Key to mounting USB on an ASA 5505?
Hello
I have an ASA 5505 and the built-in flash is small enough and I put 3 .pkg on it for 4 Anyconnect.
I formatted a memory stick (4 GB) to FAT32 and put in the USB Port 2 port on the back and restarted the firewall.
But in file manager, I see disk0 and disk1, disk1 does not work, does not list anything but I can't create folders on this subject.
Can I mount the USB key manually or something?
Kind regards.
The USB port on the 5505 is not a supported file storage location.
In the most recent series 5500-X (including the X 5506), you can do this.
Tags: Cisco Security
Similar Questions
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
ASA 5505 VPN established, cannot access inside the network
Hi, I recently got an ASA 5505, and I spent weeks to find a way to set up a VPN on it.
After a few days, I finally found the solution to connect to my ASA with a VPN client yet and cannot access devices that are connected to the ASA.
Here is my config:
ASA Version 8.2 (5)
!
hostname asa01
domain kevinasa01.net
activate 8Ry2YjIyt7RRXU24 encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP address dhcp setroute
!
interface Vlan5
No nameif
security-level 50
IP 172.16.1.1 255.255.255.0
!
passive FTP mode
DNS server-group DefaultDNS
domain kevinasa01.net
permit same-security-traffic intra-interface
Remote_Kevin_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.254.0 255.255.255.240
inside_nat0_outbound list of allowed ip extended access all 192.168.254.0 255.255.255.0
inside_nat0_outbound list of allowed ip extended access entire 192.168.1.0 255.255.255.0
sheep - in extended Access-list allow IP 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access extensive list ip 192.168.254.0 outside_access_in allow 255.255.255.0 any
access extensive list ip 192.168.254.0 inside_access_in allow 255.255.255.0 any
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
pool pool 192.168.254.1 - 192.168.254.10 255.255.255.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (outside) 1 192.168.254.0 255.255.255.0
NAT (inside) 0 access-list sheep - in
NAT (inside) 1 192.168.1.0 255.255.255.0
NAT (inside) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
management-access inside
dhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal Remote_Kevin group strategy
attributes of Group Policy Remote_Kevin
value of server DNS 192.168.1.12 192.168.1.13
VPN - connections 3
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Remote_Kevin_splitTunnelAcl
kevinasa01.NET value by default-field
username kevin mz6JxJib/sQqvsw9 password encrypted privilege 0
username kevin attributes
VPN-group-policy Remote_Kevin
type tunnel-group Remote_Kevin remote access
attributes global-tunnel-group Remote_Kevin
address-pool
Group Policy - by default-Remote_Kevin
IPSec-attributes tunnel-group Remote_Kevin
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:2bb1da52d1993eb9b13c2f6dc97c16cd
: endThank you
Hello
I read your message quickly through my cell phone. I don't know why you have spent your config twice. Maybe a typo issue.
I see the acl sheep in the wrong way. I mean 192.168.254 are your pool VPN and 192.168.1.0 your local LAN.
The acl must be:
sheep - in extended access-list permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
For nat (inside), you have 2 lines:
NAT (inside) 1 192.168.1.0 255.255.255.0 ==> it is redundant as the 1 below does the same thing with more networks if there is inside side. You can delete it.
NAT (inside) 1 0.0.0.0 0.0.0.0Why are you doing this nat (outside)?
NAT (outside) 1 192.168.254.0 255.255.255.0
Here are the first questions that I have seen by reading through my mobile. Let's change this and let me know. I'll take a look later with a computer (tonight or tomorrow)
Thank you.
PS: Please do not forget to rate and score as good response if this solves your problem.
-
ASA 5505 possibly interfere/blocking calls Incound UC560
ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry - 5716462 #entry - 5716462
All,
We had this problem the phone when we lose connectivity for some reason any. Here is an example:
We have an ASA 5505 before our UC560. Power lost to ASA (power connector from main Board loose) primary did identical backup with config. The layout-design is the following:
UC560<--->ASA 5505 Cisco IAD24523<--->(provider)<---WAN(3 bonded="">
After the passage of the ASAs, incoming calls have been piecemeal. I can see the traffic on the firewall when the calls log, nothing otherwise. OS on the device are:
UC560 - 15.0 XA (1r).
ASA 5505-4, 0000 38
Contacted the provider and after calls debugging support have been expire with the 408 SIP error.
Release with support from Cisco and after debugging UC is to launch the SIP 487 disconnect error.
So based on the above and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the config ASA (it's pretty long, sorry):
Output of the command: "show run".
: Saved
:
: Serial number:
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA 4,0000 Version 38
!
XXXXX-CA hostname
activate the encrypted password of WUGxGkjzJJSPhT9N
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
WUGxGkjzJJSPhT9N encrypted passwd
names of
DNS-guard
192.168.254.1 mask - local 192.168.254.25 pool XXXXX-Remote IP 255.255.255.0
!
interface Ethernet0/0
Description-> Internet
switchport access vlan 2
!
interface Ethernet0/1
Description-> inside
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
Shutdown
No nameif
no level of security
no ip address
!
interface Vlan2
Description-> Internet<>
nameif outside
security-level 0
address IP XXX.XXX. XXX.242 255.255.255.240
!
interface Vlan10
nameif inside
security-level 100
IP 10.0.1.1 255.255.255.0
!
exec banner * W A R N I N G *.
banner exec unauthorised access prohibited. All access is
banner exec monitored and the intruder may be continued
exec banner to the extent of the law.
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY!
Banner motd this is a private computer system.
Banner motd, access is allowed only by authorized employees or agents of the
company banner motd.
Banner motd system can be used only for the authorized company.
Banner motd business management approval is required for all access privileges.
Banner motd, as this system is equipped with a safety system designed to prevent
Banner motd and attempts of unauthorized access record.
