License of IPSec Cisco ASA
Dear all,
I want to know how much maximum IPSec connection allowed in my Cisco ASA 5505.
I want to try VPN L2TP Mac and PC
TQ
The devices allowed for this platform:
The maximum physical Interfaces: 8 perpetual
VLAN: 20 unrestricted DMZ
Double ISP: Activated perpetual
VLAN Trunk Ports: 8 perpetual
Guests of the Interior: perpetual unlimited
Failover: Active / standby perpetual
Encryption - A: enabled perpetual
AES-3DES-Encryption: activated perpetual
AnyConnect Premium peer: 25 perpetual
AnyConnect Essentials: 25 perpetual
Counterparts in other VPNS: 25 perpetual
Total VPN counterparts: 25 perpetual
Shared license: activated perpetual
AnyConnect for Mobile: activated perpetual
AnyConnect VPN phone Cisco: activated perpetual
Assessment of Advanced endpoint: activated perpetual
Proxy UC phone sessions: 24 perpetual
Proxy total UC sessions: 24 perpetual
Botnet traffic filter: activated perpetual
Intercompany Media Engine: Disabled perpetual
Cluster: Disabled perpetual
With this device you can have 25 concurrent VPN sessions, regardless of the type.
Tags: Cisco Security
Similar Questions
-
Capacity of the crypto ipsec Cisco ASA 9.1 stats system failures
Hello
I'm trying to find some performance issues on one ASA centralized and some site VPN settings. I already address bits of fragmentation and flow control which seeks to solve performance problems, but I came across something that I can't identify to understand what he said.
I can't seem to find any documentation that explains what triggers the counter for "Capacity of the system failures" on the stats command see the crypto ipsec:
crypto ipsec sho stats #.
IPsec statistics
-----------------------
The active tunnels: 41
Previous tunnels: 8999
Incoming traffic
Bytes: 8292491846127
Decompressed bytes: 8292491846127
Packages: 25115896849
Packet ignored: 1291637
Review of chess: 220
Authentications: 25114592561
Authentication failures: 0
Decryptions: 25114592564
Decryption failures: 0
TFC packages: 12836
Fragments of decapsules who need reassembly: 17418535
Invalid ICMP received errors: 0
Invalid ICMP received errors: 0
Outgoing
Bytes: 37818073925334
Uncompressed bytes: 37818837785556
Packages: 38014583887
Packet ignored: 2413164
Authentications: 38020189281
Authentication failures: 0
Encryption: 38020191839
Encryption failures: 0
TFC packets: 0
Success of fragmentation: 7763651
Fragmentation before successses: 7763651
After fragmentation success stories: 0
Fragmentation failures: 267158
The failures of previous fragmentation: 267158
Fragmentation failures after: 0
Fragments created: 15527302
PMTUs sent: 267158
PMTUs rcvd: 185
Protocol of failures: 0
Missing chess SA: 255102
Outages of capacity: 3167258Does anyone have knowledge of what this is referring to specifically?
Cheers, Dale
Hello
What is the model of the ASA you have and how many vpn sessions you get on average during peak hours?
Lack of capacity occurs when it is short of ability of the material or the use...
Concerning
Knockaert
-
licenses for a cisco ASA active/passive pair AnyConnect SSL
Hi all. I buy 2 5512 x ASAs is configured like a pair of active/passive as a VPN device. I need to purchase licenses for both devices anyconnect? Thank you
Licenses AnyConnect Essentials (or premium) are combined on a cluster failover ASA. Reference
So, buy once only the quantity and type of licenses you need based on your end users - not based on the number of ASAs - and they will be available at the ASA Active whether primary or secondary unit.
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?
(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?
(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?
(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?
Please help me.
(1) you must Smartnet in order to download the software from the download from cisco.com site.
(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.
(3) Yes, the basic license is OK for the AIP module.
(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.
Hope that answers your questions.
-
License problem of security context for Cisco ASA 5585
Hello
Can someone help me in license number for the ASA 5585 security environment,
We recently purchased a box ASA (5585) which has 2 default security context and we had like to have context for this ASA 25 permit and we got two codes PAK of Cisco for 20 licenses and 5 respectively.
When we generate the license key by combining the two codes Portal Cisco PAK and apply the same on ASA, do not see the 25; Instead, it shows only 20.
Is it really possible to stack context like 20 + 5 licenses or to buy a PAK code for any license 25 context?
Please advise me on this.
Thanks in advance!
Kind regards
Kam
Hello
This should probably not be handled with Cisco directly or through the company that got you the license.
To my knowledge, there is a possibility that the you have everything first to install a license key and the other licence could be upgraded from the previous license until the following limit of function under license.
