded-address IP 192.168.33.240 192.168.33.254
DHCP excluded-address IP 192.168.44.240 192.168.44.254
DHCP excluded-address IP 192.168.55.240 192.168.55.254
!
desktop IP dhcp pool
import all
network 192.168.33.0 255.255.255.0
router by default - 192.168.33.254
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
wi - fi IP dhcp pool
import all
network 192.168.44.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.44.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
DMZ IP dhcp pool
import all
network 192.168.55.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.55.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
IP dhcp pool voip
import all
network 192.168.22.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.22.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
IP dhcp pool servers
import all
network 192.168.10.0 255.255.255.0
default router 192.168.10.254
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
!
IP domain name of domain
name-server IP 192.168.10.10
IP cef
connection-for block 180 tent 3-180
Timeout 10
VLAN ifdescr detail
!
Authenticated MultiLink bundle-name Panel
!
!
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-3956567439
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 3956567439
revocation checking no
rsakeypair TP-self-signed-3956567439
!
!
TP-self-signed-3956567439 crypto pki certificate chain
certificate self-signed 01 nvram:IOS - Self-Sig #1.cer
license udi pid sn CISCO2911/K9
!
!
the FULL_NET object-group network
full range of the network Description
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
object-group network limited
description without servers and router network
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
VTP version 2
password username admin privilege 0 password 7
!
redundancy
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 10
BA aes 256
sha512 hash
preshared authentication
ISAKMP crypto key admin address b.b.b.b
invalid-spi-recovery crypto ISAKMP
!
!
Crypto ipsec transform-set esp - aes esp-sha-hmac SET
!
!
!
10 map ipsec-isakmp crypto map
the value of b.b.b.b peer
Set transform-set
match address 160
!
!
!
!
!
Interface Port - Channel 1
no ip address
waiting-150 to
!
Interface Port - channel1.1
encapsulation dot1Q 1 native
IP 192.168.11.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.10
encapsulation dot1Q 10
IP address 192.168.10.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.22
encapsulation dot1Q 22
IP 192.168.22.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.33
encapsulation dot1Q 33
IP 192.168.33.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.44
encapsulation dot1Q 44
IP 192.168.44.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.55
encapsulation dot1Q 55
IP 192.168.55.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0
no ip address
Shutdown
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
no ip address
automatic duplex
automatic speed
channel-group 1
!
interface GigabitEthernet0/2
Description $ES_LAN$
no ip address
automatic duplex
automatic speed
channel-group 1
!
interface GigabitEthernet0/0/0
IP address a.a.a.a 255.255.255.224
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
crypto map
!
IP forward-Protocol ND
!
no ip address of the http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0
IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static
IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
NAT_INTERNET extended IP access list
refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255
refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255
permit ip FULL_NET object-group everything
!
access-list 1 permit 192.168.44.100
access-list 23 allow 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control plan
!
!
!
Line con 0
password password 7
opening of session
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
access-class 23 in
privilege level 15
local connection
entry ssh transport
line vty 5 15
access-class 23 in
privilege level 15
local connection
entry ssh transport
!
Scheduler allocate 20000 1000
!
end
The ASA config:
: Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1 no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable
ASA:
# show crypto ipsec his
There is no ipsec security associations
# show crypto isakmp his
There are no SAs IKEv1
There are no SAs IKEv2
2911:
#show crypto ipsec his
Interface: GigabitEthernet0/0/0
Tag crypto map: map, addr a.a.a.a local
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.17.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors of #send 4, #recv errors 0
local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b
Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0/0
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
-Other - arrival ah sas:
-More-
-More - CFP sas on arrival:
-More-
-More - outgoing esp sas:
-More-
-More - out ah sas:
-More-
-More - out CFP sas:
Thanks for your time,
Nick
Please add
map Office 2 set transform-set OFFICE ikev1 crypto
If it is not helpful, please enable debug crypto ipsec 255 and paste here.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Maybe you are looking for
-
Y40 elan touchpad two finger click right does not work in Win 8.1 64 bit
-
"Write failed" error message during shutdown began after you download Explorer 8 and then remove Explorer 8. How can I get rid of him?
-
Omni 27-1055: omni 27-1055
How to use my omni 27-1055 like a TV using the coaxial cable connection that comes with it. I tried using the remote, but he could not change the PC mode to TV mode.
-
Display only the last 4 digits of a set of numbers?
HelloIs there a way where I can limit the characters to shoot only in the last digits of the 4 digits instead the first 4 of a set of numbers? I did the character limit, but he shoots only in the first 4 characters. Any help is appreciated! Thank y
-
Impossible to update to 11.0.14 - install error 1301 (Mac/El Capitan)
I upgraded to El Capitan, last week, and now the last update of Acrobat will not work. Screenshot of error below. Ideas?