Banner motd
Banner motd unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system Disk0: / asa904-38 - k8.bin
boot system Disk0: / asa904-29 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS domain-lookup outside
permit same-security-traffic intra-interface
object obj voip network
10.1.1.0 subnet 255.255.255.0
network object obj - 192.168.254.0
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
object obj cue-network
10.1.10.0 subnet 255.255.255.0
object obj priv-network
192.168.10.0 subnet 255.255.255.0
object obj data network
subnet 10.0.1.0 255.255.255.0
network object obj - 192.168.0.0
192.168.0.0 subnet 255.255.255.0
Description not used
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
Description not used
object obj nj-asa-private-network
Subnet 192.168.2.0 255.255.255.0
network obj object -? asa-private-network
192.168.5.0 subnet 255.255.255.0
network obj object -? asa-private-network
192.168.6.0 subnet 255.255.255.0
network obj object -? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network obj object -? asa-priv-networl
subnet 192.168.4.0 255.255.255.0
network obj object -? asa-private-network
192.168.7.0 subnet 255.255.255.0
object obj-asa-Interior-voip-nic network
host 10.1.1.1
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
network object obj - 0.0.0.0
host 0.0.0.0
object obj-vpn-nic network
Home 192.168.10.20
object obj XXXX-asa-private-network
192.168.8.0 subnet 255.255.255.0
House of XXXX description
network obj object -? asa-private-network
192.168.9.0 subnet 255.255.255.0
object asa inside-network data
subnet 10.0.1.0 255.255.255.0
asa data-outside-network object
subnet XXX.XXX. XXX.240 255.255.255.240
network of china-education-and-research-network-center object
Home 202.194.158.191
Acl explicitly blocked description
China unicom shandong network item
60.214.232.0 subnet 255.255.255.0
Acl explicitly blocked description
pbx-cue-Interior-nic network object
Home 10.1.10.2
pbx-cue-outside-nic network object
host 10.1.10.1
telepacific-voip-trunk network object
Home 64.60.66.250
Description is no longer used
us-la-mianbaodianying network object
Home 68.64.168.46
Acl explicitly blocked description
object network cue
10.1.10.0 subnet 255.255.255.0
private-network data object
192.168.10.0 subnet 255.255.255.0
pbx-outside-data-nic network object
host 10.0.1.2
pbx-voip-Interior-nic network object
host 10.1.1.1
voip network object
10.1.1.0 subnet 255.255.255.0
vpn-server-nic network object
Home 192.168.10.20
asa-data-outside-nic network object
host XXX.XXX. XXX.242
asa-voip-ctl-outside-nic network object
host XXX.XXX. XXX.244
the object 192.168.0.0 network
192.168.0.0 subnet 255.255.255.0
Description not used
the object 192.168.1.0 network
subnet 192.168.1.0 255.255.255.0
Description not used
nj-asa-priv-netowrk network object
Subnet 192.168.2.0 255.255.255.0
network of the 192.168.254.0 object
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
network of the object? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network of the object? asa-private-network
subnet 192.168.4.0 255.255.255.0
network of the object? asa-private-network
192.168.5.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.6.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.7.0 subnet 255.255.255.0
network of the object? asa-private-network
192.168.9.0 subnet 255.255.255.0
the XXXX-asa-private-network object network
192.168.8.0 subnet 255.255.255.0
network object XXX.XXX. XXX.242
host XXX.XXX. XXX.242
service object 47
tcp source eq eq 47 47 destination service
object network dvr
Home 192.168.10.16
network dvr-nat-tcp8888 object
Home 192.168.10.16
network dvr-nat-tcp6036 object
Home 192.168.10.16
network dvr-nat-udp6036 object
Home 192.168.10.16
dvr-8888 service object
destination eq 8888 tcp service
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service dvr-6036-tcp - udp
port-object eq 6036
détermine access-list extended allow object to ip pbx-outside-data-nic any4 inactive
détermine access-list extended allow ip pbx-outside-data-nic inactive object any4
access-list extended testout allowed ip object asa-voip-ctl-outside-nic any4 inactive
access-list extended testout allowed ip any4 object asa-voip-ctl-outside-nic inactive
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.0.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.1.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 10.1.10.0 255.255.255.0
XXXXX-Remote_splitTunnelAcl-list of allowed access standard 192.168.10.0 255.255.255.0
inside_nat0_outbound list extended access permitted ip network voip 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object cue-network 192.168.254.0
inside_nat0_outbound list extended access permits data-private-network ip object 192.168.254.0 object
inside_nat0_outbound list extended access permitted ip object asa-data-inside-network 192.168.254.0
inside_nat0_outbound list extended access permitted ip voip-network 192.168.0.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.0.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.0.0 inactive ip
inside_nat0_outbound list extended access permitted ip voip-network 192.168.1.0 idle object
inside_nat0_outbound list extended access permitted ip inactive cue-network 192.168.1.0 object
inside_nat0_outbound list extended access allowed object data-private-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object asa-data-inside-network 192.168.1.0 inactive ip
inside_nat0_outbound list extended access allowed object ip voip-network object nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-network object nj-asa-priv-netowrk object
inside_nat0_outbound list extended access permitted ip object data-private-network nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip object asa data-inside-network-nj-asa-priv-netowrk
inside_nat0_outbound list extended access permitted ip cue-XXXX-asa-private-network network object
inside_nat0_outbound extended access list permit ip object asa - Interior-data object XXXX-asa-private-network network
inside_nat0_outbound list extended access permitted ip voip XXXX-asa-private-network network object
inside_nat0_outbound list extended access allowed object of data-private-network ip XXXX-asa-private-network object
ezvpn1 list standard access allowed 192.168.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.10.0 255.255.255.0
ezvpn1 list standard access allowed 10.0.1.0 255.255.255.0
ezvpn1 list standard access allowed 10.1.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.0.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.1.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.2.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.3.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.4.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.5.0 255.255.255.0
ezvpn1 standard access list allow the 192.168.6.0 255.255.255.0
ezvpn1 standard access list allow 192.168.7.0 255.255.255.0
ezvpn1 standard access list allow 192.168.8.0 255.255.255.0
ezvpn1 list standard access allowed 192.168.9.0 255.255.255.0
access-list capout extended permitted udp object asa-data-outside-nic telepacific-voip-trunk inactive
access-list capout extended permitted udp object telepacific-voip-trunk asa-data-outside-nic inactive
allowed to capture access extended list ip pbx-cue-outside-nic object nj-asa-priv-netowrk
allowed to capture access extended list ip pbx-cue-Interior-nic object nj-asa-priv-netowrk
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-exterieur-nic object access permits
capture extensive list ip pbx object nj-asa-priv-netowrk-cue-interieur-nic object access permits
object capture allowed extended ip access list? object - asa-private-network pbx-cue-outside-nic
object capture allowed extended ip access list? object - asa-private-network pbx-cue-Interior-nic
ciscotest list extended access allowed host ip network voip 192.168.5.41 idle object
access-list extended ciscotest allowed host 192.168.5.41 voip inactive ip network object
ciscotest list extended access allowed host ip network voip 192.168.5.43 idle object
access-list extended ciscotest allowed host 192.168.5.43 voip inactive ip network object
access-list out_in note remote access attempted
out_in list extended access deny ip object China unicom shandong network any4
access-list out_in note remote access attempted
out_in list extended access deny ip object we-the-mianbaodianying any4
out_in list extended access deny SIP pbx-voip-Interior-nic EQ udp object china-education-and-research-network-center object
out_in list extended access allow icmp any4 object vpn-server-nic
out_in list extended access permitted tcp any4 pptp vpn-server-nic eq of object
out_in list extended access permitted tcp any4 object vpn-server-nic eq 47
out_in list extended access allow accord any4 object vpn-server-nic
out_in list extended access allow icmp any4 object pbx-voip-Interior-nic
out_in list extended access permitted udp any4 object pbx-voip-Interior-nic eq tftp
out_in list extended access permitted tcp any4 object pbx-voip-Interior-nic eq h323
out_in list extended access permitted udp any4 sip pbx-voip-Interior-nic eq of object
Comment from out_in-HTTPS access outside the access list
out_in list extended access permitted tcp any4 object data-private-network eq https
outside_access_in list extended access allow icmp host 192.168.10.20 any4
access-list extended outside_access_in permit tcp host 192.168.10.20 any4 eq pptp
outside_access_in list extended access allowed host any4 object 47 192.168.10.20
outside_access_in list extended access allow accord any4 host 192.168.10.20
outside_access_in list extended access permit tcp any object dvr dvr-6036 object-group
outside_access_in list extended access permit udp any object dvr dvr-6036 object-group
outside_access_in list extended access allowed object dvr-8888 any object dvr
outside_access_in list extended access allow icmp any4 host 10.1.1.1
access-list extended outside_access_in permit udp host 10.1.1.1 any4 eq tftp
access-list extended outside_access_in permit tcp host 10.1.1.1 any4 eq h323
access-list allowed outside_access_in extended udp any4 host 10.1.1.1 eq sip
go to list of access outside_access_in note incoming https.
outside_access_in list extended access permitted tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
Enable logging
exploitation forest-size of the buffer 1048576
monitor debug logging
debug logging in buffered memory
asdm of logging of information
address record [email protected] / * /
exploitation forest-address recipient [email protected] / * / level of errors
exploitation forest flash-bufferwrap
No registration message 106015
No message logging 313001
No registration message 313008
no logging message 106023
No message logging 710003
no logging message 106100
No message logging 302015
No message recording 302014
No message logging 302013
No message logging 302018
No message logging 302017
No message logging 302016
No message logging 302021
No message logging 302020
destination of exports flow inside 192.168.10.20 4432
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 3 burst-size 1
ICMP allow any response of echo outdoors
ICMP allow any echo outdoors
ICMP allow any inaccessible outside
ICMP permitted host 75.140.0.86 outside
ICMP allow any inside
ASDM image disk0: / asdm-715 - 100.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static obj-data-network-obj-network destination static obj - 192.168.254.0 obj - 192.168.254.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.0.0 obj - 192.168.0.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static obj-data-network-obj-network source destination static obj - 192.168.1.0 obj - 192.168.1.0 to route non-proxy-arp-search inactive
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network source destination static obj-nj-asa-private-network obj-nj-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static obj-data-network-obj-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj -? -asa - private - network obj -? -asa - private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? -asa-priv-networl obj -? -asa-priv-networl non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
NAT (inside, all) static obj-data-network-obj-network source destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-voip-obj obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-cue-obj obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
NAT (inside, all) static source network-priv-obj obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network non-proxy-arp-search directions
static static obj obj-data-network-obj-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-voip-network obj-voip-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-cue-network obj-cue-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
static static obj obj-private-network obj-private-network destination NAT (inside, all) source -? obj - asa-private-network -? -asa-private-network non-proxy-arp-route search
!
