Monitor IPS Cisco ASA

Hello

I have configured the IPS in my ASA 5520, but I can't find my IPS is working or not. The only thing I can see CPU usage in IDM. Can you help me please how I can view the IPS module activity? I have installed IDM & ASDM in my PC.

Thank you.

Concerning

Mauduit

Please check the Inspection by IDM or IPS CLI (see the virtual sensor stats).

Using the "show stats-sensor virtual", it also shows, the number of packets is processed, what signatures are updated with fire, etc..

Kind regards

Sawan Gupta

Tags: Cisco Security

Similar Questions

Environmental monitoring of Cisco ASA

Hello, we have an ASA5510 I think about overheating, as fans regularly turn up to the maximum speed for about 10 minutes.

Is there a way to display the parameters of the environmental on the SAA as the 'show environment' command on a router?

Concerning

http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=firewalling&TopicId=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc1eba4

Cisco asa 5585 syslog options for ips?

We have CISCO ASA 5585 with a separate module for the IPS, I want to know what are the options for configuring syslog? Its almost impossible to find; and there are some forums on the internet that says cisco ips store the logs in native format / owner and cannot be exported.

Please provide details

Thank you.

Click on the following link

https://supportforums.Cisco.com/document/47881/SDEE-and-IPS

The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)

Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?

Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.

Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

Here is the response from Cisco itself:

http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?

A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.

Q: how is Cisco AVS Firewall application differs by a network firewall?

A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.

Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications

Concerning

Farrukh

Questions of pre-installation on IPS on Cisco ASA Cluster

Hello

I'm looking for some configuration directives and IPS.

I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about setting it up.

We have a customer who requires their web servers to be protected with the IPS Module. I have the following questions:

1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

2. can you syslog alerts?

3. is it possible to use snmp around alert also interrupts?

4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the

Firewall and block traffic if they choose to do so? Is it possible for an administrator to block traffic (or leave if his)

a false positive in IPS) without having to connect to the ASDM? If you have a scenario where you don't want to give users access to

the firewall, what is the best way to go about this?

5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

6. I'm afraid that if I put it with a profile he can start blocking valid traffic. What is the best way to start with IPS to protect

a server?

7 if its possible to syslog, what kind of detail is the capture of syslog? Need name attack, etc.?

A lot of questions! I hope someone can help

Thanks a mill

1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the config of the ASA)

2. can you syslog alerts?

N ° the cisco IPS OS doesn't support syslog.

3. is it possible to use snmp around alert also interrupts?

Yes. But you must set the 'action' on each signature that you want to send a trap.

4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the

Firewall and block traffic if they choose to do so? Is it possible for an administrator to block traffic (or leave if his)

a false positive in IPS) without having to connect to the ASDM? If you have a scenario where you don't want to give users access to

the firewall, what is the best way to go about this?

Who should perform the analysis of IPS events have generally sufficient privilege and access to make any changes necessary to your firewall security and IPS sensors. It takes time, knowledge and skills for the analysis of the IPS. Most customer do not have the resources to do the job that you describe.

5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

No syslog. You can set alerts email on a per-signature basis.

6. I'm afraid that if I put it with a profile he can start blocking valid traffic. What is the best way to start with IPS to protect

a server?

Start in "Promiscuous" mode and see what hit the signatures. Investigate them, adjust your false positive until you have a tight game, an action of signatures. Then switch to online mode.

7 if its possible to syslog, what kind of detail is the capture of syslog? Need name attack, etc.?

No syslog.

-Bob

Detection of injections SQL with IDS/IPS on cisco ASA?

Hello

Is it possible to detect or prevent attacks by injecting SQL using Cisco IDS / IPS on ASA or with regular expressions?

Is any signature available in IDS/IPS for this? And what is effective, is in terms of the generation of correct alarms?

Thanks in advance

Deepak,

We have several signatures to detect generic SQL injection attacks in the family x-5930 of signatures.

