License problem of security context for Cisco ASA 5585

Hello

Can someone help me in license number for the ASA 5585 security environment,

We recently purchased a box ASA (5585) which has 2 default security context and we had like to have context for this ASA 25 permit and we got two codes PAK of Cisco for 20 licenses and 5 respectively.

When we generate the license key by combining the two codes Portal Cisco PAK and apply the same on ASA, do not see the 25; Instead, it shows only 20.

Is it really possible to stack context like 20 + 5 licenses or to buy a PAK code for any license 25 context?

Please advise me on this.

Thanks in advance!

Kind regards

Kam

Hello

This should probably not be handled with Cisco directly or through the company that got you the license.

To my knowledge, there is a possibility that the you have everything first to install a license key and the other licence could be upgraded from the previous license until the following limit of function under license.

I had several occasions where I was provided with the wrong license and had to communicate with Cisco/provider to get licenses appropriate for my device.

While I was announcing this response I checked the document of licensing for ASA models. It seems to me that there is no security content license 25 for the SAA. The deadline is 20 and license of SC 50 SC

Check this document:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/intro_license.html#wp1230400

-Jouni

Tags: Cisco Security

Similar Questions

It is recommended to have a vulnerability for Cisco ASA device scan.

Dear everybody.

I have a doubt about the analysis of vulnerabilities for Cisco ASA device. Currently we have a vulnerability to network devices include firewalls. But after race for cisco ASA vulnerability scanning, found nothing in the analysis report.

Is it is recommended to have a Cisco ASA vulnerability scanning and it will defeat the purpose of the firewall?

I do not understand you ask you can set the ASA to allow an external user, run an analysis on the internal network?

If so the answer is generally no. The ASA, by default, not allow incoming connections (or attempts of connections) that are not explicitly allowed in a list of inbound access (applied to the external interface). In most cases there should also be (NAT) network address translation rules configured.

If you had a remote access VPN, you can allow external scanner to connect through that, then they would have the necessary access to analyze internal systems (assuming that allowed VPN access to all internal networks)

Cisco asa 5585 syslog options for ips?

We have CISCO ASA 5585 with a separate module for the IPS, I want to know what are the options for configuring syslog? Its almost impossible to find; and there are some forums on the internet that says cisco ips store the logs in native format / owner and cannot be exported.

Please provide details

Thank you.

Click on the following link

https://supportforums.Cisco.com/document/47881/SDEE-and-IPS

ASA 5510 w / license more lost security contexts

I have an ASA 5510 with license more than security and when I looked the devices a few days ago, I had 2 contexts, however after you have configured the port of Mgm as a regular port contexts show 0, why? I can't find anywhere on the internet where this problem occurred: this is the result of show worm:

Cisco Adaptive Security Appliance Software Version 7.0 (8)

Updated Sunday, 31 May 08 23:48 by manufacturers

System image file is "disk0: / asa708 - k8.bin.

The configuration file to the startup was "startup-config '.

SHIELDASA01 up to 21 hours 16 minutes

Material: ASA5510, 256 MB of RAM, processor Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256 MB

BIOS Flash M50FW080 @ 0xffe00000, 1024 KB

Hardware encryption device: edge Cisco ASA - 55 x 0 Accelerator (revision 0 x 0)

Start firmware: CNlite-MC-Boot-Cisco - 1.2

SSL/IKE firmware: CNlite-MC-IPSEC-Admin - 3.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.05

0: Ext: Ethernet0/0: the address is 0021.a025.2d3c, irq 9

1: Ext: Ethernet0/1: the address is 0021.a025.2d3d, irq 9

2: Ext: Ethernet0/2: the address is 0021.a025.2d3e, irq 9

3: Ext: Ethernet0/3: the address is 0021.a025.2d3f, irq 9

4: Ext: Management0/0: the address is 0021.a025.2d3b, irq 11

5: Int: not used: irq 11

6: Int: not used: irq 5

The devices allowed for this platform:

The maximum physical Interfaces: unlimited

VLAN maximum: 25

Internal hosts: unlimited

Failover: Active / standby

VPN - A: enabled

VPN-3DES-AES: enabled

Security contexts: 0

GTP/GPRS: disabled

VPN peers: 150

This platform includes an ASA 5510 Security Plus license.

I'm not showing the serial number and keys licese for obivious reasons. Any help? Thanks in advance.

You might want to try upgrading your IOS on the SAA, see if it can help, can you check the firewall mode (single or multiple) you're currently on? is your asa transparant or routed?

AnyConnect VPN for Cisco ASA 5505 refused connections

I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:

interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable

group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn

policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!

When I try to connect, I get this error in the real-time log viewer:

TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

Here are the details of the license:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Can someone tell me what I am doing wrong or what access list I'm missing?