object obj-asa-Interior-voip-nic network
NAT XXX.XXX static (inside, outside). XXX.244
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT (inside, outside) dynamic obj - 0.0.0.0
object obj-vpn-nic network
NAT XXX.XXX static (inside, outside). XXX.254
network dvr-nat-tcp8888 object
NAT (inside, outside) interface static 8888 8888 tcp service
network dvr-nat-tcp6036 object
NAT (inside, outside) interface static 6036 6036 tcp service
network dvr-nat-udp6036 object
NAT (inside, outside) interface static service udp 6036 6036
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 XXX.XXX. XXX.241 1
Route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
Route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
Route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
AAA authentication enable LOCAL console
LOCAL AAA authentication serial console
AAA authentication LOCAL telnet console
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outdoors
authentication & encryption v3 private Server SNMP group
SNMP server group No_Authentication_No_Encryption v3 /noauth
SNMP-server host inside the 192.168.10.20 community *.
Server SNMP Ontario, CA location
SNMP Server contact [email protected] / * /
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5-ESP-3DES-MD5 ESP-3DES-SHA SHA-DES-ESP ESP - THE - MD5
Crypto dynamic-map myDYN-card 5 set transform-set ESP-DES-MD5 ikev1
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
dynamic crypto isakmp 65535 ipsec myDYN-map myMAP map
Crypto ca trustpoint CAP-RTP-001_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint CAP-RTP-002_trustpoint
Terminal registration
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_0"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_0 key pair
Configure CRL
Crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
registration auto
full domain name no
name of the object cn = "_internal_ctl_phoneproxy_file_SAST_1"; UO = "STG"; o = "Cisco Inc."
_internal_ctl_phoneproxy_file_SAST_1 key pair
Configure CRL
Crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
registration auto
full domain name no
name of the object cn = "_internal_PP_ctl_phoneproxy_file"; UO = "STG"; o = "Cisco Inc."
_internal_PP_ctl_phoneproxy_file key pair
Configure CRL
Crypto ca trustpoint Cisco-Mfg-CA
Terminal registration
Configure CRL
Crypto ca trustpoint phoneproxy_trustpoint
registration auto
full domain name XXXXXXXXXX.com
name of the object CN = XXXXXX - ASA
phoneproxy_trustpoint key pair
Configure CRL
trustpool crypto ca policy
string encryption CAP-RTP-001_trustpoint ca certificates
certificate ca 7612f960153d6f9f4e42202032b72356
quit smoking
string encryption CAP-RTP-002_trustpoint ca certificates
certificate ca 353fb24bd70f14a346c1f3a9ac725675
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
certificate e1aee24c
CA
quit smoking
Crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
certificate e4aee24c
quit smoking
Crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
certificate e8aee24c
quit smoking
a string of ca crypto Cisco-Mfg-CA certificates
certificate ca 6a6967b3000000000003
quit smoking
Crypto ca certificate chain phoneproxy_trustpoint
certificate 83cbe64c
quit smoking
Crypto ikev1 allow outside
IKEv1 crypto policy 5
preshared authentication
the Encryption
md5 hash
Group 2
life 86400
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 10.0.1.0 255.255.255.0 inside
SSH 0.0.0.0 0.0.0.0 inside
SSH timeout 60
Console timeout 0
management-access insidepriority-queue outdoors
TX-ring-limit of 256
!
maximum-session TLS-proxy 24
!
!
TLS-proxy tls_proxy
_internal_PP_ctl_phoneproxy_file point server trust
CTL-file ctl_phoneproxy_file
file-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
Media-termination asdm_media_termination
address XXX.XXX. XXX.245 outside interface
address interface inside 10.0.1.245!
Phone-proxy asdm_phone_proxy
Media-termination asdm_media_termination
interface address 10.1.1.1 TFTP server on the inside
TLS-proxy tls_proxy
no settings disable service
XXX.XXX proxy server address. Outside the xxx.242 80 interface
a basic threat threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 192.168.10.60 source inside
internal group myGROUP strategy
Group myGROUP policy attributes
VPN-idle-timeout no
VPN-session-timeout no
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ezvpn1
allow to NEM
XXXXX group policy / internal remote
attributes of group XXXXX policy / remote
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
fstorm encrypted EICAA5sjaiU.vh05 privilege 15 password username
username fstorm attributes
type of remote access service
username password encrypted PPfytzRN94JBZlXh privilege 0 ciscotac
username cisco password encrypted privilege 15 omWHH15zt6aLxWSr
attributes username cisco
type of remote access service
username XXXXXu8 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu8 attributes
type of remote access service
username password uniadmin G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 encrypted password privilege 0 rmZe1Ee0HeReQn6N
username XXXXXU1 attributes
Strategy Group-VPN-XXXXX / remote
type of remote access service
username XXXXXu3 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu3 attributes
type of remote access service
username XXXXXu2 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu2 attributes
type of remote access service
username XXXXXu5 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu5 attributes
type of remote access service
username XXXXXu4 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu4 attributes
type of remote access service
username XXXXXu7 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu7 attributes
type of remote access service
username XXXXXu6 encrypted password rmZe1Ee0HeReQn6N
username XXXXXu6 attributes
type of remote access service
tunnel-group XXXXX type remote access / remote
attributes global-tunnel-group XXXXX / remote
XXXXX address pool / remote
Group Policy - by default-XXXXX / remote
IPSec-attributes tunnel-group XXXXX / remote
IKEv1 pre-shared-key *.
type tunnel-group mytunnel remote access
tunnel-group mytunnel General-attributes
strategy - by default-group myGROUP
mytunnel group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
!
class-card CM-VOICE-SIGNAL
match dscp af31
class-map-outside-phoneproxy
match eq 2443 tcp port
class-map inspection_default
match default-inspection-traffic
Class-map data
match flow ip destination-address
match tunnel-group mytunnel
class-card CM-VOICE
match dscp ef
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 1024
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the pptp
inspect the icmp
class class by default
Statistical accounting of user
flow-export-type of event all 192.168.10.20 destination
outside-policy policy-map
class outside-phoneproxy
inspect the thin phone-proxy asdm_phone_proxy
CM-VOICE class
priority
CM-VOICE-SIGNAL class
priority
World-Policy policy-map
!
global service-policy global_policy
207.46.163.138 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
HPM topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: endIf someone could give a clue as to what could be the problem, I would appreciate it.