Cisco ASA IPS with enforcement

Hi all

I don't know if this is the best place to connect to this application, because it comes to ASA and convenient best IPS.

In any case, I was wondering what the best approach is to integrate a Cisco IPS GOAL module in an existing configuration of Cisco ASA, which uses the default application in the world control - i.e.

---------------------------

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

etc etc.

global service-policy global_policy

---------------------------

I was keen to inspect all traffic that was OK coming from our Web-based interface in our environment, while I was trying to do something like:

---------------------------

class-map ips

corresponds to the list of internet access

!

ips policy-map

class ips

IPS inline fail-closed

!

global service-policy global_policy

service-policy ips outside interface

---------------------------

This configuration would allow inspection of the demand for traffic going from inside to outside, but to redirect traffic from outside within the IPS?

Thank you

As for the configuration. It should inspect traffic in both directions as apply you it globally, and the map-IPS policy, it would redirect internet traffic to the inside network.

IPS of ASA journals collection

Hello

How can I collect newspapers of the IPS of the ASA? My firewall is ASA 5515 x, 9.1 (5) with module version IPS 4,0000 E4. Please let me know the commands to view the logs of IPS, also, how can I monitor these logs?

Kind regards

Martin

You must use either:

a. Device Manager IPS (basically ASDM pointed toward the IPS vs ASA address address and used real time connect to the visualization and the configuraiton)

(b) IPS Manager Express (keeps newspapers even when not active GUI, allows to manage several IPS), or

cisco Security Manager.

The first two are free tools for IPS unique or small facilities, and the third is a licensed - the company-wide product.

Add the date of activation of the system of detention of intrusions and Cisco ASA FirePOWER

Good evening

I want to add detention system intrusions to Cisco ASA FirePOWER license (with I.P.S, protection MPAs., Apps and URL). Is possible that? I have to buy another license or only (not free) upgrade?

the start date of the firepower Cisco ASA license-protection starts from the purchase date or from date of activation/installation on router ASA5506-X?

Hi again, my responses below:

(3) the L-ASA5506W-TAMÁS = is the correct part number if you are looking to get the model of 5506-X Wireless ASA. Don't know why ours (CDW) site has not listed :) However, we have listed promotional SKU: L-ASA5506WTAMC-1PR. For more information, I suggest that join you your CDW account manager. If you are not a customer CDW then I would suggest that you contact your local Cisco partner dealer

(4) here's the datasheet FireSIGHT:

http://www.Cisco.com/c/en/us/products/collateral/security/firesight-Management-Center/datasheet-C78-736775.html

The device can be virtual or physical

5.1) IOS-base-2960 - I'm not sure I understand the question. Can you elaborate a bit more on what you're asking here?

5.2) I.D.S. requires no additional licenses. It is part of the solution if you buy above subscriptions. The main difference here is that IPS (Intrusion Prevention System) is deployed in line and he will drop the traffic/connections if a malicious activity is detected. IDS (Intrusion Detection System) is monitor only. Thus, if the malicious traffic is detected, firepower will alert you to this topic but he will drop all traffic.

3DES/5,3) AES will be included at the time of the references you listed.

Thank you for evaluating useful messages!

Cisco ASA 5510 + license + AIP - SSM

Hello.

I have this box.

I have a few questions about it.

(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

Please help me.

(1) you must Smartnet in order to download the software from the download from cisco.com site.

(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

(3) Yes, the basic license is OK for the AIP module.

(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

Hope that answers your questions.

Filtering in Cisco ASA using module sfr Web

Hello

I have Cisco ASA 5515-x version 9.2 (2) and I use ASDM version 7.2 (2). I module 5.3.1 LICO of ASA. I want to activate the ASA web filtering feature. Previously, I used the method of expression regex in the SAA to perform url filtering, but it was not effective. Since then, I have the license for the management of firesight I want to use it.

