Install two the separate IPSec VPNS on ASA 5505

Similar Questions

• Problem with IPsec VPN between ASA and router Cisco - ping is not response

  Hello

  I don't know because the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):

  my network topology data:

  LAN 1 connect ASA - 1 (inside the LAN)

  PC - 10.0.1.3 255.255.255.0 10.0.1.1

  ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0

  -----------------------------------------------------------------

  ASA - 1 Connect (LAN outide) R1

  ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252

  R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252

  ---------------------------------------------------------------------

  R1 R2 to connect

  R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252

  R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252

  R2 for lan connection 2

  --------------------------------------------------------------------

  R2 to connect LAN2

  R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0

  PC - 10.0.2.3 255.255.255.0 10.0.2.1

  ASA configuration:

  1 GigabitEthernet interface
  nameif inside
  security-level 100
  IP 10.0.1.1 255.255.255.0
  no downtime
  interface GigabitEthernet 0
  nameif outside
  security-level 0
  IP 172.30.1.2 255.255.255.252
  no downtime
  Route outside 0.0.0.0 0.0.0.0 172.30.1.1

  ------------------------------------------------------------

  access-list scope LAN1 to LAN2 ip 10.0.1.0 allow 255.255.255.0 10.0.2.0 255.255.255.0
  object obj LAN
  subnet 10.0.1.0 255.255.255.0
  object obj remote network
  10.0.2.0 subnet 255.255.255.0
  NAT (inside, outside) 1 static source obj-local obj-local destination obj-remote control remote obj non-proxy-arp static

  -----------------------------------------------------------
  IKEv1 crypto policy 10
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 3600
  Crypto ikev1 allow outside
  crypto isakmp identity address

  ------------------------------------------------------------
  tunnel-group 172.30.2.2 type ipsec-l2l
  tunnel-group 172.30.2.2 ipsec-attributes
  IKEv1 pre-shared-key cisco123
  Crypto ipsec transform-set esp-aes-192 ASA1TS, esp-sha-hmac ikev1

  -------------------------------------------------------------
  card crypto ASA1VPN 10 is the LAN1 to LAN2 address
  card crypto ASA1VPN 10 set peer 172.30.2.2
  card crypto ASA1VPN 10 set transform-set ASA1TS ikev1
  card crypto ASA1VPN set 10 security-association life seconds 3600
  ASA1VPN interface card crypto outside

  R2 configuration:

  interface fastEthernet 0/0
  IP 10.0.2.1 255.255.255.0
  no downtime
  interface fastEthernet 0/1
  IP 172.30.2.2 255.255.255.252
  no downtime

  -----------------------------------------------------

  router RIP
  version 2
  Network 10.0.2.0
  network 172.30.2.0

  ------------------------------------------------------
  access-list 102 permit ahp 172.30.1.2 host 172.30.2.2
  access-list 102 permit esp 172.30.1.2 host 172.30.2.2
  access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
  interface fastEthernet 0/1
  IP access-group 102 to

  ------------------------------------------------------
  crypto ISAKMP policy 110
  preshared authentication
  aes encryption
  sha hash
  Group 2
  life 42300

  ------------------------------------------------------
  ISAKMP crypto key cisco123 address 172.30.1.2

  -----------------------------------------------------
  Crypto ipsec transform-set esp - aes 128 R2TS

  ------------------------------------------------------

  access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

  ------------------------------------------------------

  R2VPN 10 ipsec-isakmp crypto map
  match address 101
  defined by peer 172.30.1.2
  PFS Group1 Set
  R2TS transformation game
  86400 seconds, life of security association set
  interface fastEthernet 0/1
  card crypto R2VPN

  I don't know what the problem

  Thank you

  If the RIP is not absolutely necessary for you, try adding the default route to R2:

  IP route 0.0.0.0 0.0.0.0 172.16.2.1

  If you want to use RIP much, add permissions ACL 102:

  access-list 102 permit udp any any eq 520

• IPSec vpn cisco asa and acs 5.1

  We have configured authentication ipsec vpn cisco asa acs 5.1:

  Here is the config in cisco vpn 5580:

  standard access list acltest allow 10.10.30.0 255.255.255.0

  RADIUS protocol AAA-server Gserver

  AAA-server host 10.1.8.10 Gserver (inside)

  Cisco key

  AAA-server host 10.1.8.11 Gserver (inside)

  Cisco key

  internal group gpTest strategy

  gpTest group policy attributes

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list acltest

  type tunnel-group test remote access

  tunnel-group test general attributes

  address localpool pool

  Group Policy - by default-gpTest

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  accounting-server-group Gserver

  IPSec-attributes of tunnel-group test

  pre-shared-key cisco123

  GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.

  When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get

  error:

  22040 wrong password or invalid shared secret

  (pls see picture to attach it)

  the system still works, but I don't know why, we get the error log.

  Thanks for any help you can provide!

  Duyen

  Hello Duyen,

  I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.

  Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:

  authentication-server-group LOCAL Gserver

  authorization-server-group Gserver

  As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.

  Please remove the authorization under the Tunnel of Group:

  No authorization-server-group Gserver

  Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.

  Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.

  I hope this helps.

  Kind regards.

• IPSec VPN to asa 5520

  Hello

  First I must admit that I am not very versed in Cisco equipment or in general IPSEC connections so my apologies if I'm doing something really good obviously stupid, but I checked through any kind of things that I could find on the internet on the configuration of IPSEC VPN.

  The setup I have is an asa 5520 (o/s 8.2) firewall which, for now, is connected to a temporary connection beautiful style home broadband for testing purposes. The netopia router is configured to allow ipsec passthrough and redirect 62515 UDP, TCP 10000, 4500 UDP, UDP 500 ports in the asa 5520.

  I'm trying to connein out of a laptop with disabled windows firewall and vpn cisco 5.0.02.0090 client version.

  I ran several attempts through the ipsec configuration wizard options. most of the time that nothing comes in the newspaper to show that a connection was attempted, but there is a way I can set up product options the following on the firewall log:

  4. Sep 24 2010 | 13: 54:29 | 713903 | Group = VPNtest9, IP = 86.44.x.x, error: cannot delete PeerTblEntry

  5: Sep 24 2010 | 13: 54:29 | 713902 | Group = VPNtest9, IP = 86.44.x.x, drop table homologous counterpart does not, no match!

  6. Sep 24 2010 | 13: 54:21 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:21 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:16 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:16 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  6. Sep 24 2010 | 13: 54:11 | 713905 | Group VPNtest9, IP = 86.44.x.x, P1 = relay msg sent to AM WSF

  3: Sep 24 2010 | 13: 54:11 | 713201 | Group = VPNtest9, IP = 86.44.x.x, double-Phase 1 detected package. Retransmit the last packet.