/ / / / o ? 0:o); ++ rc; c ++) a [c] .apply (i, r); var s = f [g [n]]; {return s & s.push ([m, n, r, i]), I} function p (e, t) {[e] w = l (e) .concat (t)} function l (e) {return [e] w |} []} function d (e) {return s [e] [e] s =: o (n)} function v (e, t) {c (e, function (e, n) {t = t |})} "" featured ", g [n] = t, f t | (f[t]=[])})} var w = {,} g = {}, m = {on: p, emit: n, get: d, listeners: l, context: t, buffer: v}; "return m} function i() {return new r} var a ='[email protected] / * /', u = e ("GDS"), (2) c = e, f is {}, s = {}, p is t.exports = o (); [p.backlog = f}, {}], gos: [function (e, t, n) {function r (e, t, n) {if (o.call (e, t)) e [t] return; var r = n (); if (Object.defineProperty & Object.keys) try {return Object.defineProperty (e t, {value: r, available in writing:! 0, countable:! 1}), r} catch (i) {return [t] = r, r e} var o = Object.prototype.hasOwnProperty; t.exports = r}, {}], handle: [function (e, t, n) {function r (e, t, n [{(, r) {o.buffer([e],r), o.emit(e,t,n)} var o = e("ee").get ("handle"); t.exports = r, r.ee = o}, {}], id: [function (e, t, n) {function r (e) {var t = typeof e; return! e |}}] "(» Object"!==t&&"function"!==t?-1:e===Window?0:a(e,i,Function() {return o ++})} var o = 1, I = "[email protected] / * /', a = e ("gos"); [t.exports = r}, {}], charger: [function (e, t, n) {function r() {if(!w++) {var e = v.info = NREUM.info, t = s.getElementsByTagName ("script") [0]; if(e&&e.licenseKey&&e.applicationID&&t) {c (l, function (t, n) {[t] e |})}}}}] (e [t] = n)}) ; var n = "https" = p.split (":") [0] | e.sslForHttp; v.proto = n? ([' https://":"http://",u("Mark",["OnLoad",a ()], null,"api"); var r = s.createElement ("script");r.src=v.proto+e.agent,t.parentNode.insertBefore(r,t)}}} function o() {"complete" = s.readyState & i ()} function i() {u ("mark", ["domContent", a ()], null, "api")} function a() {return (new Date) .getTime ()} var u = e ('handful'), c = e (2), f = window, s = f.document; NREUM.o = {ST:setTimeout, CT:clearTimeout, XHR:f.XMLHttpRequest, REQ:f.Request, EV:f.Event, PR:f.Promise, MO:f.MutationObserver}, e (1); var p=""+location,l={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net",agent:"js-agent.newrelic.com/nr-918.min.js"},d=window. XMLHttpRequest&&XMLHttpRequest.prototype&&XMLHttpRequest.prototype.addEventListener&&!/CriOS/.test (navigator.userAgent), v = t.exports = {offset: a (), original: p, features: {}, xhrWrappable:d}; s.addEventListener? (s.addEventListener("DOMContentLoaded",i,!1),f.addEventListener("load",r,!1)):(s.attachEvent("onreadystatechange",o),f.attachEvent("onload",r)),u("mark",["firstbyte",a ()], null, "api"); ({[var w = 0}, {}]}, {}, ["loader"]); // ]]> // // //
Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!
Now, given that your issue is resolved, you must mark the thread as "answered" :)
Thank you for evaluating useful messages!
-
ASA 5505 as internet gateway (must reverse NAT)
Hi all the Cisco guru
I have this diet:
Office-> Cisco 877-> Internet-> ASA 5505-> remote network
Office network: 192.168.10.0/24
Cisco 877 IP internal: 192.168.10.200
Cisco 877 external IP: a.a.a.a
ASA 5505 external IP: b.b.b.b
ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3
Remote network: 192.168.17.0/24 and 192.168.1.0/24
VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.
But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:
305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT
Ping of OLD-private interface to google result:
110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0
Result of traceroute
How can I fix reverse NAT and make ASA as internet gateway?
There is my full config
!
ASA Version 8.2 (2)
!
hostname ASA2
domain default.domain.invalid
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
1234.5678.0002 Mac address
nameif WAN
security-level 100
IP address b.b.b.b 255.255.248.0
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
1234.5678.0202 Mac address
nameif OLD-private
security-level 0
IP 192.168.17.3 255.255.255.0
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
1234.5678.0206 Mac address
nameif management
security-level 0
192.168.1.3 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd * W A R N I N G *.
Banner motd unauthorised access prohibited. All access is
Banner motd monitored and trespassers will be prosecuted
Banner motd to the extent of the law.
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain default.domain.invalid
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
Enable logging
recording of debug trap
logging of debug asdm
Debugging trace record
Debug class auth record trap
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host a.a.a.a WAN
ICMP deny any WAN
ICMP permitted host 192.168.10.7 WAN
ICMP permitted host b.b.b.b WAN
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (WAN) 1 0.0.0.0 0.0.0.0inside_nat0_outbound (WAN) NAT 0 access list
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer a.a.a.a
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH a.a.a.a 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config management
!a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LAN_IP
privilege of encrypted password password username administrator 15
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool VPN_Admin_IP
strategy-group-by default admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
strategy-group-by default admin
a.a.a.a group of tunnel ipsec-attributes
pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!Thank you for your time and help
Why you use this NAT type?
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
NAT (OLD-private) 0-list of access WAN_nat0_outboundYou are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.
If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:
NAT (OLD-private) 1 0.0.0.0 0.0.0.0
Global (WAN) 1 interface
-
ASA 5505 Security Plus license question
Hi all!
I have an ASA 5505 that I test with first entered with the Security Plus license. Recently, I erased flash and loaded the latest version of asa841 - k8.bin of IOS with asdm - 642.bin. Everything starts very well and came as he does so freshly however I noticed that I was now running only a basic license. If I run the sh key activation order, I noticed the following messages (exit complete is downstairs):
The activation key running is not valid, using the default
......
This platform includes a basic license.
......
Unable to retrieve the activation key permanent flash
I somehow kill my Security Plus licenses when I did the flash erase? If yes how do I to get it back?
Thank you!!!
-ken
ciscoasa # sh - activation key
Serial number: JMXXXXXXHU
Activation key permanent running: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The activation key running is not valid, using the default settings:
The devices allowed for this platform:
The maximum physical Interfaces: 8 perpetual
VLAN: 3 restricted DMZ
Double ISP: Disabled perpetual
Junction VIRTUAL LAN ports: perpetual 0
The hosts on the inside: 10 perpetual
Failover: Disabled perpetual
VPN - A: enabled perpetual
VPN-3DES-AES: disabled perpetual
AnyConnect Premium peers: 2 perpetual
AnyConnect Essentials: Disabled perpetual
Counterparts in other VPNS: 10 perpetual
Total VPN counterparts: 25 perpetual
Shared license: disabled perpetual
AnyConnect for Mobile: disabled perpetual
AnyConnect Cisco VPN phone: disabled perpetual
Assessment of Advanced endpoint: disabled perpetual
Proxy UC phone sessions: 2 perpetual
Proxy total UC sessions: 2 perpetual
Botnet traffic filter: disabled perpetual
Intercompany Media Engine: Disabled perpetual
This platform includes a basic license.
Unable to retrieve the activation key permanent flash.
The permanent activation key flash is the SAME as the key permanent running.
Hi Ken,
If you know what the license and activation for your security key, you can simply re - install it with the command "activation key" from the global configuration mode.
If you have lost the key, you'll want to open a support case to get it retrieved.
Hope that helps.
-Mike
-
EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure
Hi friends,
I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?
Please find below the exit of 881 router Cisco:
YF2_Tbilisi_router #.
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
* 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.* 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA* 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
* 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.* 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
* 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
* 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
* 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
* 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
* 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
* 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:31:47.805 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
* 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1* 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
* 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
* 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA* 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
* 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.* 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
* 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
* 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
* 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
* 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
* 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
* 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:32:48.913 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
* 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1* 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
* 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.
The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?
-
ASA 5505 ASDM VPN connection problem
Hello
We are running a version of firewall ASA 5505 8.4 (4) 1. The ASDM version is 6.4 (9).
The problem is when the creation of remote access VPN connection, it works fine for about 2-3 days.
After that, the VPN client cannot connect more and gives the error code 789.
In this case, the VPN clients are clients of Windows 7 from different remote networks with the same problem scenario.
Windows 8.1 clients cannot connect at all and show the same error code...
All connections go through the keys defaultragroup and preshare match on both sides.