But I am confused as some cisco docs say to set the firesight management in vmware while others offer to run the boot image in the SAA itself. What is the right way to do it?

The show module command, I see that my module of sfr is in place so that means the sfr module is pre-installed, and I can't do a lot of configurations?

It would be better for me to run ASA itself, but if it does not work like that then I will configure in VM. So please me clearify that concerns my options and my best chance.

If it should be installed on a virtual machine or ASA itself, then please give me the link to download the boot images and other files on cisco.com. I have the user name and password, but did not find the correct software.

Thank you in advance.

Your ASA 5515-x performs the minimum version required to support the fire power module (sfr). The module also runs the initial version of the software of the firepower for ASA-based module firepower.

With this combination of Software ASA and firepower on your device, you will need to use an external administrator of firepower to manage module (create strategies, apply licenses, monitor events etc.).

From ASA 9.5 (1) and firepower 6.0, you have the opportunity to make the most of the same functions via ASDM. You must upgrade the ASA (both ASDM) and firepower to achieve module.

In both cases, you should Protect licenses and URL filtering for the module of firepower.

The Quick Start Guide is here: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepo...

See also the excellent vidoe Lab Minutes guides for firepower: http://labminutes.com/video/sec/ASA%20FirePower

The ASA and ASDM software is here:

https://software.Cisco.com/download/type.html?mdfid=284143128&flowid=31442

Software module of firepower is here:

https://software.Cisco.com/download/release.html?mdfid=286271171&flowid=...

To run the power of fire management center VM, the software is here:

https://software.Cisco.com/download/release.html?mdfid=286259687&flowid=...

All the links above require a username cisco.com entitled (support agreement) to download the software.

Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?

The config below has had IPs/passwords has changed.

External Datacenter: 1.1.1.4

External office: 1.1.1.1

Internal data center: 10.5.0.1/24

Internal office: 10.10.0.1/24

: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate the password encrypted
passwd encrypted
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end

Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides.

Add the statement of rule sheep in asa and try again.

NAT (inside) 0-list of access pixtosw

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

Concerning

IPS module - ASA 5585 x

Dears

I have set up the module IPS with the Setup command and are initialized, but when I tried to access the IPS via ASA ASDM and save any changes he continues to tell me that I don't have sufficient rights?

Please check the gasket and advise what causes this case?

Connect with a user "admin". But there is more "Viewer" - rights for this user. Open a session in the sensor with the default 'cisco' user and the password you provided when you first login and change the user role of the user "admin" to "administrator."

Cisco ASA 5505 site for multiple subnet of the site.

Hello. I need help to configure my cisco asa 5505.

I set up a VPN between two ASA 5505 tunnel

Site 1:

Subnet 192.168.77.0

Site 2:

Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

What I need help:

Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

Vlan480 is used for phones. In vlan480, we have a PABX.

Is this possible to do?

Any help would be much appreciated!

Config site 2:

: Saved

:

ASA Version 7.2 (2)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

names of

name 192.168.1.250 DomeneServer

name of 192.168.1.10 NotesServer

name 192.168.1.90 Steadyily

name 192.168.1.97 TerminalServer

name 192.168.1.98 eyeshare w8

name 192.168.50.10 w8-print

name 192.168.1.94 w8 - app

name 192.168.1.89 FonnaFlyMedia

!

interface Vlan1

nameif Vlan1

security-level 100

IP 192.168.200.100 255.255.255.0

OSPF cost 10

!

interface Vlan2

nameif outside

security-level 0

IP address 79.x.x.226 255.255.255.224

OSPF cost 10

!

interface Vlan400

nameif vlan400

security-level 100

IP 192.168.1.1 255.255.255.0

OSPF cost 10

!

interface Vlan450

nameif Vlan450

security-level 100

IP 192.168.210.1 255.255.255.0

OSPF cost 10

!

interface Vlan460

nameif Vlan460-SuldalHotell

security-level 100

IP 192.168.2.1 255.255.255.0

OSPF cost 10

!

