VPN config sync in a cluster
Hi people,
does anyone know how two VPN 3030 concentrators with VRRP active synchronize their configuration? I've yet to find any documentation. I guess it works over VRRP advertisements. I don't think that, if you configure a secure connection, you need to do the synchronization by hand when backing up. Go automatic.
Thanks in advance
Thomas
Yes, you must manually configure both systems. We all feel your pain. In fact, someone asked for exactly the feature you are looking for; see enhancement request CSCdv88787. It has been open a looooong time and (obviously) still is not implemented. So don't hold your breath.
HTH,
Mike
Tags: Cisco Security
Similar Questions
-
Need an extra pair of eyes to look over a VPN config question...
I have a 515 and three 501s. I currently have 2 VPNs working well. I'm having a bit of a time getting the 3rd VPN up. I checked that the same key is used for both configs. I know I'm missing something simple here, but I can't see it...
515:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
...
hostname YRPCI
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice (this is the local device)
name x.x.152.238 Savannah
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.11 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set RIGHT
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set RIGHT
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set RIGHT
crypto map vpn1 interface outside
isakmp enable outside
isakmp key * address ConstOffice netmask 255.255.255.255
isakmp key * address BftOffice netmask 255.255.255.255
isakmp key * address Savannah netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *
terminal width 80
Cryptochecksum:849d6fdb066c58cf7cfe868b6109145c
: end
501: (VPN is not working)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set RIGHT
isakmp enable outside
isakmp key * address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end
Thanks for your help in advance, guys.
Dave
I think the following should be added to the config of the 501:
crypto map vpn1 interface outside
-
Hello
I have a PIX 515E currently running version 7.
Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or ISP router IP address is provided)?
I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?
I think that v7 does not support PPPoE, so I can't set the ADSL modem to bridged mode?
Is there a way to fix this?
Any help gratefully appreciated.
Apply the commands below:
isakmp identity address
isakmp nat-traversal 20
If the problem persists, then please post the entire config with the public IPs hidden.
-
I was working on setting up a PIX 515E to serve as my firewall and VPN. The firewall and main routing work well, as I am able to VPN in and get an IP address. However, I am unable to remote desktop to a PC behind the firewall.
Here is my config as I have it now. If someone could show me what I'm missing, that would be great.
Firewall# sh run
: Saved
:
PIX Version 7.2(3)
!
hostname Firewall
domain-name DOMAINNAME.COM
enable password r9tt5TvvX00Om3tg encrypted
names
!
interface Ethernet0
 description PPPoE Interface
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe
 ip address 63.115.220.5 255.255.255.255 pppoe setroute
!
interface Ethernet1
 description Internal network
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet2
 description DMZ Interface
 nameif DMZ
 security-level 50
 ip address 10.1.48.1 255.255.252.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone STD -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name ivanwindon.ghpstudios.com
object-group service remote tcp-udp
 description Remote Desktop
 port-object range 3389 3389
access-list vpn_client_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240
access-list Local_LAN_Access remark Local LAN access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list outside_cryptomap_65535.20 extended deny ip any any
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_client_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp any eq 3389 any eq 3389
pager lines 24
logging enable
logging console informational
logging monitor informational
logging trap informational
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.225.112.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
telnet 192.168.0.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe request dialout pppoe
vpdn group pppoe localname [email protected]
vpdn group pppoe ppp authentication chap
vpdn username username password *
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 1500
dhcpd ping_timeout 10
dhcpd domain DOMAINNAME
dhcpd auto_config off vpnclient-wins-override
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.5-192.168.0.49 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 1500 interface inside
dhcpd ping_timeout 10 interface inside
dhcpd domain DOMAINNAME interface inside
dhcpd option 3 ip 192.168.0.1 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server inside 192.168.0.4 /TFTP-Root
group-policy vpn_client internal
group-policy vpn_client attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_client_splitTunnelAcl_1
 default-domain value DomainName
username admin password I727P4FvcUV4IZGC encrypted privilege 15
username ivanwindon password 7K5PuGcBwHggqgCD encrypted privilege 0
username ivanwindon attributes
 vpn-group-policy vpn_client
tunnel-group vpn_client type ipsec-ra
tunnel-group vpn_client general-attributes
 address-pool vpn_pool
 default-group-policy vpn_client
tunnel-group vpn_client ipsec-attributes
 pre-shared-key *
smtp-server 96.125.164.139
prompt hostname context
Cryptochecksum:48fdc775b2330699db8fc41493a2767c
: end
Firewall#
Ivan Windon
Sent from the Cisco Technical Support iPad App
Hello
I would first change the VPN Client pool to something other than the LAN, such as 192.168.1.0/24.
NAT0
- Add the NAT0 rule for the new pool and then remove the old ones:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
no access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.96 255.255.255.240
VPN Client pool
- Remove the old pool from the tunnel-group configuration, then remove the pool, make a new pool, and finally configure the new pool under the tunnel-group:
tunnel-group vpn_client general-attributes
 no address-pool vpn_pool
no ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
ip local pool vpn_pool 192.168.1.100-192.168.1.105 mask 255.255.255.0
tunnel-group vpn_client general-attributes
 address-pool vpn_pool
There's another thread with a similar problem (even though the settings appear to be correct) on the forums.
If you can't get the RDP connection working, I would also maybe Google for UltraVNC, install it on the LAN host and on your VPN Client machine, and try to connect with it to determine that the VPN Client configurations are all OK. There have been problems that were ultimately associated with the LAN host rather than the VPN Client configurations.
If you see the need, save your settings before making any changes.
-Jouni
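The two threads above fail for reasons that are easy to miss by eye in a long running config: the 501 had a complete crypto map that was never applied to an interface, and the 515E handed VPN clients addresses out of the inside LAN itself. The checker below, added here as an example and not code from either post, parses just the statements those two checks need (both the PIX 6.x `ip address inside A M` form and the 7.x/ASA form under `interface`) and reports both problems. The sample config is constructed and reproduces both mistakes; the "fixed" copy applies the two remedies the answers give.

```python
"""Lint a PIX/ASA-style running config for two VPN mistakes: a crypto map that
is defined but never bound to an interface, and a remote-access address pool
carved out of a directly connected subnet. Added example; the config is
constructed, not taken from a real device. Needs Python 3.8+."""
import ipaddress
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample with both mistakes on purpose.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
ip address outside pppoe setroute
ip local pool vpn_pool 192.168.0.100-192.168.0.105 mask 255.255.255.0
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set peer 203.0.113.7
crypto map vpn1 30 set transform-set RIGHT
isakmp enable outside
"""

# The same config after the two fixes given in the threads: bind the crypto
# map to the outside interface and move the pool to a subnet the box does not own.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.0.100-192.168.0.105", "192.168.1.100-192.168.1.105"
) + "crypto map vpn1 interface outside\n"


def parse(config):
    """Extract interface subnets, address pools and crypto map statements."""
    facts = {"subnets": {}, "pools": {}, "maps": set(), "bound": set()}
    nameif = None  # current interface name in 7.x/ASA sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif m := re.match(rf"ip address (?:(\S+) )?{IPV4} {IPV4}", line):
            ifname = m[1] or nameif  # PIX 6.x names the interface inline
            if ifname:
                facts["subnets"][ifname] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(rf"ip local pool (\S+) {IPV4}-{IPV4}", line):
            facts["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            facts["bound"].add(m[1])
        elif m := re.match(r"crypto map (\S+) \d+ ", line):
            facts["maps"].add(m[1])
    return facts


def unbound_crypto_maps(facts):
    """Crypto maps with numbered entries but no 'crypto map NAME interface X'.
    Without that line the box never initiates or answers IKE for those peers."""
    return sorted(facts["maps"] - facts["bound"])


def overlapping_pools(facts):
    """Pools whose range lies inside a connected subnet: clients then hold
    addresses the LAN already owns, and ARP plus the nat 0 exemption get ambiguous."""
    hits = []
    for pool, (lo, hi) in sorted(facts["pools"].items()):
        for ifname, net in sorted(facts["subnets"].items()):
            if lo in net or hi in net:
                hits.append((pool, ifname, str(net)))
    return hits


def lint(config):
    """Return human-readable findings; an empty list means both checks pass."""
    facts = parse(config)
    findings = [f"crypto map '{name}' is never applied to an interface"
                for name in unbound_crypto_maps(facts)]
    findings += [f"pool '{pool}' overlaps connected subnet {net} on '{ifname}'"
                 for pool, ifname, net in overlapping_pools(facts)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

Run it against `show running-config` output saved to a file by reading the file into `lint()`; anything it reports is worth fixing before chasing ISAKMP debugs.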
-
1760 router VPN config request
Hello
I want to configure a 1760V router to support remote-access 3DES IPsec VPN for approximately 5 Cisco VPN clients on the Internet. I would appreciate it if you have a config for it.
Thank you
-Nasser.
Here is an example of configuring IPsec router-to-router and client:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094685.shtml
Example for EasyVPN, Cisco VPN client to router:
http://www.Cisco.com/warp/public/732/tech/security/IPSec/docs/ClientServer.PDF
Kind regards
Mustafa
-
RV042G remote-access VPN config with Shrew Soft
Hello
I am trying to set up a remote-access IPsec VPN; I have a Cisco Small Business RV042G router. I have managed to connect with the QuickVPN client using a previously created user. I also managed to establish a connection with the TheGreenBow client with a pre-shared key and client authentication by IP address or by e-mail. I managed exactly the same with the Shrew Soft VPN Client. I would like Shrew Soft VPN to establish a connection only with user credentials, because if only the pre-shared key is used, anyone anywhere can access the VPN set up on this computer.
To sum it up, can you tell me what configuration must be used to authenticate by user identity only with the Shrew Soft VPN Client?
Thank you very much.
Hello
Usually Mutual PSK + XAuth is used when you want to set up a username and password on top of pre-shared key authentication.
But the RV042G doesn't support XAuth, which means that you cannot create a separate user/password to connect with the Shrew Soft VPN client.
Kind regards
Bismuth
-
How to add more than one VPN to an existing VPN config
Dear team
I would like to ask for your help quickly... I am not a Cisco guru, but I would like to know if I can get help on how to add a VPN to an existing one. My company has already implemented a site-to-site VPN with a dealer or partner, where they share some data and make transactions, but the question is, I am now about to add 2 other companies, so I need to create another VPN tunnel to each of them without the risk of breaking or disconnecting the old one that is running. How can I do it? Can someone help me implement it?
Thanks in advance for your help.
I use a Cisco 1841, version 7.
1. Now I want to know, who should I ask for the IP access list? Should I create it, or do I have to ask my partner to provide it so I can put it in?
The access list consists of the IPs / subnets on your local network and the remote LAN. The source of the ACL will be your local LAN and the destination will be the remote LAN.
access-list 101 extended permit ip
2. Is the transform set name given by my partner, or do I have to create it myself?
The transform set name is locally significant. However, it specifies the phase 2 encryption standards, so that part will have to be coordinated with the peer.
crypto ipsec transform-set RIGHT esp-aes esp-sha-hmac
In the transform set above, RIGHT is just a local name so you can reference it in a crypto map. esp-aes esp-sha-hmac is the encryption part that has to be agreed between you and your counterpart. According to the image you posted, you would use esp-3des esp-sha-hmac.
3. Because I see that the policy of the first VPN customer (partner) is set to policy 10, should I also make each VPN policy 10, or does the policy number not matter?
The policy number is a sequence number and is matched in a top-to-bottom fashion until a match is found. If no match is found, then Phase 1 will not complete and establish the tunnel. This is important if you have several peers and some of them use different phase 1 settings. If this is the case, you will need to use different sequence numbers for each policy.
4. I have also seen that we have security association lifetimes for the 2 phases; which one is used?
Both are used, and they are both at their default values; you don't need to do any configuration for those.
--
Please do not forget to select a correct answer and rate useful posts
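Adding a second or third peer to an existing crypto map comes down to two things the answer above spells out: the new peer's crypto ACL must be the mirror image of yours, and the peer's phase 1 parameters must match at least one of your ISAKMP policies (sequence numbers do not have to match; IKE walks them top-down). The script below, an added example and not part of the post, takes the two sides' configs and reports ACL entries with no reversed twin, the policy pairs that agree, and crypto ACL entries that use `any`. Both configs are constructed and written in IOS syntax (wildcard masks) because the asker has an 1841; it also accepts the ASA `extended` form and the one-line `crypto map NAME SEQ match address` form. The second `Outside_cryptomap` line in each of the ASA 5505 configs further down this page (`permit object-group ... any any`) is the pattern the `any` check flags: it drags all traffic, not just the remote LAN, into the tunnel.

```python
"""Cross-check a site-to-site IPsec peer against the partner's side: crypto
ACLs must be mirror images and at least one ISAKMP policy must agree on
authentication, encryption, hash and DH group. Added example; both configs
below are constructed. Needs Python 3.8+."""
import re

# Constructed local side: one existing policy (10) and one added for the new
# partner (20). The crypto ACL names our LAN as source, theirs as destination.
LOCAL = """\
access-list 101 permit ip 10.10.0.0 0.0.0.255 172.16.5.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encr 3des
 hash sha
 group 2
crypto isakmp policy 20
 authentication pre-share
 encr aes 256
 hash sha
 group 5
crypto map vpn1 20 ipsec-isakmp
 match address 101
"""

# Constructed partner side: the reverse of our ACL, and a policy that agrees
# with our sequence 20 even though it sits at sequence 10 over there.
PARTNER = """\
access-list 101 permit ip 172.16.5.0 0.0.0.255 10.10.0.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encr aes 256
 hash sha
 group 5
crypto map vpn1 10 ipsec-isakmp
 match address 101
"""

# IOS defaults for parameters a policy block leaves unspecified.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}


def _endpoints(spec):
    """Turn 'A M B M', 'any any' or 'host X ...' into ((src, mask), (dst, mask))."""
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        if t == "any":
            out.append(("any", "any"))
        elif t == "host":
            out.append((toks.pop(0), "host"))
        else:
            out.append((t, toks.pop(0)))
    return tuple(out)


def parse_peer(config):
    """Collect ISAKMP policies and the entries of every ACL a crypto map references."""
    acls, policies, crypto_acls = {}, {}, set()
    block = None  # ("policy", dict) or ("map", None) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            block = None  # any unindented line ends the current sub-mode
        if m := re.match(r"access-list (\S+) (?:extended )?permit ip (.+)$", line):
            acls.setdefault(m[1], set()).add(_endpoints(m[2]))
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            policies[m[1]] = dict(DEFAULTS)
            block = ("policy", policies[m[1]])
        elif block and block[0] == "policy" and (
                m := re.match(r"(authentication|encr|encryption|hash|group) (.+)$", line)):
            key = "encryption" if m[1].startswith("encr") else m[1]
            block[1][key] = m[2].replace(" ", "")  # 'aes 256' -> 'aes256'
        elif re.match(r"crypto map \S+ \d+ ", line) or (block and block[0] == "map"):
            block = ("map", None)
            if m := re.search(r"match address (\S+)$", line):
                crypto_acls.add(m[1])
    entries = set().union(*(acls.get(a, set()) for a in crypto_acls))
    return {"policies": policies, "crypto_entries": entries}


def mirror_mismatches(local, partner):
    """(ours_without_twin, theirs_without_twin): every crypto ACL entry on one
    side must appear reversed on the other, or phase 2 fails on proxy identities."""
    ours = local["crypto_entries"]
    theirs_reversed = {(dst, src) for src, dst in partner["crypto_entries"]}
    return sorted(ours - theirs_reversed), sorted(theirs_reversed - ours)


def matching_policies(local, partner):
    """(local_seq, partner_seq) pairs whose phase 1 parameters agree, in the
    top-down order IKE evaluates them; an empty list means phase 1 cannot complete."""
    order = lambda d: sorted(d.items(), key=lambda kv: int(kv[0]))
    return [(ls, ps) for ls, lp in order(local["policies"])
            for ps, pp in order(partner["policies"]) if lp == pp]


def wide_open_entries(peer):
    """Crypto ACL entries with 'any' on either side: they pull all traffic into
    the tunnel and shadow the more specific entries of other peers."""
    return sorted(e for e in peer["crypto_entries"] if "any" in (e[0][0], e[1][0]))


if __name__ == "__main__":
    local, partner = parse_peer(LOCAL), parse_peer(PARTNER)
    print("mirror mismatches:", mirror_mismatches(local, partner))
    print("phase 1 matches:", matching_policies(local, partner))
    print("any-any entries:", wide_open_entries(partner))
```

Running it on the two constructed configs reports no mismatches and one phase 1 match, (20, 10); swap the partner's hash to md5 or add a `permit ip any any` entry and both findings change, which is exactly the kind of disagreement that shows up only as a cryptic "no proposal chosen" or a wrong-peer match on the device.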
-
Help with NAT 0 and a VPN config on a DMZ
Before the VPN, we got by with 'nonatdmz'. Recently, we tried to implement a VPN solution using "VPNRA".
The ASA OS only lets you use one "nat 0" at a time; how do you get around that?
TIA
access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonatdmz
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
nat (inside) 0 access-list VPNRA
You can add several lines to your nonatdmz access-list, for example:
access-list nonatdmz extended permit ip any 192.168.100.0 255.255.255.0
access-list nonatdmz extended permit ip 172.0.0.0 255.0.0.0 10.17.70.0 255.255.255.0
nat (inside) 0 access-list nonatdmz
-
Hello;
Is there a document that describes the steps to migrate the configuration from a VPN Concentrator to an ASA?
Thank you
I think there may be another link out there; not sure, I can't recall seeing any other.
http://www.Cisco.com/en/us/docs/security/ASA/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html
-
VPN config after the PIX to ASA conversion utility
After I ran the PIX to ASA conversion tool, it changed my pre-shared key to a single asterisk. Will it work, or did the utility bumble it? Here is an example:
tunnel-group xxx.117.34.5 ipsec-attributes
 pre-shared-key *
Thank you
Thomas
Thomas,
I've never used it, but if you want to check, issue the following command on the ASA:
more system:running-config
If you still see asterisks with this command, then the key must be re-entered. Otherwise, you should see the real keys.
I hope this helps.
Raga
-
Problem with a site-to-site VPN between two Cisco ASA 5505s
Starting out with Cisco ASA. I wanted to set up a Cisco site-to-site VPN. I need help. I can't ping from site A to site B or vice versa.
Cisco ASA1 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.60.2 255.255.255.0
!
ftp mode passive
object network Lan_Outside
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object network Lan_Outside
 nat (inside,outside) dynamic interface dns
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 96.88.75.222
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.60.50-192.168.60.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_96.xx.xx.222 internal
group-policy GroupPolicy_96.xx.xx.222 attributes
 vpn-tunnel-protocol ikev1 ikev2
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 general-attributes
 default-group-policy GroupPolicy_96.xx.xx.222
tunnel-group 96.xx.xx.222 ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication pre-shared-key *
 ikev2 local-authentication pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
---
Cisco ASA 2 config
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Lan_Outside
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 no-proxy-arp route-lookup
!
object network Lan_Outside
 nat (any,outside) dynamic interface
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 172.110.74.4
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_172.xxx.xx.4 internal
group-policy GroupPolicy_172.xxx.xx.4 attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 general-attributes
 default-group-policy GroupPolicy_172.xxx.xx.4
tunnel-group 172.xxx.xx.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect http
For IKEv2 configuration (example config; you can change the encryption, group, ...):
- You must add the NAT exemption statement (see previous answer).
- Set your encryption domain ACLs:
access-list IPSEC-TRAFFIC extended permit ip LOCAL-LAN REMOTE-LAN
- Set Phase 1:
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption 3des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
- Set Phase 2:
crypto ipsec ikev2 ipsec-proposal IKEV2-PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
- Set the tunnel group:
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
tunnel-group REMOTE-PUBLIC-IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
- Define the crypto map:
crypto map CRYPTOMAP 10 match address IPSEC-TRAFFIC
crypto map CRYPTOMAP 10 set peer REMOTE-PUBLIC-IP
crypto map CRYPTOMAP 10 set ikev2 ipsec-proposal IKEV2-PROPOSAL
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
In your config you have all these commands, but in your VPN config you mix ikev1 and ikev2. You have also defined different ikev2 policies. Just do a bit of cleaning and agree on one policy for the two sites (encryption, hash, ...).
Thank you
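As an added example (not code from this thread), the cleanup the reply above asks for can be checked mechanically: this Python script parses the `crypto ikev1/ikev2 policy` blocks and crypto map entries of an ASA config and reports weak algorithms, several policies per IKE version, and crypto map entries that set both IKEv1 and IKEv2. The weak-algorithm sets and the sample config are this example's own assumptions.

```python
# Audit the IKE policies of a Cisco ASA config for the problems named in the reply above (added example, not code from the posts; the WEAK sets are this example's assumption).
import re
from collections import defaultdict
# ikev1 policies carry "hash", ikev2 policies carry "integrity"; DH groups 1 and 2 are legacy.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "integrity": {"md5"}, "group": {"1", "2"}}

def parse_ike_policies(config):
    """Return {(version, number): {attribute: value}} from 'crypto ikevN policy N' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)\s*$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any non-indented line ends the policy block
    return policies

def audit(config):
    """Findings: weak algorithms, several policies per IKE version, crypto map entries mixing versions."""
    findings, policies = [], parse_ike_policies(config)
    for (ver, num), attrs in sorted(policies.items()):
        for attr, weak in WEAK.items():
            bad = sorted(set(attrs.get(attr, "").split()) & weak)
            if bad:
                findings.append(f"{ver} policy {num}: weak {attr} {' '.join(bad)}")
    per_version = defaultdict(list)
    for ver, num in policies:
        per_version[ver].append(num)
    for ver, nums in per_version.items():
        if len(nums) > 1:  # the reply's advice: agree on one policy for both sites
            findings.append(f"{ver}: {len(nums)} policies defined, agree on one")
    versions_per_entry = defaultdict(set)
    for m in re.finditer(r"crypto map (\S+) (\d+) set (ikev[12]) ", config):
        versions_per_entry[(m.group(1), int(m.group(2)))].add(m.group(3))
    for (name, seq), vers in versions_per_entry.items():
        if vers == {"ikev1", "ikev2"}:
            findings.append(f"crypto map {name} {seq}: mixes ikev1 and ikev2")
    return findings

# Constructed sample in the shape of the ASA 2 config posted above, shortened.
SAMPLE = """\
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
crypto ikev2 policy 1
 encryption aes-256
 group 2 5
crypto ikev2 policy 40
 encryption des
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
"""
```

Running `audit(SAMPLE)` lists seven findings for the sample, including the mixed ikev1/ikev2 crypto map entry and the two ikev2 policies.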
-
How to create a .pcf VPN profile file for the Cisco VPN Client software
Dear all,
How do I create a .pcf VPN profile file for the Cisco VPN Client software?
Regards
Hi Imran,
I can't say much about that because it depends on how the VPN server authenticates you and how it is set up. But let me show you the layout. Once you install and open the VPN client, press it again and it opens a new page for the VPN config.
An example configuration is attached, but it differs depending on the configuration of your VPN server.
Once you create and save this profile, your .pcf file is stored.
Please rate if the information provided is useful.
By
Knockaert
-
Remote access VPN client to PIX, DNS issue
Hi all. I searched on this, but I can't find my answer.
I set up a VPN connection to a PIX firewall (running version 8.0(4)) for my business. The VPN connection works correctly, in that I can connect to it using my Cisco VPN Client software (v5.0.02.0090) and ping internal servers/resources by IP address. However, if I try to ping by host name, it does not resolve to an IP address. If I open a command prompt on my PC and type ipconfig /all, there are no DNS servers listed for my VPN adapter, just for my normal Intel NIC adapter. I think I should have a DNS server listed under the VPN adapter, right? Here are the (I think) relevant lines of the VPN config:
PIX Version 8.0(4)
domain-name xx.xx
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.20.23
 domain-name xx.xx
ip local pool vpnpoolIT 10.10.8.2-10.10.8.254 mask 255.255.255.0
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *****
What am I missing? I can resolve DNS requests on the PIX itself.
All the info I can find online is for an older version of the PIX software, which says that I should enter the vpngroup dns-server ip-address command, but this command is not available in my version of the software.
Hello
To set a DNS server to be injected into the VPN clients when they connect, you can do the following:
This is the tunnel-group where the remote connection lands:
tunnel-group ITGroup type remote-access
tunnel-group ITGroup general-attributes
 address-pool vpnpoolIT
 authentication-server-group RADIUS
tunnel-group ITGroup ipsec-attributes
 pre-shared-key *****
For example, create a group policy:
group-policy VPN internal
group-policy VPN attributes
 dns-server value x.x.x.x    --> where x.x.x.x is the IP address of the DNS server
Then, apply the group policy to the tunnel group:
tunnel-group ITGroup general-attributes
 default-group-policy VPN
Hope it helps.
Federico.
-
S-S VPN between ASA and ASR1001
Hello
We have 2 ASR routers connected to the ISP at headquarters, and there are new remote sites that must be connected to HQ over a site-to-site VPN. Each remote branch will have an ASA; the outside IPs of the two ASRs are in the same subnet.
1. Is it possible to reach redundancy on the HQ side in this design?
2. Can I create L2L tunnels to the two ASRs? If yes, how can I make one tunnel active and the other secondary?
                                 | ASR1
Users---L3SW---ASA---ISP---CPE---|
                                 | ASR2
Any suggestions are welcome.
Thank you
There are two ways:
- IPsec stateful failover
http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_vpnav/configuration/15-Mt/sec-VPN-availability-15-Mt-book/Sec-State-fail-IPSec.html
http://packetlife.net/blog/2009/Aug/17/fun-IPSec-stateful-failover/
- VPN config with two peers on one ASA.
Here you have two individual gateways at HQ, and the ASA has two tunnel-groups for the two gateways but only a single sequence in the crypto map. The peer statement has the two HQ IPs configured.
-
VPN gateway with traffic filtering
I am working in the lab on a small-scale configuration in which a client PC establishes an IPsec VPN with a Cisco 1921 router. I have two questions in this regard.
(1) For wireless PC clients, is an IPsec VPN client the best option, or should I prefer other options? The wireless clients also use a RADIUS server for authentication.
(2) I want to make sure no traffic other than the VPN client traffic can reach or pass the local network interface. What do I need to set up on the router to make sure that no traffic other than VPN traffic can pass?
First: The real IPsec VPN client is AnyConnect. The VPN config for an AnyConnect gateway (especially for IPsec) on the IOS router is much more difficult than on the ASA. If you still have the possibility of changing the gateways, then go for an ASA. It is also much cheaper from a license perspective, since there is no AnyConnect Essentials license for the router. The traditional Cisco VPN Client is EOL and no new deployment should be started on that basis.
Your questions:
(1) All VPN users should be authenticated in some way. Sending the authentication request to a central directory is a best practice and is usually done with RADIUS. In addition to authentication, you can also perform authorization to control what rights a VPN user gets.
(2) If you only want to allow IPsec traffic, you must configure an access list that permits UDP/500, UDP/4500 and IP/50 to your router IP. With this config, all other traffic will be dropped.