When the user to connect attemps I receive the following text in the log of the ASDM:
6 April 10, 2015 10:52:39 group = DefaultL2LGroup, IP = 5.240.31.116, P1 retransmit msg sent to the WSF MM5 April 10, 2015 10:52:39 group = DefaultL2LGroup, IP = 5.240.31.116, in double Phase 1 detected package. Retransmit the last packet.5 April 10, 2015 10:53:03 IP = 5.240.31.116, encrypted packet received with any HIS correspondent, dropWhen I implemented the remote login through ASDM I followed the instructions according to the following link:The steps were a little different, but almost the same, given that these instructions show an old versionI'm interested in trying the steps according to this link but not sure this will help me solve the problem id:Any help would be appreciated!Thank youHello
If you use local authentication (user name and password on the SAA), so why you would need this threshold?
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
!Remove it and try.
-
VPN Tunnel access to several subnets ASA 5505
Greetings,
We spent a little time trying to configure our ASA 5505 in order to TUNNEL into several different subnets. Subnets include 192.168.1.0 / 192.168.2.0 / 192.168.10.0
Someone is about to review this setup running and indicate where we have gone wrong. When I connect via the VPN Client, I can access the 192.168.1.0 network, no problem. But fail to reach the other two. Thank you very much.
Output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (5)
!
hostname BakerLofts
activate kn7RHw13Elw2W2eU encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 74.204.54.4 255.255.255.248
!
interface Vlan12
nameif Inside2
security-level 100
IP address 192.168.10.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
vpn_splitTunnelAcl list standard access allowed 192.168.1.0 255.255.255.0
outside_access_in of access allowed any ip an extended list
inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.3.0 255.255.255.0
Inside2_access_in of access allowed any ip an extended list
permit Inside2_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
MTU 1500 Inside2
IP local pool vpn 192.168.3.1 - 192.168.3.254 mask 255.255.255.0
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0 192.168.3.0 255.255.255.0 outside
NAT (Inside2) 0-list of access Inside2_nat0_outbound
NAT (Inside2) 1 0.0.0.0 0.0.0.0
Access-group outside_access_in in interface outside
Access-group Inside2_access_in in the interface Inside2
Route outside 0.0.0.0 0.0.0.0 74.204.54.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
AAA authentication LOCAL telnet console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal vpn group policy
attributes of vpn group policy
value of server DNS 8.8.8.8
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_splitTunnelAcl
username, password samn aXJbUl92B77AGcc. encrypted privilege 0
samn attributes username
Strategy-Group-VPN vpn
username password encrypted QUe2MihLFbj2.Iw0 privilege 0 jmulwa
username jmulwa attributes
Strategy-Group-VPN vpn
jangus Uixpk4uuyEDOu9eu username encrypted password
username jangus attributes
Strategy-Group-VPN vpn
vpn tunnel-group type remote access
VPN tunnel-group general attributes
vpn address pool
Group Policy - by default-vpn
Tunnel vpn ipsec-attributes group
pre-shared key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote call
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
I see two problems:
1. your ASA has not an interior road to the Incas inside networks. You must add:
Route inside 192.168.2.0 255.255.255.0
Route inside 192.168.10.0 255.255.255.0
.. .specifying your gateway address of these networks.
2. the statement "access-list standard vpn_splitTunnelAcl permit 192.168.1.0 255.255.255.0" sends only a route for 192.168.1.0/24 to your customer. You need to add entries for the other two networks.
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate thepassword encrypted
passwdencrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin passwordencrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endMattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.
Add the statement of rule sheep in asa and try again.
NAT (inside) 0-list of access pixtosw
Concerning
-
ASA 5505-> ASA 5520 Site - to drops frequent
Hello
I'm about to give up the blow this ASA 5505. Basically, what happens is to install the 5505 connects to the 5520, establishes the tunnel and all is well. In the 10 or 15 minutes, everything falls, and the VPN tunnel refuses to come back until I reload the 5505. It's BORING. This SAA is in a building that has been closed and is used for safety so that whenever this happens that I am standing in a strengthening of expletives gel.
The 5520, messages are the following:
3 Feb 15:28:24 asalicious.ips.k12.in.us Feb 03 15:28:42 IS: % ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
3 Feb 15:28:25 asalicious.ips.k12.in.us Feb 03 15:28:43 UTC: % ASA-vpn-6-713219: IP = 70.63.52.210, Queuing KEY-ACQUIRE messages are treated when SA P1 is finished.
pleated Phase 1 detected package. Retransmit the last packet.
3 Feb 15:28:31 asalicious.ips.k12.in.us Feb 03 15:28:49 IS: % ASA-vpn-6-713905: IP = 70.63.52.210, P1 retransmit msg sent to the WSF MM-Also:
5 IKE peers: 70.63.52.210
Type: user role: answering machine
Generate a new key: no State: MM_WAIT_MSG3
6 IKE peers: 70.63.52.210
Type: user role: answering machine
Generate a new key: no State: MM_WAIT_MSG3If anyone has any ideas that would be great. The work of the "thing" for literally 20 minutes and everything is peachy - then DEATH!
The two code 8.2 current to identical execution.
Thank you
Tim
Hi Tim,.
Sorry for the pain, VPN drops are caused by several things, hence the request for the config because we need to isolate it, for example, incompatibility of configuration could be one of the reasons that the SAs could be negotiated with the tunnels that are not quite defined for this particular tunnel. As well the drop could occur due to the DPD lost on the path or because some IP renewal.
Regarding the config I need to see the relevant sides ACL Crypto, exempt NAT and the relevant definitions of Crypto rules (in this part, see if you can post all of those included)
Thank you
Ivan
-
Site to site VPN upward but not pass traffic (ASA 5505 8.3.1 and 9.2.3 version)
Hello
I'll put up a tunnel vpn site-to-site between two locations. Both have cisco ASA 5505 running a different version, I'll explain in more detail below. so far, I was able to get the tunnel to come but I can't seem to pass traffic, I work at this for days now and have not been able to understand why he will not pass traffic. Needless to say that the customer's PO would be on the fact that their VPN is not upward and they had to do by hand. I'll put the configs below, if possible can someone help me as soon as POSSIBLE, I really want to get this site up and running so that we do not lose the customer.
An IP address of 0.0.0.0 = site
Site B IP = 1.1.1.1A Version of the site = 8.3.1
Version of the site B = 9.2.3__________________________
_________A RACE OF THE SITE CONFIGURATION
Output of the command: "sh run".
: Saved
:
ASA Version 8.3 (1)
!
hostname SDMCLNASA01
SDMCLNASA01 domain name. LOCAL
Select 5E8js/Fs7qxjxWdp of encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
the IP 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
the IP 0.0.0.0 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
SDMCLNASA01 domain name. LOCAL
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network lan_internal object
192.168.0.0 subnet 255.255.255.0
purpose of the smtp network
Home 192.168.0.245
Network http object
Home 192.168.0.245
rdp network object
Home 192.168.0.245
network ssl object
Home 192.168.0.245
network camera_1 object
host 192.168.0.13
network camerahttp object
host 192.168.0.13
service object 8081
source eq 8081 destination eq 8081 tcp service
Dvr description
network camera-http object
host 192.168.0.13
network dvr-http object
host 192.168.0.13
network dvr-mediaport object
host 192.168.0.13
object-group Protocol DM_INLINE_PROTOCOL_1
object-protocol udp
object-tcp protocol
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
DM_INLINE_TCP_1 tcp service object-group
EQ port 3389 object
port-object eq www
EQ object of the https port
EQ smtp port object
DM_INLINE_TCP_2 tcp service object-group
port-object eq 34567
port-object eq 34599
EQ port 8081 object
permit access ip 192.168.0.0 scope list outside_1_cryptomap 255.255.255.0 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq smtp
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_1 object-group
outside_access_in list extended access permit tcp any any DM_INLINE_TCP_2 object-group
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
don't allow no asdm history
ARP timeout 14400
NAT (inside, outside) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
!