interface Vlan461

nameif Vlan461-SuldalHotellGjest

security-level 100

address 192.168.3.1 IP 255.255.255.0

OSPF cost 10

!

interface Vlan462

Vlan462-Suldalsposten nameif

security-level 100

192.168.4.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan470

nameif vlan470-Kyrkjekontoret

security-level 100

IP 192.168.202.1 255.255.255.0

OSPF cost 10

!

interface Vlan480

nameif vlan480 Telefoni

security-level 100

address 192.168.20.1 255.255.255.0

OSPF cost 10

!

interface Vlan490

nameif Vlan490-QNapBackup

security-level 100

IP 192.168.10.1 255.255.255.0

OSPF cost 10

!

interface Vlan500

nameif Vlan500-HellandBadlands

security-level 100

192.168.30.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan510

Vlan510-IsTak nameif

security-level 100

192.168.40.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan600

nameif Vlan600-SafeQ

security-level 100

192.168.50.1 IP address 255.255.255.0

OSPF cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 500

switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

switchport mode trunk

!

interface Ethernet0/3

switchport access vlan 490

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd encrypted x

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain default.domain.invalid

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

Lotus_Notes_Utgaaande tcp service object-group

UT og Frim Notes Description til alle

area of port-object eq

port-object eq ftp

port-object eq www

EQ object of the https port

port-object eq lotusnotes

EQ Port pop3 object

EQ pptp Port object

EQ smtp port object

Lotus_Notes_inn tcp service object-group

Description of the inn og alle til Notes

port-object eq www

port-object eq lotusnotes

EQ Port pop3 object

EQ smtp port object

object-group service Reisebyraa tcp - udp

3702 3702 object-port Beach

5500 5500 object-port Beach

range of object-port 9876 9876

object-group service Remote_Desktop tcp - udp

Description Tilgang til Remote Desktop

3389 3389 port-object range

object-group service Sand_Servicenter_50000 tcp - udp

Description program tilgang til sand service AS

object-port range 50000 50000

VNC_Remote_Admin tcp service object-group

Description Fra ¥ oss til alle

5900 5900 port-object range

object-group service Printer_Accept tcp - udp

9100 9100 port-object range

port-object eq echo

ICMP-type of object-group Echo_Ping

echo ICMP-object

response to echo ICMP-object

object-group service Print tcp

9100 9100 port-object range

FTP_NADA tcp service object-group

Suldalsposten NADA tilgang description

port-object eq ftp

port-object eq ftp - data

Telefonsentral tcp service object-group

Hoftun description

port-object eq ftp

port-object eq ftp - data

port-object eq www

EQ object of the https port

port-object eq telnet

Printer_inn_800 tcp service object-group

Fra 800 thought-out og inn til 400 port 7777 description

range of object-port 7777 7777

Suldalsposten tcp service object-group

Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

EQ Port pop3 object

EQ smtp port object

http2 tcp service object-group

Beach of port-object 81 81

object-group service DMZ_FTP_PASSIVE tcp - udp

55536 56559 object-port Beach

object-group service DMZ_FTP tcp - udp

20 21 object-port Beach

object-group service DMZ_HTTPS tcp - udp

Beach of port-object 443 443

object-group service DMZ_HTTP tcp - udp

8080 8080 port-object range

DNS_Query tcp service object-group

of domain object from the beach

object-group service DUETT_SQL_PORT tcp - udp

Description for a mellom andre og duett Server nett

54659 54659 object-port Beach

outside_access_in of access allowed any ip an extended list

outside_access_out of access allowed any ip an extended list

vlan400_access_in list extended access deny ip any host 149.20.56.34

vlan400_access_in list extended access deny ip any host 149.20.56.32

vlan400_access_in of access allowed any ip an extended list

Vlan450_access_in list extended access deny ip any host 149.20.56.34

Vlan450_access_in list extended access deny ip any host 149.20.56.32

Vlan450_access_in of access allowed any ip an extended list

Vlan460_access_in list extended access deny ip any host 149.20.56.34

Vlan460_access_in list extended access deny ip any host 149.20.56.32

Vlan460_access_in of access allowed any ip an extended list

vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

Vlan500_access_in list extended access deny ip any host 149.20.56.34