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  3: Sep 24 2010 | 13: 54:06 | 713257 | 1 failure to phase: incompatibility of types of attributes of class Group Description: RRs would be: Group 2 FCMS would: Group 1

  6. Sep 24 2010 | 13: 54:06 | 302015 | 86.44.x.x | 51905 | 192.168.0.27 | 500 | Built UDP inbound connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) at identity:192.168.0.27/500 (192.168.0.27/500)

  and this, in the journal of customer:

  Cisco Systems VPN Client Version 5.0.02.0090

  Copyright (C) 1998-2007 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 5.1.2600 Service Pack 3

  24 13:54:08.250 24/09/10 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  25 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  26 13:54:08.265 24/09/10 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "213.94.x.x".

  27 13:54:08.437 24/09/10 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 213.94.x.x.

  28 13:54:08.437 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 213.94.x.x

  29 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  30 13:54:08.484 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  31 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  32 13:54:13.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  33 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  34 13:54:18.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  35 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000021

  Retransmit the last package!

  36 13:54:23.484 24/09/10 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (Retransmission) to 213.94.x.x

  37 13:54:28.484 24/09/10 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  38 13:54:28.984 24/09/10 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 36C50ACCE984B0B0 R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

  39 13:54:28.984 24/09/10 Sev = Info/4 CM / 0 x 63100014

  Could not establish the Phase 1 SA with the server '213.94.x.x' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

  40 13:54:28.984 24/09/10 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  41 13:54:28.984 24/09/10 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  42 13:54:28.984 24/09/10 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  43 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  44 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  45 13:54:29.187 24/09/10 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  46 13:54:29.187 24/09/10 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  I have connectivity full http from the internet to a machine inside the asa 5520 so I think that the static routing and NAT'ing should be ok, but I am pleased to provide you with all the details.

  Can you see what I'm doing wrong?

  Thank you

  Sam

  Pls add the following policy:

  crypto ISAKMP policy 10

  preshared authentication

  the Encryption

  md5 hash

  Group 2

  You can also run debug on the ASA:

  debugging cry isa

  debugging ipsec cry

  and retrieve debug output after trying to connect.

• Certificates for IPSEC vpn in ASA 8.0 clients

  Hello!

  I have configured MS CA and I have setup client vpn and ASA 7.0 make tunnel with certificates.

  Same configuration does not work with ASA 8.0 I get the error

  CRYPTO_PKI: Check whether an identical cert is

  already in the database...

  CRYPTO_PKI: looking for cert = d4bb2888, digest = handle

  B8 74 97 f3 bf 25 1 c e5 2nd e5 21 3rd d1 93 15 d6 |... t...%...! >....

  CRYPTO_PKI: Recording of Cert not found, return E_NOT_FOUND

  CRYPTO_PKI: Cert not found in the database.

  CRYPTO_PKI: Looking for suitable trustpoints...

  CRYPTO_PKI: Found a suitable trustpoint authenticated A1.

  CRYPTO_PKI (make trustedCerts list) CRYPTO_PKI:check_key_usage: KeyUsage Incorrect

  (40)

  CRYPTO_PKI: Validation of certificate: State failure: 1873. Any attempt of recovery

  If necessary revocation status

  ERROR: Certificate validation failed. Peer certificate's key usage is not valid, ser

  Number of the IAL: 250F3ECE0000000009AF, name of the object: cn = xxxxx, unit of organization = xxxx, o = xxxxx, c =

  XX

  CRYPTO_PKI: Certificate not validated

  Why the use of the key is invalid? What model of certificate must be used in MS in order to get a regular use of the key?

  The schooling of CA's Terminal.

  Thank you!

  The cert needs to have defined Digital Signature key usage.

  Don't know what models are available on MS, but it should be something like "User Ipsec" I guess.

  Make 8 ASA behave like ASA 7 (i.e. disable th control on the use of the key of the cert), configure:

  Crypto ca trustpoint

  ignore-ipsec-keyusage

• IP Phone/Android IPSEC VPN to ASA using AnyConnect

  With course of Blackberry support in our Organization, we are eager to implement, configure, and deploy a vpn to access remote ipsec Ikev2 of our ASA 5540 9.1 (5) 19 (license Premium VPN) for the iphone and android.

  Was so fair to ask is - it possible, if it is possible, what is the best approach to take, and if someone has a recommended best practices?

  And do we need to purchase several licenses for AnyConnect for Mobile?

  As looked at loads of documentation, but have I just more confused.

  So, any help much appreciated.

  Thank you

  NESSIE

  Hi Nessie,

  Please visit the link for more details below:

  http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...

  Link below shows the license you need for ASA for anyconnect on mobile devices.

  http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

  Kind regards

  Kanwal

  Note: Please check if they are useful.

• IPSec VPN between ASAs with same subnet for disaster recovery

  Hello

  I need some clarification from you guys.

  To do disaster EasyVPN tunnels for the Cisco ASA 5505 firewall recovery site. Now, there is only one main site and 3 remote sites.

  Dr., must use the same subnet that it is on the main site because virtual machines Vmware will be replicated to DR.

  For the DR we use Double-Take software.

  What is the best solution for this? I think we could use NAT of Destination on ASAs. Other sites (HQ and remote control) will be directed to only address NAT of the

  DR and not real which is the same as on the main site.

  So guys, will this work? We are using IPSec VPN? In packet - trace on ASA, I see that the package is the first using a NAT, and then encrypted, so it should work, Yes?

  I hope someone can confirm this.

  I can confirm that this will work certainly,

  for prior type natting see 8.3:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag

  for 8.3 and later it is also achievable.

• Site to Site VPN problem ASA 5505

  Hello

  I have a strange problem with a site to site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and access the remote network across the tunnel.

  For some reason, I can access the remote network of only two of the three internal networkls that I've specified.

  Here is a copy of my config - if anyone has any info I would be happy of course.