I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

Hi Matt,

You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

WebVPN

tunnel-group-list activate

Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

HTH

Herbert

Documentation for cisco asa ipsec l2tp / windows 7

Hello

I need to configure a few cisco asa 5510's for remote access VPN using l2tp ipsec. One of the requirements is that no additional vpn clients to connect. We only use the client included in Windows 7 x 86. Is there documentation on configuration of this device or a clear statement by saying that it is not taken in charge or possible yet?

Thank you

m.

Hey well at least on the errors of phase 1 more.

ASA is basically saying that's not the choice of the proposal.

Here's what is configured...
-------

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

-------

Here is what is proped:

-----

(1) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_AES

Encapsulation mode: the UDP Transport
Key length: 128
Authentication algorithm: SHA1

(2) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_3DES

Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1

(3) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_DES

Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1

------------------

Please also visit:

https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

I see that you have 1 default set PFS is 0.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2193372

NAT-traversal missing?

https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html#wp1046219

Can someone give me details and difficulty regarding the vulnerability of traumatic psychosis for Cisco ASA version 5?

We have experienced frm, our compliance team that we run in traumatic psychosis wanted vulnerabity so know the fix and document...

Hi James,

We have a PSIRT filed regarding the vulnerability of traumatic psychosis, please see details below:

CSCur00511 Evaluation of the ACS for CVE-2014-6271 and CVE-2014-7169

https://Tools.Cisco.com/bugsearch/bug/CSCur00511/?reffering_site=dumpcr

Here is the information of fixed code to various versions:

Fixed code:
Patch for CSCur00511 of the DDT is ready and available on CCO.
The patch is included in all update rollups version 5.4.0.46.7/5.5.0.46.6/5.6.0.22.1 and later. We recommend that you download the latest cumulative patches.

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.4 / 5.4.0.46.0

Patch file name: 5-4-0-46 -.tar.gpg
Read me and displays instructions: Acs-5-4-0-46--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.5 / 5.5.0.46

Patch file name: 5-5-0-46 -.tar.gpg
Read me and displays instructions: Acs-5-5-0-46--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.6 / 5.6.0.22

Patch file name: 5-6-0-22 -.tar.gpg
Read me and displays instructions: Acs-5-6-0-22--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.3 / 5.3.0.40

Patch file name: 5-3-0-40 -.tar.gpg
Read me and displays instructions: Acs-53 - Readme.txt

Kind regards

Tushar Bénard

Please evaluate the post if you find it useful!

Updates for Cisco ASA

What are the steps to enable to Qualys do a scan an ASA5505 IDS/IPS?

What are the steps to apply the update on an ASA5505 during the "Cisco PIX invalid TCP Checksum back vulnerability"?

What the patch for CVE-2014-8730?

You ASA has no IPS module, so there is no need to do something special to enable a scan from Qualys IDS/IPS.

Your ASA software is very old - like 8-1/2 years. The currently recommended for this model version is 9.1 (7).

You must first upgrade to 8.4 (6) then to 9.1 (7). This is stated in the Release Notes which have a link to a detailed guide.

SMARTnet support for a single ASA 5505 is only US $71 for a year. This material includes software and support of TAC. Part number "CON-SNT-AS5K8" applies and can be purchased by any authorized Cisco distributor or partner.

Problems after security update for Windows 7

Recently, my security software - microsoft Windows 7 security, conducted a download and install. After the installation, I'm not able to use the features of Windows 7. My GFxUI does not work, my media center does not work, the computer is a mess. I did a restore of the system without success. Why does this work? That's happened and how the problems can be repaired without having to reinstall again?

Hello

Method 1:

You can consult in this regard of the installed update is causing the problem by removing the updates and install them one at a time. To check the updates are installed to follow the link given below.

http://Windows.Microsoft.com/en-us/Windows7/see-which-Windows-updates-are-installed

Method 2:

Alternatively, you can check if this is as a result of the third-party application installed on your computer. To identify the program that is causing the issue configures your computer to clean boot. To configure the boot of the computer follow the link below.

How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7

http://support.Microsoft.com/kb/929135

Note: When you are finished troubleshooting, follow step 7 article to start on normal startup.

Hope this information is useful.

Amrita M

Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think.

How to set up the ASDM/HTTP access for Cisco ASA firewall

Hi all

I am looking for a solution / guide that will allow our ASA 5510, V8.4 (5) Firewall, ASDM version 6.4 (9) to help users Active Directory. I want to activate our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exist but not a password of General knowledge)

Anyone would be abe to advise on a guide / Solution.

Thank you very much

If that you issue correctly you want active tpo AD authention for AMPS/HTTP access to the ASA. If it is correct that you have need of the following using the CLI to enable that command

ASA-32-22 (config) # aaa authentication http console?

set up the mode commands/options:

LOCAL server predefined Protocol AAA 'local' tag

Name WORD of RADIUS or GANYMEDE + aaa-server for the administrative group

authentication

After the console you needd to defind the name of the AD server you have configured on the SAA.

You can do the same thing by using ASDM:

Change LOCAL to the announcement that there are listed.