Vlan500_access_in list extended access deny ip any host 149.20.56.32

Vlan500_access_in of access allowed any ip an extended list

vlan470_access_in list extended access deny ip any host 149.20.56.34

vlan470_access_in list extended access deny ip any host 149.20.56.32

vlan470_access_in of access allowed any ip an extended list

Vlan490_access_in list extended access deny ip any host 149.20.56.34

Vlan490_access_in list extended access deny ip any host 149.20.56.32

Vlan490_access_in of access allowed any ip an extended list

Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan1_access_out of access allowed any ip an extended list

Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan1_access_out deny ip extended access list a whole

Vlan1_access_out list extended access permit icmp any any echo response

Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

vlan480_access_out of access allowed any ip an extended list

Vlan510_access_in of access allowed any ip an extended list

Vlan600_access_in of access allowed any ip an extended list

Vlan600_access_out list extended access permit icmp any one

Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

Vlan600_access_in_1 of access allowed any ip an extended list

Vlan461_access_in of access allowed any ip an extended list

Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

pager lines 24

Enable logging

asdm of logging of information

MTU 1500 Vlan1

Outside 1500 MTU

vlan400 MTU 1500

MTU 1500 Vlan450

MTU 1500 Vlan460-SuldalHotell

MTU 1500 Vlan461-SuldalHotellGjest

vlan470-Kyrkjekontoret MTU 1500

MTU 1500 vlan480-Telefoni

MTU 1500 Vlan490-QNapBackup

MTU 1500 Vlan500-HellandBadlands

MTU 1500 Vlan510-IsTak

MTU 1500 Vlan600-SafeQ

MTU 1500 Vlan462-Suldalsposten

no failover

Monitor-interface Vlan1

interface of the monitor to the outside

the interface of the monitor vlan400

the interface of the monitor Vlan450

the interface of the Vlan460-SuldalHotell monitor

the interface of the Vlan461-SuldalHotellGjest monitor

the interface of the vlan470-Kyrkjekontoret monitor

Monitor-interface vlan480-Telefoni

the interface of the Vlan490-QNapBackup monitor

the interface of the Vlan500-HellandBadlands monitor

Monitor-interface Vlan510-IsTak

Monitor-interface Vlan600-SafeQ

the interface of the monitor Vlan462-Suldalsposten

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 522.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

vlan400_nat0_outbound (vlan400) NAT 0 access list

NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

(Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

(vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

Access-group interface Vlan1 Vlan1_access_out

Access-group outside_access_in in interface outside

Access-group outside_access_out outside interface

Access-group vlan400_access_in in the vlan400 interface

vlan400_access_out group access to the interface vlan400

Access-group Vlan450_access_in in the Vlan450 interface

Access-group interface Vlan450 Vlan450_access_out

Access-group interface Vlan460-SuldalHotell Vlan460_access_in

Access-group interface Vlan460-SuldalHotell Vlan460_access_out

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

access to the interface vlan480-Telefoni, vlan480_access_out group

Access-group interface Vlan490-QNapBackup Vlan490_access_in

Access-group interface Vlan490-QNapBackup Vlan490_access_out

Access-group interface Vlan500-HellandBadlands Vlan500_access_in

Access-group interface Vlan500-HellandBadlands Vlan500_access_out

Access-group interface Vlan510-IsTak Vlan510_access_in

Access-group interface Vlan510-IsTak Vlan510_access_out

Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

Access-group Vlan600_access_out interface Vlan600-SafeQ

Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout, uauth 0:05:00 absolute

x x encrypted privilege 15 password username

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.210.0 255.255.255.0 Vlan450

http 192.168.200.0 255.255.255.0 Vlan1

http 192.168.1.0 255.255.255.0 vlan400

No snmp server location

No snmp Server contact

SNMP-Server Community public

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 20 match address outside_20_cryptomap_1

card crypto outside_map 20 set pfs

peer set card crypto outside_map 20 62.92.159.137

outside_map crypto 20 card value transform-set ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