  Thank you

  Kevin

  FK - U host name. S. - Raleigh - ASA
  domain appdrugs.com
  activate 08PI8zPL2UE41XdH encrypted password
  2KFQnbNIdI.2KYOU encrypted passwd
  names of
  name Maridian-primary-Net 192.168.237.0
  Meridian-backup-Net 192.168.237.128 name
  name 10.239.192.141 AccessSwitch1IDFB
  name 10.239.192.143 AccessSwitch1IDFC
  name 10.239.192.140 AccessSwitch1MDFA
  name 10.239.192.142 AccessSwitch2IDFB
  name CiscoCallManager 10.195.64.206
  name 10.239.192.2 CoreSwitch1
  name 10.239.192.3 CoreSwitch2
  name 10.195.64.17 UnityVM
  name 140.239.116.162 Outside_Interface
  name 65.118.69.251 Meridian-primary-VPN
  name 65.123.23.194 Meridian_Backup_VPN
  DNS-guard
  !
  interface Ethernet0/0
  Shutdown
  No nameif
  security-level 100
  no ip address
  !
  interface Ethernet0/1
  nameif outside
  security-level 60
  address IP Outside_Interface 255.255.255.224
  !
  interface Ethernet0/2
  nameif Inside1
  security-level 100
  IP 10.239.192.7 255.255.255.128
  !
  interface Ethernet0/3
  Shutdown
  No nameif
  no level of security
  no ip address
  !
  interface Management0/0
  nameif management
  security-level 50
  IP 192.168.1.1 255.255.255.0
  management only
  !
  boot system Disk0: / asa804 - k8.bin
  Disk0: / asa804.bin starting system
  passive FTP mode
  DNS domain-lookup outside
  DNS domain-lookup Inside1
  management of the DNS domain-lookup service
  DNS server-group DefaultDNS
  Server name 10.239.192.10
  domain appdrugs.com
  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface
  the DM_INLINE_NETWORK_1 object-group network
  object-network 10.195.64.0 255.255.255.0
  object-network 10.239.192.0 255.255.255.0
  object-network 10.239.192.128 255.255.255.128
  object-group service DM_INLINE_SERVICE_1
  the purpose of the ip service
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  the DM_INLINE_NETWORK_2 object-group network
  object-network 10.195.64.0 255.255.255.0
  object-network 10.239.192.0 255.255.255.128
  object-network 10.239.192.128 255.255.255.128
  the DM_INLINE_NETWORK_3 object-group network
  network-object 10.195.64.0 255.255.255.192
  object-network 10.239.192.0 255.255.255.128
  object-network 10.239.192.128 255.255.255.128
  the DM_INLINE_NETWORK_5 object-group network
  Maridian-primary-Net network object 255.255.255.128
  Meridian-backup-Net network object 255.255.255.128
  the DM_INLINE_NETWORK_6 object-group network
  Maridian-primary-Net network object 255.255.255.128
  Meridian-backup-Net network object 255.255.255.128
  object-group network Vital-network-hardware-access
  host of the object-Network UnityVM
  host of the CiscoCallManager object-Network
  host of the object-Network AccessSwitch1MDFA
  host of the object-Network AccessSwitch1IDFB
  host of the object-Network AccessSwitch2IDFB
  host of the object-Network AccessSwitch1IDFC
  host of the object-Network CoreSwitch1
  host of the object-Network CoreSwitch2
  object-group service RDP - tcp
  EQ port 3389 object
  the DM_INLINE_NETWORK_7 object-group network
  Maridian-primary-Net network object 255.255.255.128
  Meridian-backup-Net network object 255.255.255.128
  host of network-object Meridian-primary-VPN
  host of the object-Network Meridian_Backup_VPN
  the DM_INLINE_NETWORK_9 object-group network
  host of the object-Network Outside_Interface
  Group-object Vital-equipment-access to the network
  object-group service DM_INLINE_SERVICE_2
  will the service object
  ESP service object
  the purpose of the service ah
  the eq isakmp udp service object
  object-group service DM_INLINE_SERVICE_3
  ICMP service object
  the purpose of the echo icmp message service
  response to echo icmp service object
  the DM_INLINE_NETWORK_4 object-group network
  object-network 10.195.64.0 255.255.255.0
  object-network 10.239.192.0 255.255.255.128
  object-network 10.239.192.128 255.255.255.128
  the DM_INLINE_NETWORK_8 object-group network
  object-network 10.195.64.0 255.255.255.0
  object-network 10.239.192.0 255.255.255.128
  object-network 10.239.192.128 255.255.255.128
  Outside_access_in list extended access permit icmp any any echo response
  Access extensive list Maridian-primary-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_8 object-group enable
  Access extensive list Meridian-backup-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_3 object-group enable
  Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
  Access extensive list ip 10.239.192.0 Inside_nat0_outbound allow Maridian-primary-Net 255.255.255.0 255.255.255.128
  Inside_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
  Inside1_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
  Inside1_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 ip
  Inside1_nat0_outbound list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
  Access extensive list ip 10.239.192.0 Inside1_nat0_outbound allow 255.255.255.0 10.239.199.0 255.255.255.192
  Access extensive list ip 10.195.64.0 Inside1_nat0_outbound allow 255.255.255.192 10.239.199.0 255.255.255.192
  Inside1_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
  Outside_1_cryptomap list extended access allowed object-group DM_INLINE_SERVICE_1-DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 objects
  Outside_2_cryptomap list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
  permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.0 255.255.255.128
  permitted access Vital-network-Access_splitTunnelAcl-list standard 10.195.64.0 255.255.255.0
  permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.128 255.255.255.128
  Access extensive list ip 10.239.199.0 Vital_VPN allow 255.255.255.192 object-group Vital-equipment-access to the network
  Vital_VPN list extended access allow icmp 10.239.199.0 255.255.255.192 object-group Vital-equipment-access to the network
  Vital_VPN of access allowed any ip an extended list
  Outside_cryptomap_1 list extended access allowed object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128 ip
  access list Vital-Site-to-site access extended allow ip object-DM_INLINE_NETWORK_5 group Vital-network-hardware-access object
  Vital-Site-to-Site-access extended access list permits object-group DM_INLINE_SERVICE_3-group of objects DM_INLINE_NETWORK_6 object-group Vital-equipment-access to the network
  Vital-Site-to-Site-access extended access list permits object-group objects object-group DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_7 DM_INLINE_SERVICE_2-group
  pager lines 24
  Enable logging
  exploitation forest asdm warnings
  Outside 1500 MTU
  MTU 1500 Inside1
  management of MTU 1500
  mask IP local pool access remote 10.239.199.11 - 10.239.199.62 255.255.255.192
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 621.bin
  don't allow no asdm history
  ARP timeout 14400
  Global (1 interface external)
  NAT (Inside1) 0-list of access Inside1_nat0_outbound
  NAT (Inside1) 1 10.0.0.0 255.0.0.0
  Access-group Outside_access_in in interface outside
  Access-group Inside1_access_in in interface Inside1
  Route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
  Route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
  Route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
  Route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
  Route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
  Route out of the Maridian-primary-Net 255.255.255.0 Outside_Interface 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  dynamic-access-policy-registration DfltAccessPolicy
  Enable http server
  http 66.104.209.192 255.255.255.224 outside
  http 192.168.1.0 255.255.255.0 management
  http 10.239.172.0 255.255.252.0 Inside1
  SNMP-server host Inside1 10.239.132.225 community appfirestarter * #*.
  location of Server SNMP Raleigh
  contact Server SNMP Kevin mcdonald
  Server SNMP community appfirestarter * #*.
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Server SNMP traps enable entity config change
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
  Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
  cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
  card crypto Outside_map 1 corresponds to the address Outside_cryptomap_1
  card crypto Outside_map 1 peer set VPN-primary-Meridian
  Outside_map 1 transform-set ESP-3DES-MD5 crypto card game
  card crypto Outside_map 1 defined security-association life seconds 28800
  card crypto Outside_map 1 set security-association kilobytes of life 4608000
  card crypto Outside_map 2 corresponds to the address Outside_2_cryptomap
  card crypto Outside_map 2 set peer Meridian_Backup_VPN
  map Outside_map 2 game of transformation-ESP-3DES-MD5 crypto
  card crypto Outside_map 2 defined security-association life seconds 28800
  card crypto Outside_map 2 set security-association kilobytes of life 4608000
  card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
  Outside_map interface card crypto outside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 5
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400
  crypto ISAKMP policy 30
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH timeout 5
  Console timeout 0
  outside access management
  management of 192.168.1.2 - dhcpd address 192.168.1.254
  enable dhcpd management
  !
  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  WebVPN
  allow outside
  tunnel-group-list activate
  internal strategy of State civil-access to the network group
  Group Policy attributes Vital access to the network
  value of server DNS 10.239.192.10
  value of VPN-filter Vital_VPN
  Protocol-tunnel-VPN IPSec webvpn
  Split-tunnel-policy tunnelspecified
  Split-tunnel-network-list value vital-network-Access_splitTunnelAcl
  value of remote access address pools
  internal state civil-Site-to-Site-GroupPolicy group strategy
  Civil-site-a-site-grouppolicy-strategie status of group attributes
  value of VPN-filter Vital-Site-to-Site-access
  Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
  username APPRaleigh encrypted password m40Ls2r9N918trxp
  username APPRaleigh attributes
  VPN-group-policy Vital-network access
  type of remote access service
  username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
  tunnel-group 65.118.69.251 type ipsec-l2l
  tunnel-group 65.118.69.251 General-attributes
  Group Policy - by Defaut-vital-site-a-site-grouppolicy
  IPSec-attributes tunnel-group 65.118.69.251
  pre-shared-key *.
  tunnel-group 65.123.23.194 type ipsec-l2l
  tunnel-group 65.123.23.194 General-attributes
  Group Policy - by Defaut-vital-site-a-site-grouppolicy
  IPSec-attributes tunnel-group 65.123.23.194
  pre-shared-key *.
  remote access of type tunnel-group Vital access to the network
  tunnel-group Vital access to the network general-attributes
  Access to distance-address pool
  Group Policy - by default-state civilian access to the network
  tunnel-group Vital access to the network ipsec-attributes
  pre-shared-key *.
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns migrated_dns_map_1
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the migrated_dns_map_1 dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  !
  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:a080b1759b57190ba65d932785ad4967
  : end