network lan_internal object
NAT dynamic interface (indoor, outdoor)
purpose of the smtp network
NAT (all, outside) interface static tcp smtp smtp service
Network http object
NAT (all, outside) interface static tcp www www service
rdp network object
NAT (all, outside) interface static service tcp 3389 3389
network ssl object
NAT (all, outside) interface static tcp https https service
network dvr-http object
NAT (all, outside) interface static 8081 8081 tcp service
network dvr-mediaport object
NAT (all, outside) interface static 34567 34567 tcp service
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
http server enable 8080
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
http 71.40.221.136 255.255.255.252 inside
http 71.40.221.136 255.255.255.252 outside
http 192.168.0.0 255.255.255.0 outside
http 97.79.197.42 255.255.255.255 inside
http 97.79.197.42 255.255.255.255 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set peer 1.1.1.1
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 192.168.0.50 - 192.168.0.150 inside
dhcpd dns 192.168.0.245 209.18.47.62 interface inside
dhcpd SDMCLNASA01 field. LOCAL inside interface
dhcpd allow inside
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:462428c25e9748896e98863f2d8aeee7
: end________________________________
SITE B RUNNING CONFIG
Output of the command: "sh run".
: Saved
:
: Serial number: JMX1635Z1BV
: Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor
:
ASA Version 9.2 (3)
!
ciscoasa hostname
activate qddbwnZVxqYXToV9 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 1.1.1.1 255.255.255.252
!
passive FTP mode
clock timezone CST - 6
clock to summer time recurring CDT
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network camera_http object
host 192.168.1.13
network camera_media object
host 192.168.1.13
network of the NETWORK_OBJ_192.168.0.0_24 object
192.168.0.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
outside_access_in list extended access permit tcp any any eq 9000
outside_access_in list extended access permit tcp any any eq www
outside_access_in list extended access permit icmp any one
outside_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 732.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static static source NETWORK_OBJ_192.168.0.0_24 destination NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.0.0_24
NAT (exterior, Interior) static static source NETWORK_OBJ_192.168.1.0_24 destination NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.1.0_24
!
network camera_http object
NAT (all, outside) interface static tcp www www service
network camera_media object
NAT (all, outside) interface static 9000 9000 tcp service
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 peer set 0.0.0.0
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev1 allow outside
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.150 inside
dhcpd dns 192.168.0.245 209.18.47.61 interface inside
dhcpd SDPHARR field. LOCAL inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_0.0.0.0 group strategy
attributes of Group Policy GroupPolicy_0.0.0.0
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
: endSorry my mistake.
Delete this if it's still there
card crypto external_map 1 the value reverse-road
Add this to both sides
card crypto outside_map 1 the value reverse-road
Sorry about that.
Mike
-
ASA 5505 VPN cannot access inside the host
I have access remote VPN configuration on an ASA 5505, but cannot access the host or the AAS when I connect through the VPN. I can connect with the Cisco VPN client and the VPN is on on the SAA and it shows that I am connected. I have the correct Ip address, but I can't ping or you connect to one of the internal addresses. I can't find what I'm missing. I have the VPN without going through the ACL interface. Because I can connect but not going anywhere I'm sure I missed something.
framework for configuration below
interface Vlan1
nameif inside
security-level 100
10.1.1.1 IP address 255.255.255.0
IP local pool xxxx 10.1.1.50 - 10.1.1.55 mask 255.255.255.0
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 set pfs
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
PFS set 40 crypto dynamic-map outside_dyn_map
Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA
Crypto-map dynamic inside_dyn_map 20 set pfs
Crypto-map dynamic inside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
map inside_map 65535-isakmp ipsec crypto dynamic inside_dyn_map
inside crypto map inside_map interface
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
global service-policy global_policy
XXXXXXX strategy of Group internal
attributes of the strategy group xxxxxxx
banner value xxxxx Site Recovery
WINS server no
24.xxx.xxx.xx value of DNS server
VPN-access-hour no
VPN - connections 3
VPN-idle-timeout 30
VPN-session-timeout no
VPN-filter no
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelall
by default no
disable secure authentication unit
disable authentication of the user
user-authentication-idle-timeout no
disable the IP-phone-bypass
disable the leap-bypass
disable the NEM
disable the NAC
NAC-sq-period 300
NAC-reval-period 36000
NAC-by default-acl no
the address value xxxxxx pools
enable Smartcard-Removal-disconnect
the firewall client no
WebVPN
url-entry functions
Free VPN of CNA no
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general attributes
xxxx address pool
Group Policy - by default-xxxx
blountdr group of tunnel ipsec-attributes
pre-shared-key *.
Missing nat exemption for vpn clients. Add the following and you should be good to go.
inside_nat0_outbound list of allowed ip extended access any 192.168.10.0 255.255.255.0
NAT (inside) 0-list of access inside_nat0_outbound
-
Rookie of the ASA 5505 - cannot ping remote site or vice versa
Hi, I am trying configure an ipsec to an ASA 5505 (8.4) for a Sophos UTM (9.2)
Internet, etc. is in place and accessible. IPSec tunnel is also but I can't pass the traffic through it.
I get this message in the logs:
3 August 5, 2014 22:38:52 81.111.111.156 82.222.222.38 Refuse the Protocol entering 50 CBC outdoor: 81.111.111.156 outside dst: 82.222.222.38 SITE has (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156Pointers would be good because it's the first time I tried this. Thank you.
Running config below:
ciscoasa hostname
activate 8Ry2YjIyt7RRXU24 encrypted password
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Description Internet Zen
nameif outside
security-level 0
Customer vpdn group PPPoE Zen
82.222.222.38 255.255.255.255 IP address pppoe setroute
!
boot system Disk0: / asa922 - k8.bin
passive FTP mode
DNS lookup field inside
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 8.8.8.8
network obj_any object
subnet 0.0.0.0 0.0.0.0
the object of MY - LAN network
subnet 192.168.1.0 255.255.255.0
the object of THIER-LAN network
192.168.30.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.30.0_24 object
192.168.30.0 subnet 255.255.255.0
network of the THIER_VPN object
Home 81.111.111.156
THIER VPN description
service of the Sophos_Admin object
Service tcp destination eq 4444
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-protocol esp
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-protocol esp
object-group service DM_INLINE_SERVICE_1
ICMP service object
area of service-object udp destination eq
service-object, object Sophos_Admin
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
ESP service object
object-group service DM_INLINE_SERVICE_2
ICMP service object
service-object, object Sophos_Admin
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_3
the purpose of the ip service
ESP service object
response to echo icmp service object
object-group service DM_INLINE_SERVICE_4
service-object, object Sophos_Admin
the purpose of the echo icmp message service
response to echo icmp service object
outside_cryptomap list extended access allow object-group DM_INLINE_PROTOCOL_3 MY - LAN LAN THIER object object
outside_cryptomap_1 list extended access allow object-group DM_INLINE_PROTOCOL_2 MY - LAN LAN THIER object object
inside_cryptomap list extended access allow THIER-LAN MY - LAN object object DM_INLINE_PROTOCOL_1 object-group
outside_access_out list extended access allowed object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
outside_access_out list extended access allow DM_INLINE_SERVICE_1 of object-group a
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
inside_access_out list extended access allow object-group DM_INLINE_SERVICE_4 MY - LAN LAN THIER object object
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 722.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Access-group interface inside inside_access_out
Access-group outside_access_in in interface outside
Access-group outside_access_out outside interface
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 81.111.111.156
card crypto outside_map 1 set transform-set ESP-AES-128-SHA ikev1
outside_map map 1 set ikev2 proposal ipsec crypto AES
card crypto outside_map 2 match address outside_cryptomap_1
card crypto outside_map 2 set pfs
peer set card crypto outside_map 2 81.111.111.156
card crypto outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 2 set AES AES192 AES256 3DES ipsec-proposal ikev2
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2
FRP sha
second life 7800
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 7800
Telnet timeout 5
SSH enable ibou
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 30
SSH version 2
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN group Zen request dialout pppoe
VPDN group Zen localname [email protected] / * /
VPDN group Zen ppp authentication chap
VPDN username [email protected] / * / password * local storedhcpd outside auto_config
!