ISAKMP crypto enable vlan400

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

tunnel-group 62.92.159.137 type ipsec-l2l

IPSec-attributes tunnel-group 62.92.159.137

pre-shared-key *.

Telnet 192.168.200.0 255.255.255.0 Vlan1

Telnet 192.168.1.0 255.255.255.0 vlan400

Telnet timeout 5

SSH 171.68.225.216 255.255.255.255 outside

SSH timeout 5

Console timeout 0

dhcpd update dns both

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

!

dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

dhcpd option 3 ip 192.168.1.1 interface vlan400

vlan400 enable dhcpd

!

dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

dhcpd ip interface 192.168.210.1 option 3 Vlan450

enable Vlan450 dhcpd

!

dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

dhcpd enable Vlan460-SuldalHotell

!

dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

dhcpd enable Vlan461-SuldalHotellGjest

!

dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

dhcpd enable vlan470-Kyrkjekontoret

!

dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

!

dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

!

dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

dhcpd enable Vlan500-HellandBadlands

!

dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

Vlan510-IsTak enable dhcpd

!

dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

Vlan600-SafeQ enable dhcpd

!

dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

Vlan462-Suldalsposten enable dhcpd

!

!

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

!

context of prompt hostname

Cryptochecksum:x

: end

Site 1 config:

: Saved

:

ASA Version 7.2 (4)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

passwd encrypted x

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.77.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

PPPoE Telenor customer vpdn group

IP address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 15

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

DNS server-group DefaultDNS

domain default.domain.invalid

outside_access_in list extended access permit icmp any any disable log echo-reply

access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 524.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Access-group outside_access_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

Enable http server

http 192.168.77.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 79.160.252.226

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.77.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

VPDN group Telenor request dialout pppoe

VPDN group Telenor localname x

VPDN group Telenor ppp authentication chap

VPDN x x local store password username

dhcpd outside auto_config

!

dhcpd address 192.168.77.100 - 192.168.77.130 inside

dhcpd dns 192.168.77.1 on the inside interface

dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

dhcpd allow inside

!

dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

!

tunnel-group 79.160.252.226 type ipsec-l2l

IPSec-attributes tunnel-group 79.160.252.226

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:x

: end

Hello

The addition of a new network to the existing VPN L2L should be a fairly simple process.

Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

Looking at your configurations above it would appear that you need to the following configurations

SITE 1
- We add the new network at the same time the crypto ACL and ACL NAT0
access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

SITE 2
- We add new ACL crypto network
- We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration
outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

Comment by VLAN480-NAT0 NAT0 for VPN access-list

access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

These configurations should pretty much do the trick.

Let me know if it worked

-Jouni

Cisco ASA: Redundancy of double ISP VPN...

Hello, if it anyway to configure vpn site to site redundancy using a cisco asa. I know that I can configure the redundancy using two ISP on my cisco ASA, pointing to the same peer, but what if I need to point to different peers but to protect the same networks...

I know it's possible in routers using tunnels gre + ipsec or VTI, but if there of still something similar using cisco ASA?

Any help will be appreciated! Thank you!