  can you confirm if we have the exact reflection of crypto acl at the other end

  I feel may be you have a 24 10.239.192.0 255.255.255.0 on the other end in the remote network

  can you please confirm that

  also a reason, why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0

• Client VPN Cisco ASA 5505 Cisco 1841 router

  Hello. I'm doing a connection during a cisco vpn client and a vpn on one server asa 5505 behind a 1841 router (internet adsl2 + and NAT router).

  My topology is almost as follows

  customer - tunnel - 1841 - ASA - PC

  ASA is the endpoint vpn (outside interface) device. I forward udp port 500 and 4500 on my router to the ASA and the tunnel rises. I exempt nat'ting on the asa and the router to the IP in dhcp vpn pool. I can connect to my tunnel but I can't "see" anything in the internal network. I allowed all traffic from the outside inwards buy from the ip vpn pool and I still send packets through the tunnel and I get nothing. I take a look at the statistics on the vpn client and I 2597 bytes (ping traffic) and there are no bytes. Any idea?

  Where you you logged in when you took the "crypto ipsec to show his"? If this isn't the case then try again, also this option allows IPSEC over UDP 4500 and it is disabled, enable it.

  ISAKMP nat-traversal crypto

  Just enter the command as it is, then try to connect again after activation of this option and get the same result to see the.

• Error of customer Cisco VPN connection ASA 5505

  I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.

  CISCO VPN CLIENT LOG

  Cisco Systems VPN Client Version 5.0.06.0160

  Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 6.1.7600

  Config files directory: C:\Program Cisco Systems Client\

  1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "71.xx.xx.253".

  4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B

  Attempts to establish a connection with 71.xx.xx.253.

  5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001

  From IKE Phase 1 negotiation

  6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253

  7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

  9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer is a compatible peer Cisco-Unity

  10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports XAUTH

  11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports the DPD

  12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports NAT - T

  13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001

  Peer supports fragmentation IKE payloads

  14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001

  IOS Vendor ID successful construction

  15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253

  16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055

  Sent a keepalive on the IPSec Security Association

  17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083

  IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194

  18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072

  Automatic NAT detection status:

  Remote endpoint is NOT behind a NAT device

  This effect is behind a NAT device

  19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

  20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

  21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E

  Customer address a request from firewall to hub

  22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

  23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1

  26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0

  27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250

  28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251

  29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000

  30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA

  31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

  32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45

  33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

  34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

  35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019

  Data in mode Config received

  36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056

  Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

  37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253

  38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

  40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify has value of 86400 seconds

  41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047

  This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now

  42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

  44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

  45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049

  IPsec security association negotiation made scrapped, MsgID = 89EE7032

  46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

  47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = 71.xx.xx.253

  48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058

  Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8

  49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

  50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

  51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012

  ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

  52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  ----------------------------------------------------------------------------------------

  ASA 5505 CONFIG

  : Saved

  :

  ASA Version 8.2 (1)

  !

  ciscoasa hostname

  domain masociete.com

  activate tdkuTUSh53d2MT6B encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 172.26.0.252 255.255.0.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 71.xx.xx.253 255.255.255.240

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  clock timezone IS - 5

  clock to summer time EDT recurring

  DNS server-group DefaultDNS

  domain masociete.com

  access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA

  Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0

  outside_access_in list extended access permit icmp any one

  outside_access_in list extended access udp allowed any any eq 4500

  outside_access_in list extended access udp allowed any any eq isakmp

  outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp

  outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389

  inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240

  inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask

  ICMP unreachable rate-limit 1 burst-size 1

  enable ASDM history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0

  static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

  static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

  Access-group outside_access_in in interface outside

  Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  Enable http server

  http 172.26.0.0 255.255.0.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 30

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd outside auto_config

  !

  no basic threat threat detection

  no statistical access list - a threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server WINS 172.26.0.250 172.26.0.251

  value of 172.26.0.250 DNS server 172.26.0.251

  Protocol-tunnel-VPN IPSec l2tp ipsec svc

  value by default-field TLCUSA

  internal LIMUVPNPOL1 group policy

  LIMUVPNPOL1 group policy attributes

  value of 172.26.0.250 DNS server 172.26.0.251

  VPN-idle-timeout 30

  Protocol-tunnel-VPN IPSec l2tp ipsec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list LIMU_Split_Tunnel_List

  the address value VPN_POOL pools

  internal TLCVPNGROUP group policy

  TLCVPNGROUP group policy attributes

  value of 172.26.0.250 DNS server 172.26.0.251

  Protocol-tunnel-VPN IPSec l2tp ipsec svc

  Re-xauth disable

  enable IPSec-udp

  value by default-field TLCUSA

  barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0

  username barry.julien attributes

  VPN-group-policy TLCVPNGROUP

  Protocol-tunnel-VPN IPSec l2tp ipsec

  bjulien bhKBinDUWhYqGbP4 encrypted password username

  username bjulien attributes

  VPN-group-policy TLCVPNGROUP

  attributes global-tunnel-group DefaultRAGroup

  address VPN_POOL pool

  Group Policy - by default-DefaultRAGroup

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared-key *.

  tunnel-group DefaultRAGroup ppp-attributes

  no authentication ms-chap-v1

  ms-chap-v2 authentication

  type tunnel-group TLCVPNGROUP remote access

  attributes global-tunnel-group TLCVPNGROUP

  address VPN_POOL pool

  Group Policy - by default-TLCVPNGROUP

  IPSec-attributes tunnel-group TLCVPNGROUP

  pre-shared-key *.