dhcpd address 192.168.1.5 - 192.168.1.36 inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
enable dynamic filters updater-customer
use of data Dynamics-based filters
smart filters enable external interface
interface of blacklist of decline in dynamic filters outside
WebVPN
AnyConnect essentials
internal GroupPolicy_81.111.111.156 group strategy
attributes of Group Policy GroupPolicy_81.111.111.156
Ikev1 VPN-tunnel-Protocol
JsE9Hv42G/zRUcG4 admin password user name encrypted privilege 15
username bob lTKS32e90Yo5l2L password / encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 General-attributes
Group - default policy - GroupPolicy_81.111.111.156
IPSec-attributes tunnel-group 81.111.111.156
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the dns dynamic-filter-snoop preset_dns_map
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
HPM topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa #.Hello
Watching your sh crypto ipsec output... I can see packets are getting wrapped... average packets out of the peer 88.222.222.38 network and I do not see the package back from the site of the UTM 81.111.111.156 at the ASA... This means that the UTM Firewall either don't know the package or not able to get the return package... Exchange of routing is there... but you need to check LAN to another counterpart of site...
Please check the card encryption (it must match on both ends), NAT (exemption should be there @ both ends) and referral to the ends of the LAN...
I suggest you try with the crypto wthout specific port card... say source LAN to LAN with any port destination...
allow cryptomap to access extended list ip
Concerning
Knockaert
Concerning
Knockaert
-
VPN site-to-site between ASA 5505 and 2911
Hi all
I'm trying to setup VPN S2S. A.a.a.a of ip for the router 2911 office, remote office ASA 5505 8.4 (3) with ip b.b.b.b, but no luck.
2911 config:
!
version 15.2
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 2911
!
boot-start-marker
Boot system flash c2900-universalk9-mz. Spa. 152 - 2.T.bin
boot-end-marker
!
!
Min-length 10 Security passwords
logging buffered 51200 warnings
!
No aaa new-model
!
!
min-threshold queue spd IPv6 62
Max-threshold queue spd IPv6 63
No ipv6 cef
the 5 IP auth-proxy max-login-attempts
max-login-attempts of the IP 5 admission
!
!
!
DHCP excluded-address IP 192.168.10.1 192.168.10.99
DHCP excluded-address IP 192.168.22.1 192.168.22.99
DHCP excluded-address IP 192.168.33.1 192.168.33.99
DHCP excluded-address IP 192.168.44.1 192.168.44.99
DHCP excluded-address IP 192.168.55.1 192.168.55.99
192.168.10.240 IP dhcp excluded-address 192.168.10.254
DHCP excluded-address IP 192.168.22.240 192.168.22.254
DHCP excluded-address IP 192.168.33.240 192.168.33.254
DHCP excluded-address IP 192.168.44.240 192.168.44.254
DHCP excluded-address IP 192.168.55.240 192.168.55.254
!
desktop IP dhcp pool
import all
network 192.168.33.0 255.255.255.0
router by default - 192.168.33.254
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
wi - fi IP dhcp pool
import all
network 192.168.44.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.44.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
DMZ IP dhcp pool
import all
network 192.168.55.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.55.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
IP dhcp pool voip
import all
network 192.168.22.0 255.255.255.0
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
router by default - 192.168.22.254
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
IP dhcp pool servers
import all
network 192.168.10.0 255.255.255.0
default router 192.168.10.254
192.168.10.10 DNS server 202.50.246.41 202.50.246.42
local domain name
-192.168.10.10 NetBIOS name server
h-node NetBIOS node type
!
!
IP domain name of domain
name-server IP 192.168.10.10
IP cef
connection-for block 180 tent 3-180
Timeout 10
VLAN ifdescr detail
!
Authenticated MultiLink bundle-name Panel
!
!
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-3956567439
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 3956567439
revocation checking no
rsakeypair TP-self-signed-3956567439
!
!
TP-self-signed-3956567439 crypto pki certificate chain
certificate self-signed 01 nvram:IOS - Self-Sig #1.cer
license udi pid sn CISCO2911/K9
!
!
the FULL_NET object-group network
full range of the network Description
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
object-group network limited
description without servers and router network
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
VTP version 2
password username admin privilege 0 password 7
!
redundancy
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 10
BA aes 256
sha512 hash
preshared authentication
ISAKMP crypto key admin address b.b.b.b
invalid-spi-recovery crypto ISAKMP
!
!
Crypto ipsec transform-set esp - aes esp-sha-hmac SET
!
!
!
10 map ipsec-isakmp crypto map
the value of b.b.b.b peer
Set transform-set
match address 160
!
!
!
!
!
Interface Port - Channel 1
no ip address
waiting-150 to
!
Interface Port - channel1.1
encapsulation dot1Q 1 native
IP 192.168.11.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.10
encapsulation dot1Q 10
IP address 192.168.10.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.22
encapsulation dot1Q 22
IP 192.168.22.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.33
encapsulation dot1Q 33
IP 192.168.33.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.44
encapsulation dot1Q 44
IP 192.168.44.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
Interface Port - channel1.55
encapsulation dot1Q 55
IP 192.168.55.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE $ 0/0
no ip address
Shutdown
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
no ip address
automatic duplex
automatic speed
channel-group 1
!
interface GigabitEthernet0/2
Description $ES_LAN$
no ip address
automatic duplex
automatic speed
channel-group 1
!
interface GigabitEthernet0/0/0
IP address a.a.a.a 255.255.255.224
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
crypto map
!
IP forward-Protocol ND
!
no ip address of the http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
overload of IP nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0
IP nat inside source udp 500 interface GigabitEthernet0/0/0 500 a.a.a.a static
IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
NAT_INTERNET extended IP access list
refuse the object-group ip FULL_NET 192.168.17.0 0.0.0.255
refuse the object-group ip FULL_NET 192.168.1.0 0.0.0.255
permit ip FULL_NET object-group everything
!
access-list 1 permit 192.168.44.100
access-list 23 allow 192.168.10.7
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
control plan
!
!
!
Line con 0
password password 7
opening of session
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
access-class 23 in
privilege level 15
local connection
entry ssh transport
line vty 5 15
access-class 23 in
privilege level 15
local connection
entry ssh transport
!
Scheduler allocate 20000 1000
!