Hello

Yes, Nagiswaren is right. For example, you have this:

Based on the image above and your answers, you need to configure something like this:

Subnet mask IP address name interface method
Ethernet0/0 outsideVPN 10.198.16.143 255.255.255.224 manual
Ethernet0/1 inside 172.31.255.1 255.255.255.0 Manual
Ethernet0/2 outside-VPN2 10.198.29.21 255.255.255.224 manual

Ethernet0/3 INTERNET 12.12.12.12 255.255.255.224 manual

155 extended access-list allow ip 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0
IP 10.0.20.0 allow Access-list extended sheep 255.255.255.0 10.0.10.0 255.255.255.0

NAT (inside) 0 access-list sheep

Crypto ipsec transform-set esp-3des esp-md5-hmac 3DES-MD5

correspondence address card crypto mymap 10 155
map mymap 10 set peer 1.1.1.1 crypto 2.2.2.2
mymap 10 transform-set 3DES-MD5 crypto card
card crypto mymap interface outsideVPN
crypto interface outside-VPN2 mymap map
ISAKMP crypto enable outsideVPN
ISAKMP crypto enable outside-VPN2

crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco123

tunnel-group 2.2.2.2 type ipsec-l2l
2.2.2.2 tunnel-group ipsec-attributes
pre-shared-key cisco123

=============================================================================================

FOLLOW-UP OF THE OBJECT

Track 100 rtr 10 accessibility
ALS 10 monitor
type echo protocol ipIcmpEcho 4.2.2.2 interface outsideVPN
NUM-package of 3
frequency 10
Annex monitor SLA 10 life never start-time now

course INTERNET 0.0.0.0 0.0.0.0 12.12.12.1 1

Route outsideVPN 1.1.1.1 255.255.255.255 10.198.16.129 1 followed by 100

Route outsideVPN 2.2.2.2 255.255.255.255 10.198.16.129 1 followed by 100

Route outsideVPN 10.0.10.0 255.255.255.0 10.198.16.129 1 followed by 100
Route outsideVPN 4.2.2.2 255.255.255.255 10.198.16.129 1

Route outside-VPN2 1.1.1.1 255.255.255.255 10.198.29.1 254
Route outside-VPN2 2.2.2.2 255.255.255.255 10.198.29.1 254

Route outside-VPN2 10.0.10.0 255.255.255.0 10.198.29.1 254

I used 4.2.2.2 but you can use the isps1 IP address.

==========================ROUTER===================================================================
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2

access-list 133 allow ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

ISAKMP crypto key cisco123 address 10.198.16.143 No.-xauth

ISAKMP crypto key cisco123 address 10.198.29.21 No.-xauth

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

primary-card 10 map ipsec-isakmp crypto
defined by peer 10.198.16.143

defined by peer 10.198.29.21
game of transformation-ESP-3DES-SHA
match address 133

secondary-card 10 map ipsec-isakmp crypto
defined by peer 10.198.16.143

defined by peer 10.198.29.21
game of transformation-ESP-3DES-SHA
match address 133

interface FastEthernet0
IP 1.1.1.1 255.255.255.0
crypto primer-card card

interface FastEthernet1
IP address 2.2.2.2 255.255.255.0
card crypto high school-map

Interface Vlan1 * inside the interface *.
IP 10.0.10.1 255.255.255.0

1 IP sla monitor
Protocol type echo 4.2.2.2 ipIcmpEcho
timeout of 1000
frequency 3
threshold 2

IP sla monitor Appendix 1 point of life to always start-time now
accessibility of rtr 1 track 123

IP route 4.2.2.2 255.255.255.255 1.1.1.254 permanent
IP route 10.198.16.143 255.255.255.255 1.1.1.254 1 follow 123

IP route 10.198.29.21 255.255.255.255 1.1.1.254 1 follow 123

IP route 10.0.20.0 255.255.255.0 1.1.1.254 1 follow 123

IP route 10.198.16.143 255.255.255.255 2.2.2.254 200

IP route 10.198.29.21 255.255.255.255 2.2.2.254 200

IP route 10.0.20.0 255.255.255.0 2.2.2.254 200

-josemed

Monitor IPS Cisco ASA

Similar Questions

Maybe you are looking for