  ISAKMP ikev1-user authentication no

  tunnel-group TLCVPNGROUP ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

  : end

  enable ASDM history

  can you try to change the transformation of dynamic value ESP-3DES-SHA map.

  for example

  remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5

  and replace with

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

• Cannot connect to internet after connecting to VPN Cisco ASA 5505

  Hi all

  I am an engineer of network, but haven't had any Experinece in the firewall for the moment, I'm under pressure to take care of a ASA 5505 were all VPN and incoming and out of bounds have been set up, recently I've had a few changes and re made the change, but unfortunately, he took some configurations that are ment for VPN now I am facing a problem,

  VPN connection, but impossible to navigate on the internet is my problem, I tried inheriting tunneli Split, but I coudnt get through it seems, I did something in a bad way, I use here for most ASDM,.

  I paste the Configuration for the investigation, although he's trying to help me.

  ASA Version 8.0(4)16 ! hostname yantraind domain-name yantra.intra enable password vD1.re9JLbigXJxz encrypted passwd hVjSWvtgvNN21M./ encrypted names ! interface Vlan2 nameif outside security-level 0 ip address Outside_Interface 255.255.255.240 ospf cost 10 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 2 ! interface Ethernet0/6 switchport access vlan 2 shutdown ! interface Ethernet0/7 switchport access vlan 2 shutdown ! boot system disk0:/asa804-16-k8.bin boot system disk0:/asa724-k8.bin ftp mode passive clock timezone GMT 0 dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 192.168.0.106 name-server 192.168.0.10 domain-name yantra.intra same-security-traffic permit intra-interface object-group service Email_In tcp port-object eq https port-object eq pop3 port-object eq smtp object-group service DM_INLINE_TCP_2 tcp port-object eq ftp port-object eq ftp-data port-object eq www object-group service RDP tcp port-object eq 3389 object-group service DM_INLINE_SERVICE_1 service-object icmp service-object icmp traceroute object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service voip udp port-object eq domain object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data access-list outside_access_in extended permit tcp any host  object-group Email_In access-list outside_access_in extended permit tcp any host FTP_Server_Ext object-group DM_INLINE_TCP_1 access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit tcp any host ForSLT eq www access-list outside_access_in extended permit tcp any host Search object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit tcp any host IMIPublic eq www access-list outside_access_in extended permit tcp any host eq www access-list outside_access_in extended permit tcp any host SLT_New_Public eq www access-list outside_access_in extended permit object-group TCPUDP any host 202.133.48.68 eq www access-list rvpn_stunnel standard permit 192.168.0.0 255.255.255.0 access-list rvpn_stunnel standard permit 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list nat0 extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list nat0 extended permit ip host IT_DIRECT 192.168.0.0 255.255.255.0 access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in extended deny object-group TCPUDP host 192.168.0.252 202.133.48.64 255.255.255.240 access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 COLO 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 24 logging enable logging timestamp logging console debugging logging buffered debugging logging trap debugging logging history emergencies logging asdm debugging logging host inside 192.168.0.187 logging permit-hostdown logging class ip buffered emergencies mtu inside 1500 mtu outside 1500 ip local pool rvpn-ip 192.168.100.1-192.168.100.25 mask 255.255.255.0 ip verify reverse-path interface inside ip verify reverse-path interface outside no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any traceroute outside asdm image disk0:/asdm-61551.bin no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list nat0 nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) netmask 255.255.255.255 dns static (inside,outside) FTP_Server_Ext FTP_Server_Int netmask 255.255.255.255 dns static (inside,outside) ForSLT SLT_New netmask 255.255.255.255 static (inside,outside) Search LocalSearch netmask 255.255.255.255 static (inside,outside) IMIPublic IMI netmask 255.255.255.255 static (inside,outside) SLT_New_Public SLT_Local netmask 255.255.255.255 static (inside,outside) netmask 255.255.255.255 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 202.133.48.65 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication http console LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.0.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map rvpn_map 65535 set pfs crypto dynamic-map rvpn_map 65535 set transform-set ESP-3DES-SHA crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer  crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 2 match address outside_cryptomap crypto map outside_map 2 set pfs crypto map outside_map 2 set peer crypto map outside_map 2 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic rvpn_map crypto map outside_map interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=yantraind proxy-ldc-issuer crl configure crypto ca server shutdown crypto ca certificate chain ASDM_TrustPoint0 certificate f8684749     30820252 308201bb a0030201 020204f8 68474930 0d06092a 864886f7 0d010104     0500303b 31123010 06035504 03130979 616e7472 61696e64 31253023 06092a86     4886f70d 01090216 1679616e 74726169 6e642e79 616e7472 612e696e 74726130     1e170d30 38313231 36303833 3831365a 170d3138 31323134 30383338 31365a30     3b311230 10060355 04031309 79616e74 7261696e 64312530 2306092a 864886f7     0d010902 16167961 6e747261 696e642e 79616e74 72612e69 6e747261 30819f30     0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00f6d1d0 d536624d     de9e4a2e 215a3986 98087e65 be9f6c0f b8f6dc3e 151c5603 21afdebe 85b2917b     297b1d1c b3abf5c6 628afbbe dda1ca27 01282aff 6514f62f 2965c87c 8aab0273     ab59dac6 aa9f549b 846d93fd 44c7f84f b29545bb d0db8bbb 060dfbbf 592a15e3     3db126be 541003c4 38754847 0b472e62 d092fec2 d556f9e3 09020301 0001a363     3061300f 0603551d 130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403     02018630 1f060355 1d230418 30168014 9f66b685 2ebf0d5a 97a684ba 9a9518ca     a8ed637e 301d0603 551d0e04 1604149f 66b6852e bf0d5a97 a684ba9a 9518caa8     ed637e30 0d06092a 864886f7 0d010104 05000381 81003b49 2a7ee503 79b47792     6ce90453 70cf200e 943eccd7 deab53e0 2348d566 fe6aa8e0 302b922c 12df802d     398674f3 b1bc55f2 fe2646d5 c59689c2 c6693b0f 14081661 bafb233b 1b296708     fc2b6cbb ba1a005e 37073d72 4156b582 4521e673 ba6c7f7d 2d6941c4 9e076c39     73de21b9 712f69ed 7aab4bda 365d7eb3 39c05d27 e2dd   quit crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 192.168.0.0 255.255.255.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh timeout 15 ssh version 2 console timeout 0 dhcpd address 192.168.0.126-192.168.0.150 inside dhcpd dns 192.168.0.106 192.168.0.10 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 webvpn group-policy DfltGrpPolicy attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec l2tp-ipsec svc split-dns value 192.168.0.106 group-policy rvpn internal group-policy rvpn attributes dns-server value 192.168.0.106 vpn-tunnel-protocol IPSec webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value rvpn_stunnel default-domain value yantra.intra username rreddy password 6p4HjBmf02hqbnrL encrypted privilege 15 username bsai password 41f5/8EINw6VQ5Os encrypted username bsai attributes service-type remote-access username Telnet password U.eMKTkIYZQA83Al encrypted privilege 15 username prashantt password BdrzfvDcOsnHBIdz encrypted username prashantt attributes service-type remote-access username m.shiva password p5YdC3kTJcnceaT/ encrypted username m.shiva attributes service-type remote-access username Senthil password qKYIiJ9NmC8NYvCA encrypted username Senthil attributes service-type remote-access username agupta password p3slrWEH1ye5/P2u encrypted username agupta attributes service-type remote-access username Yogesh password uQ3pfHI2wLvg8B8. encrypted username Yogesh attributes service-type remote-access username phanik password inZN0zXToeeR9bx. encrypted username phanik attributes service-type remote-access username murali password Ckpxwzhdj5RRu2tF encrypted privilege 15 username mgopi password stAEoJodb2CfgruZ encrypted privilege 15 username bill password Z1KSXIEPQkLN3OdQ encrypted username bill attributes service-type remote-access username Shantala password aCvfO5/PcsZc3Z5S encrypted username Shantala attributes service-type remote-access username maheshm password Fry56.leIsT9VHsv encrypted username maheshm attributes service-type remote-access username dhanj password zotUI9D6WWrMAh8T encrypted username dhanj attributes service-type remote-access username npatel password vOfMuOZg0vSkICyF encrypted username npatel attributes service-type remote-access username bmandakini password Y5UZuahgr6vd6ccE encrypted username bmandakini attributes service-type remote-access tunnel-group rvpn type remote-access tunnel-group rvpn general-attributes address-pool rvpn-ip tunnel-group rvpn ipsec-attributes pre-shared-key * tunnel-group  type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * tunnel-group type ipsec-l2l tunnel-group  ipsec-attributes pre-shared-key * ! class-map global-class match default-inspection-traffic class-map inspection_default ! ! policy-map global_policy policy-map global-policy class global-class   inspect esmtp   inspect sip    inspect pptp   inspect ftp   inspect ipsec-pass-thru ! service-policy global-policy global prompt hostname context Cryptochecksum:7042504fefd0d22ce4de7f6fa4da14fa : end 