I hope that answers your question.

Thank you

Jeet Kumar

Firewall high availability cisco asa can be divided into stand-alone license

I have two ASA5545-X with HA/active license and now my client has changed the designated and wants to divide these into stand-alone firewall. How will this affect the license? Y at - it no problem with that, or they will be able to run just fine as standalone firewall?

Thank you

Howard

Hello

To my knowledge if the client has obtained the ASA5545-x firewall initially with identical licenses it should be no problem using them separately.

Because your customer is currently using Active/active failover, this already means that firewalls are in multiple context mode. In turn, this means that he or she was not able to use all the VPN features licensed on the ASA pair and therefore received no VPN license on each unit.

So it seems to me that, given the information you have so much that there should be no problem using the firewall separately.

The single license related thing I can think of at the moment, it is that if you want to keep them in multiple context mode and only acquired license of security context for the other.

-Jouni

Cisco ASA 5505 VPN L2TP cannot access the internal network

Hello

I'm trying to configure Cisco VPN L2TP to my office. After a successful login, I can't access the internal network.

Can you jhelp me to find the problem?

I have Cisco ASA:

within the network - 192.168.1.0

VPN - 192.168.168.0 network

I have the router to 192.168.1.2 and I cannot ping or access this router.

Here is my config:

ASA Version 8.4 (3)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 198.X.X.A 255.255.255.248

!

passive FTP mode

permit same-security-traffic intra-interface

the net-all purpose network

subnet 0.0.0.0 0.0.0.0

network vpn_local object

192.168.168.0 subnet 255.255.255.0

network inside_nw object

subnet 192.168.1.0 255.255.255.0

outside_access_in list extended access permit icmp any any echo response

outside_access_in list extended access deny ip any any newspaper

pager lines 24

Enable logging

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

IP local pool sales_addresses 192.168.168.1 - 192.168.168.254

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT dynamic interface of net-all source (indoor, outdoor)

NAT (inside, outside) source inside_nw destination inside_nw static static vpn_local vpn_local

NAT (exterior, Interior) source vpn_local destination vpn_local static static inside_nw inside_nw-route search

!

network vpn_local object

dynamic NAT interface (outdoors, outdoor)

network inside_nw object

NAT dynamic interface (indoor, outdoor)

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 198.X.X.B 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

AAA authentication enable LOCAL console

the ssh LOCAL console AAA authentication

AAA authentication http LOCAL console

Enable http server

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

IKEv1 crypto ipsec transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac

transport in transform-set my-transform-set-ikev1 ikev1 crypto ipsec mode

Crypto-map Dynamics dyno 10 set transform-set my-transformation-set-ikev1 ikev1

card crypto 20-isakmp ipsec vpn Dynamics dyno

vpn outside crypto map interface

Crypto isakmp nat-traversal 3600

Crypto ikev1 allow outside

IKEv1 crypto policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 192.168.1.0 255.255.255.0 inside

SSH timeout 30

Console timeout 0

management-access inside

dhcpd address 192.168.1.5 - 192.168.1.132 inside

dhcpd dns 75.75.75.75 76.76.76.76 interface inside

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal sales_policy group policy

attributes of the strategy of group sales_policy

Server DNS 75.75.75.75 value 76.76.76.76

Protocol-tunnel-VPN l2tp ipsec

user name-

user name-

attributes global-tunnel-group DefaultRAGroup

address sales_addresses pool

Group Policy - by default-sales_policy

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

tunnel-group DefaultRAGroup ppp-attributes

ms-chap-v2 authentication

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

Review the ip options

!

global service-policy global_policy

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13

: end

Thanks for your help.

You must test with 'real' traffic on 192.168.1.2 and if you use ping, you must add icmp-inspection:

Policy-map global_policy

class inspection_default

inspect the icmp

--

Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Cisco asa 5505 and centos VPN server connection

Hi all

Please I want to set up a VPN between Cisco asa 5505 and centos server.

Here's my senerio

-------------------------

ASA 5505

Public IP 155.155.155.2

Local NETWORK: 192.168.6.X

CentOS Server

------------------

Public ip address: 155.155.155.6

Thank you guys

Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

If the remote access, here are the sample configuration:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

Cisco VPN problem with security update KB3057839 for Vista

Someone had problems with any connection Cisco VPN works after the installation of update of security KB3057839 for Vista? When this update is installed, the pop-up to enter the password and user id not come, need to use the Task Manager to close the program. The first time I went back to the restore point to get my VPN to work, this time I tried to reinstall the VPN but that doesn't work anymore. I started to uninstall updates (had 7 of them), when I got to it, KB3057839, the VPN began working again.

Mike

See this on the real issue:

http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html

It turns out that the logon dialog box is invisible, but still, it agrees to enter you your password and LOG you!

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

License problem of security context for Cisco ASA 5585

Similar Questions

Maybe you are looking for