end
The ASA config:
: Saved : ASA Version 8.4(3) ! hostname C domain-name domain enable password password encrypted passwd passwd encrypted names ! interface Ethernet0/0 ! interface Ethernet0/1 shutdown ! interface Ethernet0/2 shutdown ! interface Ethernet0/3 shutdown ! interface Ethernet0/4 shutdown ! interface Ethernet0/5 switchport access vlan 100 ! interface Ethernet0/6 switchport trunk allowed vlan 2,6 switchport mode trunk ! interface Ethernet0/7 shutdown ! interface Vlan1 description INTERNET mac-address 1234.5678.0001 nameif WAN security-level 0 ip address b.b.b.b 255.255.255.248 standby c.c.c.c ospf cost 10 ! interface Vlan2 description OLD-PRIVATE mac-address 1234.5678.0102 nameif OLD-Private security-level 100 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3 ospf cost 10 ! interface Vlan6 description MANAGEMENT mac-address 1234.5678.0106 nameif Management security-level 100 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3 ospf cost 10 ! interface Vlan100 description LAN Failover Interface ! boot system disk0:/asa843-k8.bin ftp mode passive clock timezone NZST 12 clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00 dns domain-lookup WAN dns server-group DefaultDNS name-server 208.67.222.222 domain-name domain same-security-traffic permit intra-interface object network obj-192.168.17.0 subnet 192.168.17.0 255.255.255.0 object network obj-192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.9.0 subnet 192.168.9.0 255.255.255.0 object network obj-192.168.33.0 subnet 192.168.33.0 255.255.255.0 object network obj-192.168.44.0 subnet 192.168.44.0 255.255.255.0 object network obj_any object network obj_any-01 object network NETWORK_OBJ_192.168.10.0_24 subnet 192.168.10.0 255.255.255.0 object network NETWORK_OBJ_192.168.17.0_24 subnet 192.168.17.0 255.255.255.0 object network subnet-00 subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service RDP tcp description RDP port-object eq 3389 object-group network DM_INLINE_NETWORK_1 network-object 192.168.17.0 255.255.255.0 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network DM_INLINE_NETWORK_2 network-object 192.168.10.0 255.255.255.0 network-object 192.168.33.0 255.255.255.0 network-object 192.168.44.0 255.255.255.0 object-group network subnet-17 network-object 192.168.17.0 255.255.255.0 object-group network subnet-2 network-object 192.168.2.0 255.255.255.0 object-group network subnet-9 network-object 192.168.9.0 255.255.255.0 object-group network subnet-10 network-object 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP standard permit 192.168.17.0 255.255.255.0 access-list WAN_access_in extended permit ip any any log debugging access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging access-list WAN_access_in extended permit icmp x.x.x.x 255.255.255.248 192.168.10.0 255.255.255.0 access-list MANAGEMENT_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit ip any any log debugging access-list OLD-PRIVATE_access_in extended permit icmp any object-group DM_INLINE_NETWORK_1 access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list CiscoVPNClient_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0 access-list LAN_access_in extended permit ip any any log debugging access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0 access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging enable logging buffer-size 52000 logging monitor informational logging trap informational logging asdm informational logging from-address syslog logging recipient-address admin level errors logging host OLD-Private 192.168.17.110 format emblem logging debug-trace logging permit-hostdown mtu WAN 1500 mtu OLD-Private 1500 mtu Management 1500 ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0 ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0 failover failover lan unit primary failover lan interface failover Vlan100 failover polltime interface 15 holdtime 75 failover key ***** failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2 icmp unreachable rate-limit 1 burst-size 1 icmp permit 192.168.10.0 255.255.255.0 WAN icmp permit host x.x.x.x WAN icmp permit 192.168.17.0 255.255.255.0 WAN icmp permit host c.c.c.c WAN icmp permit host a.a.a.a WAN icmp deny any WAN icmp permit 192.168.10.0 255.255.255.0 OLD-Private icmp permit 192.168.17.0 255.255.255.0 OLD-Private icmp permit host a.a.a.a OLD-Private icmp permit host 192.168.10.0 Management icmp permit host 192.168.17.138 Management icmp permit 192.168.1.0 255.255.255.0 Management icmp permit host 192.168.1.26 Management icmp permit host a.a.a.a Management asdm image disk0:/asdm-647.bin no asdm history enable arp timeout 14400 nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-10 subnet-10 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-2 subnet-2 no-proxy-arp nat (OLD-Private,any) source static subnet-17 subnet-17 destination static subnet-9 subnet-9 no-proxy-arp nat (Management,WAN) source static NETWORK_OBJ_192.168.17.0_24 NETWORK_OBJ_192.168.17.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup ! object network subnet-00 nat (OLD-Private,WAN) dynamic interface access-group WAN_access_in in interface WAN access-group OLD-PRIVATE_access_in in interface OLD-Private access-group MANAGEMENT_access_in in interface Management route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa local authentication attempts max-fail 10 http server enable http b.b.b.b 255.255.255.255 WAN http 0.0.0.0 0.0.0.0 WAN no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart service resetoutside crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac crypto map WAN_map 1 match address WAN_1_cryptomap crypto map WAN_map 1 set pfs crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Office 2 match address WAN_1_cryptomap crypto map Office 2 set peer a.a.a.a crypto map Office interface WAN crypto map MAP 10 set peer a.a.a.a crypto map MAP 10 set ikev1 transform-set OFFICE crypto ikev2 enable WAN crypto ikev1 enable WAN crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption des hash sha group 1 lifetime 86400 telnet timeout 5 ssh a.a.a.a 255.255.255.255 WAN ssh timeout 30 ssh version 2 console timeout 0 dhcpd auto_config OLD-Private ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 129.6.15.28 source WAN prefer webvpn group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 ssl-client ssl-clientless group-policy admin internal group-policy admin attributes dns-server value 208.67.222.222 156.154.70.1 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_a.a.a.a internal group-policy GroupPolicy_a.a.a.a attributes vpn-tunnel-protocol ikev1 ikev2 group-policy CiscoVPNClient internal group-policy CiscoVPNClient attributes vpn-idle-timeout 30 vpn-session-timeout none vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value CiscoVPNClient_splitTunnelAcl username admin password password encrypted privilege 15 tunnel-group admin type remote-access tunnel-group admin general-attributes address-pool vpnclient authorization-server-group LOCAL default-group-policy admin tunnel-group a.a.a.a type ipsec-l2l tunnel-group a.a.a.a general-attributes default-group-policy GroupPolicy_a.a.a.a tunnel-group a.a.a.a ipsec-attributes ikev1 pre-shared-key ***** ikev2 remote-authentication pre-shared-key ***** ikev2 local-authentication pre-shared-key ***** tunnel-group CiscoVPNClient type remote-access tunnel-group CiscoVPNClient general-attributes address-pool vpnclient default-group-policy CiscoVPNClient tunnel-group CiscoVPNClient ipsec-attributes ikev1 pre-shared-key ***** ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global smtp-server 192.168.17.10 prompt hostname context no call-home reporting anonymous call-home contact-email-addr admin contact-name admin profile CiscoTAC-1 no active : end asdm image disk0:/asdm-647.bin asdm location c.c.c.c 255.255.255.255 WAN asdm location 192.168.17.2 255.255.255.255 WAN asdm location a.a.a.a 255.255.255.255 OLD-Private no asdm history enable
ASA:
# show crypto ipsec his
There is no ipsec security associations
# show crypto isakmp his
There are no SAs IKEv1
There are no SAs IKEv2
2911:
#show crypto ipsec his
Interface: GigabitEthernet0/0/0
Tag crypto map: map, addr a.a.a.a local
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.17.0/255.255.255.0/0/0)
current_peer b.b.b.b port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors of #send 4, #recv errors 0
local crypto endpt. : a.a.a.a, remote Start crypto. : b.b.b.b
Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0/0
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
-Other - arrival ah sas:
-More-
-More - CFP sas on arrival:
-More-
-More - outgoing esp sas:
-More-
-More - out ah sas:
-More-
-More - out CFP sas:
Thanks for your time,
Nick
Please add
map Office 2 set transform-set OFFICE ikev1 crypto
If it is not helpful, please enable debug crypto ipsec 255 and paste here.
HTH. Please rate if it was helpful. "Correct answer" will be also pleasant.
Maybe you are looking for
-
Does anyone know if I can get a face somewhere for my Apple Watch who has time Digial seconds? I work in health care and it would be so much easier if I can use a digital face.
-
I have a HP Pavilion p028TX 15 NB PC all unable will ask for power on password for windows. He said disabled system 55541760 after 3 failed attempts. Help, please!
-
HP Envy 4504e: HP Envy 4504e - stuck now @ impression.
Hello I have a HP Envy 4504e that is stuck at "Now Printing". I went through the support of self-service on the withdrawal of the cartridges, pull the power for more than 60 seconds, turn back on etc, but nothing helped. I can't print from Android u
-
Hi hope you can help. my hp Pavilion g6 no sound at all, in the taskbar there is an x on the sound, after going through a few basic tests the message I get is windows cannot verify the digital signature for the drivers indicating the code 52 and also
-
problems printing and diagnosis
Photosmart 6520 works and gives the following problem: Does not print a document of more than one and a half pages without error message saying that the printer cannot print the job. In fact, the error message is displayed even when successfully prin