  Thanking you in advance

  Hello

  If you want to have Split-tunnelin in use. One you have patterns for.

  Then you will need to fix the configured "private group policy" under the "tunnel - private-group

  tunnel-group private general-attributes

  strategy - by default-private group

  Then reconnect the VPN Client connection and try again.

  After that the VPN Client connection only transmits traffic directed to the LAN on the VPN Client connection and all Internet traffic beyond the VPN connection directly to the Internet through the current connection of the users.

  -Jouni

• Problem with remote access VPN on ASA 5505

  I currently have a problem of an ASA 5505 configuration to connect via VPN remote access by using the Cisco VPN Client 5.0.07.0440 under Windows 8 Pro x 64. The VPN client will prompt you for the user name and password during the connection process, but fails soon after.

  The VPN client connects is as follows:

  ---------------------------------------------------------------------------------------------------------------------------------------

  Cisco Systems VPN Client Version 5.0.07.0440

  Copyright (C) 1998-2010 Cisco Systems, Inc.. All rights reserved.

  Customer type: Windows, Windows NT

  Running: 6.2.9200

  2 15:09:21.240 11/12/12 Sev = Info/4 CM / 0 x 63100002

  Start the login process

  3 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100004

  Establish a secure connection

  4 15:09:21.287 11/12/12 Sev = Info/4 CM / 0 x 63100024

  Attempt to connect with the server "*." **. ***. *** »

  5 15:09:21.287 11/12/12 Sev = Info/6 IKE/0x6300003B

  Try to establish a connection with *. **. ***. ***.

  6 15:09:21.287 11/12/12 Sev = Info/4 IKE / 0 x 63000001

  From IKE Phase 1 negotiation

  7 15:09:21.303 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) to *. **. ***. ***

  8 15:09:21.365 11/12/12 Sev = Info/6 GUI/0x63B00012

  Attributes of the authentication request is 6: 00.

  9 15:09:21.334 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  10 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">

  11 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer is a compatible peer Cisco-Unity

  12 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports XAUTH

  13 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports the DPD

  14 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports NAT - T

  15 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000001

  Peer supports fragmentation IKE payloads

  16 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000001

  IOS Vendor ID successful construction

  17 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) to *. **. ***. ***

  18 15:09:21.334 11/12/12 Sev = Info/6 IKE / 0 x 63000055

  Sent a keepalive on the IPSec Security Association

  19 15:09:21.334 11/12/12 Sev = Info/4 IKE / 0 x 63000083

  IKE port in use - Local Port = 0xFBCE, Remote Port = 0 x 1194

  20 15:09:21.334 11/12/12 Sev = Info/5 IKE / 0 x 63000072

  Automatic NAT detection status:

  Remote endpoint is NOT behind a NAT device

  This effect is behind a NAT device

  21 15:09:21.334 11/12/12 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 0 IKE SA authenticated user in the system

  22 15:09:21.365 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  23 15:09:21.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  24 15:09:21.365 11/12/12 Sev = Info/4 CM / 0 x 63100015

  Launch application xAuth

  25 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700008

  IPSec driver started successfully

  26 15:09:21.474 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  27 15:09:27.319 11/12/12 Sev = Info/4 CM / 0 x 63100017

  xAuth application returned

  28 15:09:27.319 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  29 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  30 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  31 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  32 15:09:27.365 11/12/12 Sev = Info/4 CM/0x6310000E

  ITS established Phase 1.  1 crypto IKE Active SA, 1 IKE SA authenticated user in the system

  33 15:09:27.365 11/12/12 Sev = Info/5 IKE/0x6300005E

  Customer address a request from firewall to hub

  34 15:09:27.365 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to *. **. ***. ***

  35 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  36 15:09:27.397 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">

  37 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 192.168.2.70

  38 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.255.0

  39 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 192.168.2.1

  40 15:09:27.397 11/12/12 Sev = Info/5 IKE / 0 x 63000010

  MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 8.8.8.8

  41 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000001

  42 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = NCHCO

  43 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000

  44 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000E

  MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (5) built by manufacturers on Saturday, May 20, 11 16:00