I had several occasions where I was provided with the wrong license and had to communicate with Cisco/provider to get licenses appropriate for my device.
While I was announcing this response I checked the document of licensing for ASA models. It seems to me that there is no security content license 25 for the SAA. The deadline is 20 and license of SC 50 SC
Check this document:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/intro_license.html#wp1230400
-Jouni
-
Hi, please I need a help.
I have an IPSEC tunnel with my Cisco ASA and a PFsense Peer, VPN is to include phase 2.
But I could not send pkts on this VPN.
My internal network - 10.2.0.0/17, 172.31.2.2/32 customer network
==========================
FW - counterpart of the ipsec VPN - 01 # sho 177.154.83.34
address of the peers: 177.154.83.34
Tag crypto map: outside_map0, seq num: 4, local addr: 200.243.146.20access extensive list ip 10.2.0.0 outside_cryptomap_8 allow 255.255.128.0 host 172.31.2.2
local ident (addr, mask, prot, port): (10.2.0.0/255.255.128.0/0/0)
Remote ident (addr, mask, prot, port): (172.31.2.2/255.255.255.255/0/0)
current_peer: 177.154.83.34#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 2957, #pkts decrypt: 2957, #pkts check: 2957
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 1local crypto endpt. : 200.243.146.20/0, remote Start crypto. : 177.154.83.34/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: C1A13463
current inbound SPI: 5B6B0EABSAS of the esp on arrival:
SPI: 0x5B6B0EAB (1533742763)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 9179136, crypto-card: outside_map0
calendar of his: service life remaining key (s): 858
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xC1A13463 (3248567395)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 9179136, crypto-card: outside_map0
calendar of his: service life remaining key (s): 858
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001===========================
Entry packet - trace FW-VPN-01 # outside icmp 10.2.110.10 1 172.31.2.2 0
Phase: 1
Type:-ROUTE SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 0.0.0.0 0.0.0.0 outdoorsPhase: 2
Type: ACCESS-LIST
Subtype:
Result: DECLINE
Config:
Implicit rule
Additional information:Result:
input interface: outdoors
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: drop
Drop-reason: flow (acl-drop) is denied by the configured rule===============================
FW-VPN-01 # sho running-config | 177.154.83.34 Inc.
outside_map0 card crypto 4 peers set 177.154.83.34
internal GroupPolicy_177.154.83.34 group strategy
attributes of Group Policy GroupPolicy_177.154.83.34
tunnel-group 177.154.83.34 type ipsec-l2l
tunnel-group 177.154.83.34 general-attributes
Group - default policy - GroupPolicy_177.154.83.34
IPSec-attributes tunnel-group 177.154.83.34==============================
FW-VPN-01 # sho running-config | 172.31.2.2 Inc.
network 172.31.2.2_32 object
Home 172.31.2.2
access-list sheep extended 10.2.0.0 ip allow 255.255.128.0 host 172.31.2.2
access extensive list ip 10.2.0.0 inside_access_in allow 255.255.128.0 object 172.31.2.2_32
permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_5
permit access list extended ip object 10.2.0.0_17 object 172.31.2.2_32 outside_cryptomap_8
NAT (inside, all) source 10.2.0.0_17 destination 10.2.0.0_17 static static 172.31.2.2_32 172.31.2.2_32 non-proxy-arp-search to itineraryso you see the packets traverse your inside interface but no response back. Please check if you have a route to 172.31.2.2 host in your internal network pointing traffic to the ASA.
the package shows plotter drop because you run of out-of-in and in this case, you must specifically that traffic on the acl allow external interface. When the real traffic arrives through vpn, it checks for sysopt and then the interface access list is bypassed. but when you do a package tracer, simulated package does not in reality of vpn and therefore we have that allow outside interface acl for package tarcer to enable.
-
Documentation for cisco asa ipsec l2tp / windows 7
Hello
I need to configure a few cisco asa 5510's for remote access VPN using l2tp ipsec. One of the requirements is that no additional vpn clients to connect. We only use the client included in Windows 7 x 86. Is there documentation on configuration of this device or a clear statement by saying that it is not taken in charge or possible yet?
Thank you
m.
Hey well at least on the errors of phase 1 more.
ASA is basically saying that's not the choice of the proposal.
Here's what is configured...