  45 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001

  46 15:09:27.397 11/12/12 Sev = Info/5 IKE/0x6300000D

  MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194

  47 15:09:27.397 11/12/12 Sev = Info/4 CM / 0 x 63100019

  Data in mode Config received

  48 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000056

  Received a request from key driver: local IP = 192.168.2.70, GW IP = *. **. ***. remote IP address = 0.0.0.0

  49 15:09:27.412 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK QM * (HASH, SA, NO, ID, ID) to *. **. ***. ***

  50 15:09:27.444 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  51 15:09:27.444 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">

  52 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000045

  Answering MACHINE-LIFE notify has value of 86400 seconds

  53 15:09:27.444 11/12/12 Sev = Info/5 IKE / 0 x 63000047

  This SA was already alive for 6 seconds, setting expiration 86394 seconds now

  54 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  55 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

  56 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000013

  SEND to > ISAKMP OAK INFO *(HASH, DEL) to *. **. ***. ***

  57 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000049

  IPsec security association negotiation made scrapped, MsgID = CE99A8A8

  58 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000017

  Marking of IKE SA delete (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

  59 15:09:27.459 11/12/12 Sev = Info/5 IKE/0x6300002F

  Received packet of ISAKMP: peer = *. **. ***. ***

  60 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000058

  Received an ISAKMP for a SA message no assets, I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924

  61 15:09:27.459 11/12/12 Sev = Info/4 IKE / 0 x 63000014

  RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">

  62 15:09:27.490 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  63 15:09:30.475 11/12/12 Sev = Info/4 IKE/0x6300004B

  IKE negotiation to throw HIS (I_Cookie = A3A341F1C7606AD5 R_Cookie = F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED

  64 15:09:30.475 11/12/12 Sev = Info/4 CM / 0 x 63100012

  ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED".  Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system

  65 15:09:30.475 11/12/12 Sev = Info/5 CM / 0 x 63100025

  Initializing CVPNDrv

  66 15:09:30.475 11/12/12 Sev = Info/6 CM / 0 x 63100046

  Set indicator established tunnel to register to 0.

  67 15:09:30.475 11/12/12 Sev = Info/4 IKE / 0 x 63000001

  Signal received IKE to complete the VPN connection

  68 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  69 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  70 15:09:30.475 11/12/12 Sev = Info/4 IPSEC / 0 x 63700014

  Remove all keys

  71 15:09:30.475 11/12/12 Sev = Info/4 IPSEC/0x6370000A

  IPSec driver successfully stopped

  ---------------------------------------------------------------------------------------------------------------------------------------

  The running configuration is the following (there is a VPN site-to-site set up as well at an another ASA 5505, but that works perfectly):

  : Saved

  :

  ASA Version 8.2 (5)

  !

  hostname NCHCO

  Select hTjwXz/V8EuTw9p9 of encrypted password

  hTjwXz/V8EuTw9p9 of encrypted passwd

  names of

  description of NCHCO name 192.168.2.0 City offices

  name 192.168.2.80 VPN_End

  name 192.168.2.70 VPN_Start

  !

  interface Ethernet0/0

  switchport access vlan 2

  Speed 100

  full duplex

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.2.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address **. ***. 255.255.255.248

  !

  boot system Disk0: / asa825 - k8.bin

  passive FTP mode

  access extensive list ip NCHCO 255.255.255.0 outside_nat0_outbound allow 192.168.1.0 255.255.255.0

  access extensive list ip NCHCO 255.255.255.0 inside_nat0_outbound allow 192.168.1.0 255.255.255.0

  inside_nat0_outbound list of allowed ip extended access all 192.168.2.64 255.255.255.224

  access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap allow 192.168.1.0 255.255.255.0

  access extensive list ip NCHCO 255.255.255.0 outside_1_cryptomap_1 allow 192.168.1.0 255.255.255.0

  Standard access list LAN_Access allow NCHCO 255.255.255.0

  LAN_Access list standard access allowed 0.0.0.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  mask of VPN_Pool VPN_Start VPN_End of local pool IP 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 645.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  NAT (outside) 0-list of access outside_nat0_outbound

  Route outside 0.0.0.0 0.0.0.0 74.219.208.49 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  network-acl outside_nat0_outbound

  WebVPN

  SVC request to enable default svc

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  http *. **. ***. 255.255.255.255 outside

  http 74.218.158.238 255.255.255.255 outside

  http NCHCO 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac l2tp-transform

  Crypto ipsec transform-set l2tp-transformation mode transit

  Crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA

  Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  crypto dynamic-map dyn-map 10 set pfs Group1

  crypto dynamic-map dyn-map transform 10-set, vpn l2tp-transformation-transformation

  dynamic-map encryption dyn-map 10 value reverse-road

  Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  peer set card crypto outside_map 1 74.219.208.50

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  map outside_map 20-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  inside crypto map inside_map interface

  card crypto vpn-map 1 match address outside_1_cryptomap_1

  card crypto vpn-card 1 set pfs Group1

  set vpn-card crypto map peer 1 74.219.208.50

  card crypto vpn-card 1 set of transformation-ESP-3DES-SHA

  dynamic vpn-map 10 dyn-map ipsec isakmp crypto map

  crypto isakmp identity address

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  md5 hash

  Group 2

  life 86400

  crypto ISAKMP policy 15

  preshared authentication

  aes-256 encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP policy 35

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  crypto ISAKMP ipsec-over-tcp port 10000

  enable client-implementation to date

  Telnet 192.168.1.0 255.255.255.0 inside

  Telnet NCHCO 255.255.255.0 inside

  Telnet timeout 5

  SSH 192.168.1.0 255.255.255.0 inside

  SSH NCHCO 255.255.255.0 inside

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.2.150 - 192.168.2.225 inside

  dhcpd dns 216.68.4.10 216.68.5.10 interface inside

  lease interface 64000 dhcpd inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  internal DefaultRAGroup group strategy

  attributes of Group Policy DefaultRAGroup

  value of server DNS 192.168.2.1

  Protocol-tunnel-VPN IPSec l2tp ipsec

  nchco.local value by default-field

  attributes of Group Policy DfltGrpPolicy

  value of server DNS 192.168.2.1

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  allow password-storage

  enable IPSec-udp

  enable dhcp Intercept 255.255.255.0

  the address value VPN_Pool pools

  internal NCHVPN group policy

  NCHVPN group policy attributes

  value of 192.168.2.1 DNS Server 8.8.8.8

  Protocol-tunnel-VPN IPSec l2tp ipsec

  value by default-field NCHCO

  admin LbMiJuAJjDaFb2uw encrypted privilege 15 password username

  username privilege 15 encrypted password yB1lHEVmHZGj5C2Z 8njferg

  username, encrypted NCHvpn99 QhZZtJfwbnowceB7 password

  attributes global-tunnel-group DefaultRAGroup

  address (inside) VPN_Pool pool

  address pool VPN_Pool

  authentication-server-group (inside) LOCAL

  authentication-server-group (outside LOCAL)

  LOCAL authority-server-group

  authorization-server-group (inside) LOCAL

  authorization-server-group (outside LOCAL)

  Group Policy - by default-DefaultRAGroup

  band-Kingdom

  band-band

  IPSec-attributes tunnel-group DefaultRAGroup

  pre-shared key *.