-------crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5-------
Here is what is proped:
-----
(1) proposal payload
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_AES
Encapsulation mode: the UDP Transport
Key length: 128
Authentication algorithm: SHA1(2) proposal payload
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_3DES
Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1(3) proposal payload
Protocol-Id: PROTO_IPSEC_ESP
Transform-Id: ESP_DES
Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1------------------
Please also visit:
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html
I see that you have 1 default set PFS is 0.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2193372
NAT-traversal missing?
https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html#wp1046219
-
Cisco ASA - l2l IPSEC tunnel two dynamic hosts
Hello
I have two firewall Cisco ASA an i want to made a l2l between two ipsec tunnel, the problem is that both parties have a dynamic IP, on both sides I have configured dyndns, can I did an ipsec tunnel using dyndns name such as address peer?
Hello
ASA supports only the RFC compliant method for updates used with dynamic DNS, not updates HTTP, such as dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcrOn ASA, it is not possible to configure the tunnel between two dynamic peers.
You will need to have a static end to configure static to dynamic IP.For routers, you can follow this link.
I hope this helps.Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
IPSec vpn cisco asa and acs 5.1
We have configured authentication ipsec vpn cisco asa acs 5.1:
Here is the config in cisco vpn 5580:
standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123
GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.
When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get
error:
22040 wrong password or invalid shared secret
(pls see picture to attach it)
the system still works, but I don't know why, we get the error log.
Thanks for any help you can provide!
Duyen
Hello Duyen,
I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.
Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.
Please remove the authorization under the Tunnel of Group:
No authorization-server-group Gserver
Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.
Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.
I hope this helps.
Kind regards.
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
To activate SSL license on cisco ASA
Hello
I ordered ASA with 50 ssl licneses.
But due to the avialibilty of the product it shipping for me.
I was delivered with the ASA with basic license is to say ASA - Bun - like SSL license K8.Then will take some time I was given a temporary license/activation key.
Can someone let me know how to enable these licenses to begin work on SSL. My camera isn't in production right now.
I will get permanent license in 3-4 weeks and still once I need it at this time here for the new license.
Hope that the procedure would be more or less the same.
Please guide.
Reg,
Sushil
Sushil
Check out this doc and come back if you have any other questions.
Jon
-
Dear team,
I have a Cisco asa firewall, I would enable remote vpn (ssl vpn or customer).
Please check the joint view version and suggest which are missing or need to enable them.
Therefore, I will obtain concrete results and enable VPN.
concerning
SecIT
With the license and the software version you have, you can only run the existing IPsec VPN client.
To run AnyConnect SSL VPN client-based, you must acquire a license AnyConnect Essentials. For your platform that would be L-ASA-AC-E -5550=. (Clientless SSL VPN would be a different reference number.)
I also suggest upgrading your system beyond 8.2 software (2) the current recommended release would be 9.0 (3). (9.1 (5) is the last on the 5550.)
-
AnyConnect VPN for Cisco ASA 5505 refused connections
I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:
interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any anyaccess-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outsidewebvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enablegroup-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpnpolicy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!When I try to connect, I get this error in the real-time log viewer:
TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
Here are the details of the license:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : DisabledThis platform has a Base license.
Can someone tell me what I am doing wrong or what access list I'm missing?
I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.
Hi Matt,
You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:
WebVPN
tunnel-group-list activate
Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.
HTH
Herbert
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
Cisco asa geo blocking.
Is there a way by which we can block all connections from a country on Cisco ASA, without us manually define an ACL.
Hardware Cisco ASA5510-
-Version 9.0
N °
This kind of functionality is available in newer models (ASA 5500 - X series) when you add modules of services of firepower with their associated licenses.
They can download and automatically update a database of geolocation you can use in your access policy.
Maybe you are looking for
-
The parallel model configuration help
This is my first time posting, but I'm a long time reader... First of all, I consider my knowledge novice Teststand high to low intermidiate level. I created a sequence test to aid in Teststand that call labview vi. My test sequence tests 5 units at
-
Does not work! Help, please!
OK well I was downloading an update, then my lil brother unplugged. Now, it won't turn even if I charge it for 12 hours! I tried the second 15 reset thing did not work, and when I plugged it into the wall instead of the computer (when connected to th
-
The HP OfficeJet Pro 8600 does support e-print? I am running Win 7 Pro 64-bit
Can you please tell me: the HP OfficeJet Pro 8600 does support e-print? I can't find or generate or figure out how to create an e-mail address for this printer. Thank you.
-
How to install fonts in Windows 7?
Original title: hidden file Let me start by saying that (1) I Folderoptions/view/files n hidden folders CHECKED (2) Hide protected files from the op system not CHECKED (3) I have administrator privileges. (4) operating system is windows7 Now, there i
-
I get an error code 10 when using the network card.
Hello When you use my internet dongle all my ports usb stopped working. cards network is to come up with and error 10 code. I uninstalled the adapter and re installed however it is always delivered with the same code. If I try to update it says I'm u