  NOCHECK Peer-id-validate

  tunnel-group DefaultRAGroup ppp-attributes

  No chap authentication

  no authentication ms-chap-v1

  ms-chap-v2 authentication

  tunnel-group DefaultWEBVPNGroup ppp-attributes

  PAP Authentication

  ms-chap-v2 authentication

  tunnel-group 74.219.208.50 type ipsec-l2l

  IPSec-attributes tunnel-group 74.219.208.50

  pre-shared key *.

  type tunnel-group NCHVPN remote access

  attributes global-tunnel-group NCHVPN

  address pool VPN_Pool

  Group Policy - by default-NCHVPN

  IPSec-attributes tunnel-group NCHVPN

  pre-shared key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  Cryptochecksum:15852745977ff159ba808c4a4feb61fa

  : end

  ASDM image disk0: / asdm - 645.bin

  ASDM VPN_Start 255.255.255.255 inside location

  ASDM VPN_End 255.255.255.255 inside location

  don't allow no asdm history

  Anyone have any idea why this is happening?

  Thank you!

  Add, crypto dynamic-map outside_dyn_map 20 value reverse-road.

  With respect,

  Safwan

• Impossible to establish a VPN to ASA 5505

  I'm trying to set up a network VPN from Site to Site. Right now I'm doing this work in the laboratory. I have the Internet port on the Linksys connected directly to port 0 on the cisco that has been set up as the internet port.

  My configuration is:

  Remote site

  Laptop 1 - IP 192.168.2.100 address 255.255.255.0 GW 192.168.2.1

  The Router 1 (Linksys BEFSX41) - LAN IP 192.168.2.1 255.255.255.0

  209.168.145.49 WAN IP address 255.255.255.0 GW 209.168.145.50

  Host site

  Laptop 2 - address 192.168.1.100 IP 255.255.255.0 GW 192.168.1.1

  Router 2 (Cisco ASA 5505) - LAN IP 0 address 192.168.1.1 255.255.255.0

  IP WAN (Port 0) 209.168.145.50 255.255.255.0

  My problems:

  I use ASDM 5.2 to configure the router of the SAA. With the configuration I currently have my linksys is not able to establish a VPN connection. The journal of ASA reported via the ASDM is as shown in the attachment ciscolog.txt.

  My linksys journal is as listed in the attachment linksyslog.txt.

  I also tried to create a Cisco VPN client connection using the cisco client software and a laptop connected directly to the internet port of the router cisco (port 0) and was not able to establish a connection with that either. I used the wizard of ASDM VPN to try to implement the Site-site as well as the scenarios of connection remotely. This has been unsuccessful in both cases.

  The only one, I am really interested in getting to work is the site to site.

  My current configuration of cisco is shown in the attachment cisco.txt.

  If anyone has any input I would appreciate it a lot. I have been through the manuals of cisco as to scouring the internet and am unable to find an answer.

  I enclose 3 files, cisco log (ciscolog.txt), linksys (linksyslog.txt) log and config cisco (cisco.txt) in the form of text files.

  Thank you.

  Sean

  I hope that path statement solves your problem.

  -Gilbert

  Good job, Adam!

• Block the specific IP traffic in ASA 5505

  Hi, we have an ASA 5505 in transparent mode and run a web service online. However, we notice a number of attempts to intrution from China and Korea and we need to block these IP traffic can anyone help please?

  config script is

  transparent firewall

  hostname xxyyASA

  Select msi14F/SlH4ZLjHH of encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Ethernet0/0

  Description - the Internet-

  switchport access vlan 2

  !

  interface Ethernet0/1

  Description - connected to the LAN-

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  interface Vlan1

  nameif inside

  Bridge-Group 1

  security-level 100

  !

  interface Vlan2

  nameif outside

  Bridge-Group 1

  security-level 0

  !

  interface BVI1

  Description - for management only-

  IP address xxx.yyy.zzz.uuu 255.255.xxx.yyy

  !

  passive FTP mode

  network of the WWW-SERVER-OBJ object

  Home xxx.yyy.zzz.jjj

  Description - webserver-

  WWW-SERVER-SERVICES-TCP-OBJ tcp service object-group

  Description - Services published on the WEB server-

  WWW-SERVER-SERVICES-UDP-OBJ udp service object-group

  Description - Services published on the WEB server - UDP

  Beach of port-object 221 225

  1719-1740 object-port Beach

  OUTSIDE-IN-ACL scope tcp access list deny any any eq 3306

  OUTSIDE-IN-ACL scope tcp access list deny any any eq telnet

  OUTSIDE-IN-ACL scopes allowed icmp an entire access list

  OUTSIDE-IN-ACL scopes permitted tcp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

  access list OUTSIDE-IN-ACL scopes permit tcp host xxx.yyy.zzz.uuu object WWW-SERVER-OBJ eq 3306

  OUTSIDE-IN-ACL scopes permitted udp access list any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ

  We need to block access of host say 64.15.152.208

  Just need the best step to follow and block access, without affecting the service or other host

  Thank you

  Insert a line like:

  OUTSIDE-IN-ACL scope access list deny host ip 64.15.152.208 all

  in front of your 3rd line "... to enable icmp a whole."

  If you have many of them, maybe do:

  object-group network blacklist

  host of the object-Network 64.15.152.208

  network-host another.bad.ip.here object

  object-network entire.dubious.subnet.here 255.255.255.0

  ...

  OUTSIDE-IN-ACL scope object-group BLACKLIST ip deny access list all

  If you want to take in scores of reputation on the outside, or the blacklist changes a lot, you might look into the Cisco ASA IPS module.

  Note that fleeing bad hosts help with targeted attacks, but not with denial of service; only, he moves to point decline since the application for the firewall server, without much effect on the net on your uplink bandwidth consumption.

  -Jim Leinweber, WI State Lab of hygiene

• The import of the PIX 501 config to ASA 5505

  Is there something special that must occur to import a PIX 501 (IOS Version 6.3) config to an ASA 5505 appliance or is it as simple as download the config?

  Greg

  No, this isn't unfortunately because your pix is running 6.4 and the ASA 5505 will run a minimum of code 7.x and there were quite a few changes. Note that many existing commands would work, but some will not. Attached is a link to a doc for improving pix ASA who speaks both a manual method and an assisted version of tool -.

  http://www.Cisco.com/en/us/docs/security/ASA/migration/guide/pix2asa.html

  Jon