crypto ikev2 command

Hello

I am trying to configure an IPsec VPN on a 2821 router, but it does not accept the command "crypto ikev2".

I tried a few images of different software versions: 15.0 and 15.1 T & M train advsecurity, and 15.0 advipservices. (I only have 64 MB flash, so I cannot load 15.1 advipservices.)

Is there something about the 2821 that does not support IKEv2? I don't remember seeing anything in the release notes saying it is only supported on specific models.

In the end, I am configuring a VPN for Windows Azure. The sample configuration they provide (I'm using it on some 880-series routers with 15.1 without any problem) has the following:

crypto ikev2 proposal Azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
 exit

crypto ikev2 policy azure-policy
 proposal Azure-proposal
 exit

From: https://msdn.microsoft.com/en-us/library/azure/dn133800.aspx?f=255&MSPPE...

Can I use this router?

What is different between 15.1 on the 880 series and on the 2800?

Thank you

Jon

Hello

I looked at the Cisco Feature Navigator, and what I see there is that no 2821 image supports IKEv2, and the platform is end-of-sale now, so no new images will be released.

Tags: Cisco Security

Similar Questions

  • show crypto isakmp sa command shows 2 VPNs

    Hi all!

    Why does my router show me 2 VPNs? Is this normal?

    R1#show crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.10.0.5       10.10.0.2       QM_IDLE           1870 ACTIVE
    10.10.0.2       10.10.0.5       QM_IDLE           1871 ACTIVE

    For clarity, this shows that you have two IKE sessions.

    The situation can occur when:

    1) both sides start the IKE session at the same time;

    2) one side initiates a rekey of the IKE SA (every 24 hours by default).

    Most of the time it is not a problem.

    Check whether your IPsec security associations are up and not flapping.

    Enabling "crypto logging session" is probably a good way to get visibility.

  • crypto isakmp command problem

    Hello, I cannot enter the command "crypto isakmp policy 10" on a 2801 router in config mode, running the C2801-IPVOICEKP-M operating system.

    The problem is the word isakmp. This is where the command fails.

    I only have options for 'crypto ca', 'key' and 'pki'. There is no option for "crypto isakmp...".

    Can anyone offer any suggestions?

    Thank you kindly.

    Hello

    You will need an Advanced Security (K9) image to enter such crypto commands.

    Sent from Cisco Technical Support iPhone App

  • How to configure the IKEv2 VPN on Mac OS Server 10.12

    IKEv2 is mentioned in the release notes for Server 5.2, but I can't find any related instructions anywhere. Does anyone know where I could find a tutorial to set it up?

    If you are referring to:

    • New IKEv2 authentication method option or specify IPsec disconnect on timeout for VPN

    then it is a new feature of the Profile Manager in Server.app, not a new feature of the VPN server in Server.app. You will need to use a different, non-Apple-supplied VPN server in order to implement IKEv2.

    Note: clients on El Capitan or later, and iOS 9 or later, support IKEv2. (iOS 8 had limited support.)

  • ASA IKEv2 Site 2 Site

    Hello community!

    I have a small lab and today, as I was playing with IKEv2, according to my debugs the tunnel is set up, but it is not, and the ping does not succeed either :(

    These are the debugs I am running:

    debug crypto ikev2 platform 255
    debug crypto ikev2 protocol 255

    And this is what I see (excerpt):

    IKEv2-PLAT-2: (386): idle timeout value: 30
    IKEv2-PLAT-2: (386): session timeout value: 0
    IKEv2-PLAT-2: (386): group policy value DfltGrpPolicy
    IKEv2-PLAT-2: (386): class attr overview
    IKEv2-PLAT-2: (386): tunnel protocol set to: 0x5c
    IKEv2-PLAT-2: (386): IPv4 filter ID not configured for connection
    IKEv2-PLAT-2: (386): group lock value: none
    IKEv2-PLAT-2: (386): IPv6 filter ID not configured for connection
    IKEv2-PLAT-2: (386): connection attributes set valid to true
    IKEv2-PLAT-2: (386): conn attribute retrieval PASSED
    IKEv2-PLAT-2: (386): Session registration after conn attr PASSED, no error to recover
    IKEv2-PLAT-2:
    CONNECTION STATUS: REGISTERED... peer: 60.60.60.1:500, phase1_id: 60.60.60.1
    IKEv2-PROTO-2: (386): Initializing DPD, configured for 10 seconds

    But a few show commands say otherwise.

    ASA1-1# show crypto ikev2 sa

    There are no IKEv2 SAs

    ASA1-1# show crypto ipsec sa

    There are no ipsec sas

    I followed this guide: https://www.fir3net.com/Firewalls/Cisco/cisco-how-to-configure-an-ikev2-...

    Thank you!

    What is the remote device?

    Are you sure that you use the same encryption settings on both ends, and that the encryption domain is the same (but mirrored) at the other end?

  • ASA 5520 L2L IKEv1: no crypto isakmp sa information

    Here is the config... and show isakmp sa

    ----------------------------------------------------------------------------------------

    Dathomir-ASA(config)# show isakmp sa

    There are no IKEv1 SAs

    There are no IKEv2 SAs
    Dathomir-ASA(config)#

    ----------------------------------------------------------------------------------------

    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source static INSIDE INSIDE destination static DAN-NETWORK DAN-NETWORK route-lookup
        translate_hits = 0, untranslate_hits = 0

    Manual NAT Policies (Section 3)
    1 (inside) to (outside) source dynamic any interface
        translate_hits = 661, untranslate_hits = 0
    Dathomir-ASA(config)#

    ----------------------------------------------------------------------------------------

    !
    hostname Dathomir-ASA
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     nameif inside
     security-level 100
     ip address 192.168.75.1 255.255.255.0
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name SW.Demers.com
    object network DAN-PUB
     host 1.1.1.1
    object network NATE-INSIDE
     host 192.168.75.5
    object-group network INSIDE
     network-object 192.168.75.0 255.255.255.0
    object-group network DAN-NETWORK
     network-object 192.168.75.0 255.255.255.0
    access-list INSIDE-IN extended permit ip any any log
    access-list INSIDE-IN extended deny ip any any log
    access-list OUTSIDE-IN extended permit ip object DAN-PUB host 192.168.75.5 log
    access-list VPN-DAN extended permit ip 192.168.75.0 255.255.255.0 192.168.200.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 10000
    logging console debugging
    logging buffered debugging
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-743.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static INSIDE INSIDE destination static DAN-NETWORK DAN-NETWORK route-lookup
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group OUTSIDE-IN in interface outside
    access-group INSIDE-IN in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.75.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set TS_ESP_AES256_SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto map mymap 10 match address VPN-DAN
    crypto map mymap 10 set peer 2.2.2.2
    crypto map mymap 10 set ikev1 transform-set TS_ESP_AES256_SHA
    crypto map mymap 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map mymap 10 set reverse-route
    crypto map mymap 20 match address VPN-DAN
    crypto map mymap 20 set peer 1.1.1.1
    crypto map mymap 20 set ikev1 transform-set TS_ESP_AES256_SHA
    crypto map mymap 20 set reverse-route
    crypto map mymap interface outside
    crypto ikev2 policy 5
     encryption aes
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    telnet timeout 5
    ssh 192.168.75.0 255.255.255.0 inside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 8.8.8.8 4.4.2.2
    dhcpd lease 3000
    !
    dhcpd address 192.168.75.5-192.168.75.5 inside
    dhcpd dns 8.8.8.8 4.4.2.2 interface inside
    dhcpd option 3 ip 192.168.75.1 interface inside
    dhcpd option 6 ip 8.8.8.8 4.4.2.2 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-DAN
    username NAT password L3LhK0WEjivHU8Xd encrypted privilege 15
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect http
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:5398307065bcf53ecaf5884259f1ea71
    : end

    -----------------------------------------------------------------------------------------------

    debug crypto ikev1 255

    RECV PACKET from 73.206.149.11
    ISAKMP Header
      Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
      Responder COOKIE: 00 00 00 00 00 00 00 00
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 172
      Payload Security Association
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 60
        DOI: IPsec
        Situation: (SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 48
          Proposal #: 1
          Protocol-Id: PROTO_ISAKMP
          SPI Size: 0
          # of transforms: 1
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 40
            Transform #: 1
            Transform-Id: KEY_IKE
            Reserved2: 0000
            Group Description: Group 5
            Encryption Algorithm: AES-CBC
            Key Length: 256
            Hash Algorithm: SHA1
            Authentication Method: Preshared key
            Life Type: seconds
            Life Duration (Hex): 00 01 51 80
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          cb 80 91 3e bb 69 90 6 08 63 81 b5 ce 42 7 b 1f
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          94 19 53 10 ca 6f 17 a6 7 d 2C9 d 92 15 52 9 d 56
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          4 a 13 1 c 81 07 03 58 45 57 28 95 45 2f 0e f2 5 c
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data (In Hex):
          40 48 b7 d5 6e e8 85 25 e7 7f 00 c2 d3 d6 bc
          c0 00 00 00
    Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
    Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, processing SA payload
    Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100

    ISAKMP Header
      Initiator COOKIE: 30 42 fb 1 4 d fc be 9f
      Responder COOKIE: 0 d 4 c df a2 6 a 57 24
      Next Payload: Notification
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: 00000000
      Length: 100
    Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, All SA proposals found unacceptable!
    Aug 11 08:14:40 [IKEv1]: IP = 73.206.149.11, Error processing payload: Payload ID: 1
    Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, IKE MM Responder FSM error history (struct &0xcefbce48) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
    Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, IKE SA MM:a2df0c4d terminating: flags 0x01000002, refcnt 0, tuncnt 0
    Aug 11 08:14:40 [IKEv1 DEBUG]: IP = 73.206.149.11, sending delete/delete with reason message

    Hello

    Your ikev1 policy is

    crypto ikev1 policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5

    And this is what you received from the peer:

    Group Description: Group 5
    Encryption Algorithm: AES-CBC
    Key Length: 256
    Hash Algorithm: SHA1
    Authentication Method: Preshared key

    The peer proposes AES 256 as the encryption algorithm, while you have AES.

    HTH

    Averroès.

  • Problem with IKEv2 routes when using PSK and RADIUS

    Hello

    I have an 881 (15.2(4)M2) connected to an ASR 1001 (03.07.01.S) via the Internet. The goal is to set up DVTI on the ASR, use FlexVPN on the CPE and inject IKEv2 crypto routes into the VRF on the PE for the protected subnets on the CPE, using pre-shared key for authentication and RADIUS to return the attributes.

    I can get the tunnel working fine, but I can't get the crypto routes.

    My configs:

    881 CPE:

    crypto ikev2 keyring Keychain-CPE
     peer ASR
      address
      pre-shared-key abcd
    !
    crypto ikev2 profile IKEV2-PROFILE-CPE
     match identity remote address 255.255.255.255
     identity local fqdn cpe.ipsec.net
     authentication remote pre-share
     authentication local pre-share
     keyring local Keychain-CPE
     dpd 30 2 periodic
    !
    crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TFS-AES256-SHA-HMAC
     set ikev2-profile IKEV2-PROFILE-CPE
    !
    crypto ikev2 client flexvpn FLEX
     peer 1
     client inside Loopback0
     client connect Tunnel0
    !
    interface Loopback0
     ip address 255.255.255.255
    !
    interface Tunnel0
     ip address negotiated
     tunnel source Dialer2
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default

    ASR PE:

    aaa authorization network IPSEC-AUTHOR group AAA-GROUP-IPSEC-RADIUS
    !
    crypto ikev2 dpd 60 2 periodic
    !
    crypto ikev2 profile IKEV2-PROFILE-ASR
     match fvrf FVRF
     match identity remote fqdn domain ipsec.net
     authentication remote pre-share
     authentication local pre-share
     keyring aaa IPSEC-AUTHOR
     aaa authorization user psk list IPSEC-AUTHOR
     virtual-template 1
    !
    crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile default
     set transform-set TFS-AES256-SHA-HMAC
     set ikev2-profile RADU
     responder-only
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel source GigabitEthernet0/0/3
     tunnel mode ipsec ipv4
     tunnel vrf FVRF
     tunnel protection ipsec profile default

    RADIUS user definition:

    cpe.ipsec.net
      Tunnel-Password = abcd,
      Framed-IP-Address = 172.16.0.254,
      Framed-IP-Netmask = 255.255.255.254,
      Cisco-avpair = "ip:interface-config=vrf forwarding test",
      Cisco-avpair = "ip:interface-config=ip address 172.16.0.255 255.255.255.254",
      Cisco-avpair = "ipsec:route-set=interface",
      Cisco-avpair = "ipsec:route-set=prefix 32",
      Cisco-avpair = "ipsec:route-accept=any"

    The tunnel interface comes up on the CPE and the virtual-access interface is created on the ASR. I could use BGP to exchange routing information between PE and CPE, but I want to use IKE.

    I think the problem is that I don't know how to invoke an IKEv2 authorization policy on the CPE (in which I could set up an access list for the ). But on the CPE I have the following limitations:

    I want to use PSK for authentication, but no RADIUS server is available. So the only other option for PSK authentication is a locally defined keyring, as there is no way to use a locally defined username (local authentication) with a keyring.

    So how can I trigger an IKEv2 authorization policy under the IKEv2 profile?

    CPE(config-ikev2-profile)#aaa authorization user psk list ?
      WORD  AAA list name

    If I set a local aaa authorization list, then all authentication fails:

    aaa authorization network default local

    crypto ikev2 profile IKEV2-PROFILE-CPE
     aaa authorization user psk list default

    *Dec 20 15:52:27.042 UTC: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

    And there is no way to trigger the authorization policy if I do not set the command above, is there? I tried to modify the default authorization policy with an access list, but it is not taken into account.

    If I use a crypto map with an access-list and IKEv2, I can get crypto routes on the ASR. But I want to use FlexVPN on the CPE.

    Is there a way to do this?

    Also the IOS configuration guides are not too useful

    Thank you

    Radu

    *Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
    *Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist
    *Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 authorization error 162

    Not sure what your config looks like, but here it says that it cannot find

    crypto ikev2 authorization policy 87.84.214.31

    <...>

    Is it configured?

  • AnyConnect IKEv2 IPsec authentication failure

    I have configured AnyConnect WebVPN using IPsec (IKEv2) on an ASA with version 8.4(2). When I try to connect with the AnyConnect Secure Mobility Client, I get an "authentication failed" error message (see screenshot). It doesn't even prompt me for the username and password. From the debugs, I get the following errors:

    %ASA-6-302015: Built inbound UDP connection 354 for outside:x.x.x.x/52171 (x.x.x.x/52171) to identity:172.16.4.2/500 (172.16.4.2/500)
    %ASA-5-750002: Local:172.16.4.2:500 Remote:x.x.x.x:52171 Username:Unknown Received a IKE_INIT_SA request
    %ASA-6-302015: Built inbound UDP connection 355 for outside:x.x.x.x/52172 (x.x.x.x/52172) to identity:172.16.4.2/4500 (172.16.4.2/4500)
    %ASA-3-751006: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Local authentication failed: certificate. Error: Unable to retrieve the certificate chain
    %ASA-4-750003: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Negotiation aborted due to ERROR: Auth exchange failed
    %ASA-6-302013: Built inbound TCP connection 356 for outside:x.x.x.x/52175 (x.x.x.x/52175) to identity:172.16.4.2/443 (172.16.4.2/443)
    %ASA-6-725001: Starting SSL handshake with client outside:x.x.x.x/52175 for TLSv1 session.
    %ASA-7-725010: Device supports the following 4 cipher(s).
    %ASA-7-725011: Cipher[1] : RC4-SHA
    %ASA-7-725011: Cipher[2] : AES128-SHA
    %ASA-7-725011: Cipher[3] : AES256-SHA
    %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
    %ASA-7-725008: SSL client outside:x.x.x.x/52175 proposes the following 18 cipher(s).
    %ASA-7-725011: Cipher[1] : DHE-RSA-AES256-SHA
    %ASA-7-725011: Cipher[2] : DHE-DSS-AES256-SHA
    %ASA-7-725011: Cipher[3] : AES256-SHA
    %ASA-7-725011: Cipher[4] : EDH-RSA-DES-CBC3-SHA
    %ASA-7-725011: Cipher[5] : EDH-DSS-DES-CBC3-SHA
    %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
    %ASA-7-725011: Cipher[7] : DHE-RSA-AES128-SHA
    %ASA-7-725011: Cipher[8] : DHE-DSS-AES128-SHA
    %ASA-7-725011: Cipher[9] : AES128-SHA
    %ASA-7-725011: Cipher[10] : RC4-SHA
    %ASA-7-725011: Cipher[11] : RC4-MD5
    %ASA-7-725011: Cipher[12] : EDH-RSA-DES-CBC-SHA
    %ASA-7-725011: Cipher[13] : EDH-DSS-DES-CBC-SHA
    %ASA-7-725011: Cipher[14] : DES-CBC-SHA
    %ASA-7-725011: Cipher[15] : EXP-EDH-RSA-DES-CBC-SHA
    %ASA-7-725011: Cipher[16] : EXP-EDH-DSS-DES-CBC-SHA
    %ASA-7-725011: Cipher[17] : EXP-DES-CBC-SHA
    %ASA-7-725011: Cipher[18] : EXP-RC4-MD5
    %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:x.x.x.x/52175
    %ASA-6-725002: Device completed SSL handshake with client outside:x.x.x.x/52175
    %ASA-6-725007: SSL session with client outside:x.x.x.x/52175 terminated.
    %ASA-6-302014: Teardown TCP connection 356 for outside:x.x.x.x/52175 to identity:172.16.4.2/443 duration 0:00:00 bytes 872 TCP FINs

    Here is my configuration:

    ip local pool VPNPOOL 172.17.1.1-172.17.1.40 mask 255.255.255.0
    object network obj-vpnpool
     subnet 172.17.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
    access-list SPLITUN-ACL standard permit 192.168.0.0 255.255.255.0
    access-list SPLITUN-ACL standard permit 10.1.1.0 255.255.255.0
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2 1
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint _SmartCallHome_ServerCA
    crypto ipsec ikev2 ipsec-proposal TS1-IKEV2
     protocol esp encryption 3des aes aes-192 aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map DYN-map 40 set ikev2 ipsec-proposal TS1-IKEV2
    crypto map ASA1VPN 65535 ipsec-isakmp dynamic DYN-map
    crypto map ASA1VPN interface outside
    crypto isakmp nat-traversal
    webvpn
     anyconnect image disk0:/anyconnect-linux-3.0.5075-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-3.0.5075-k9.pkg 2
     anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 5
     anyconnect profiles Main_IKEv2_client_profile disk0:/Main_IKEv2_client_profile.xml
     anyconnect enable
     enable outside
     tunnel-group-list enable
    group-policy GroupPolicy_Main_IKEv2 internal
    group-policy GroupPolicy_Main_IKEv2 attributes
     vpn-tunnel-protocol ikev2
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITUN-ACL
     dns-server value 192.168.0.245
     wins-server value 192.168.0.245
     default-domain value jiffix.local
     webvpn
      anyconnect profiles value Main_IKEv2_client_profile type user
      anyconnect keep-installer installed
    tunnel-group RemoteAccessIKEv2 type remote-access
    tunnel-group RemoteAccessIKEv2 general-attributes
     default-group-policy GroupPolicy_Main_IKEv2
     address-pool VPNPOOL
    tunnel-group RemoteAccessIKEv2 webvpn-attributes
     group-alias Main_IKEv2 enable
    username user password xxxxx
    username user attributes
     vpn-group-policy GroupPolicy_Main_IKEv2
    management-access inside
    ssh 172.17.1.0 255.255.255.0 inside

    Main_IKEv2_client_profile.xml (the XML markup was lost in extraction; only these values survive: the namespace http://schemas.xmlsoap.org/encoding/, the host entry "hostname-ASA (IPsec)", the host address y.y.y.y, and the primary protocol IPsec)

    Do you have the trustpoint '_SmartCallHome_ServerCA' configured with a certificate? The partial configuration above does not indicate anything about it, and that is where authentication fails according to your log output above.

    The output of 'show crypto ca server certificates' would be useful.
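The log excerpt in the post above shows the usual shape of an IKEv2 remote-access failure on the ASA: the IKE_SA_INIT on UDP/500, a NAT-T move to UDP/4500, a severity-3 message naming the real problem (here the certificate chain behind the configured trustpoint), and then the generic 750003 abort, after which the client falls back to an SSL session. The following is an added example, not code from the post or from Cisco: a small triage script that groups the IKEv2 messages per peer and reports the first severity-3 message as the root cause rather than the 750003 symptom, and separately flags a weak cipher chosen for the SSL fallback. The regexes, the triage() function, its result layout and the SAMPLE_LOG lines (constructed from the message IDs quoted above, with paraphrased text) are this example's own.

```python
"""Triage of ASA syslog for an IKEv2 remote-access failure (added example).

Not from the thread: the regexes, triage() and its result layout are this example's
own. SAMPLE_LOG is constructed from the message IDs quoted in the post (750002,
751006, 750003, 725012); the text after each ID is paraphrased.
"""
import re

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)$")
# IKEv2 messages (7500xx/7510xx) carry the session triple Local/Remote/Username
IKE_RE = re.compile(r"Local:(?P<local>\S+)\s+Remote:(?P<remote>\S+)\s+Username:(?P<user>\S+)\s+(?P<text>.*)")
CIPHER_RE = re.compile(r"Device chooses cipher\s*:\s*(?P<cipher>\S+) for the SSL session with client (?P<client>\S+)")

# Substrings marking a TLS cipher suite a defender would not want an SSL VPN to pick
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "EXP-", "MD5")


def parse_syslog(line: str):
    """Split a '%ASA-<severity>-<id>: <message>' line; None for non-syslog lines."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "id": m["id"], "msg": m["msg"]}


def triage(lines):
    """Per remote peer: the first severity<=3 IKEv2 message (the root cause) and
    whether the negotiation was aborted (750003); plus weak ciphers chosen for SSL."""
    ikev2, weak_tls = {}, []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        ike = IKE_RE.match(rec["msg"]) if rec["id"].startswith("75") else None
        if ike:
            # Key on the peer IP only: the source port changes from 500 to 4500 when
            # NAT-T is detected after IKE_SA_INIT, so IP:port would split one session.
            peer = ike["remote"].rsplit(":", 1)[0]
            entry = ikev2.setdefault(peer, {"root_cause": None, "aborted": False, "events": []})
            entry["events"].append((rec["id"], ike["text"]))
            if rec["id"] == "750003":
                entry["aborted"] = True
            elif rec["severity"] <= 3 and entry["root_cause"] is None:
                entry["root_cause"] = (rec["id"], ike["text"])
        elif rec["id"] == "725012":
            c = CIPHER_RE.search(rec["msg"])
            if c and any(mark in c["cipher"] for mark in WEAK_CIPHER_MARKERS):
                weak_tls.append((c["client"], c["cipher"]))
    return {"ikev2": ikev2, "weak_tls": weak_tls}


# Constructed sample, modelled on the lines quoted in the post (x.x.x.x = client address)
SAMPLE_LOG = [
    "%ASA-6-302015: Built inbound UDP connection 354 for outside:x.x.x.x/52171 (x.x.x.x/52171) to identity:172.16.4.2/500 (172.16.4.2/500)",
    "%ASA-5-750002: Local:172.16.4.2:500 Remote:x.x.x.x:52171 Username:Unknown Received a IKE_INIT_SA request",
    "%ASA-3-751006: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Local authentication failed: certificate. Error: Unable to retrieve the certificate chain",
    "%ASA-4-750003: Local:172.16.4.2:4500 Remote:x.x.x.x:52172 Username:Unknown Negotiation aborted due to ERROR: Auth exchange failed",
    "%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:x.x.x.x/52175",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for peer, info in report["ikev2"].items():
        print(peer, "aborted" if info["aborted"] else "ok", "root cause:", info["root_cause"])
    print("weak TLS:", report["weak_tls"])
```

On the sample the report names 751006 as the root cause for peer x.x.x.x and marks the negotiation aborted; the 750003 line on its own only says that IKE_AUTH failed, which is why the triage keeps the first severity-3 message instead. Feed it `logging buffered debugging` output or a syslog collector export line by line.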

  • IKEv2 AnyConnect and pool allocation via RADIUS

    I set up a CSR1000V (03.09.00a.S.153-2) for AnyConnect with IKEv2. I store the username and the IKEv2 authorization policy on the RADIUS server. The clients are placed in their own iVRFs through the RADIUS attributes sent to the NAS.

    For example, in FreeRADIUS (2.1.12) the following is defined (home is the 'group') in the [email protected] format:

    home    Cleartext-Password := "cisco"
            Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
            Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
            Framed-Pool = "CUST-A-POOL"

    [email protected]    Cleartext-Password := "test123"

    The user and group authorization information are then merged and cloned onto the virtual template:

    crypto ikev2 name-mangler EXTRACT-GROUP
     eap suffix delimiter @
    !
    crypto ikev2 profile FlexVPN-IKEv2-profile-1
     match fvrf IPSEC-FVRF
     match identity remote key-id FlexAnyConnect
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint cacert.org
     dpd 60 2 on-demand
     aaa authentication eap FlexVPN-AuthC-list-1
     aaa authorization group eap list FlexVPN-AuthZ-list-1 name-mangler EXTRACT-GROUP
     aaa authorization user eap cached
     virtual-template 1
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel vrf IPSEC-FVRF
     tunnel protection ipsec profile FlexVPN-IPsec-profile-1

    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) sent to the NAS in the RADIUS debugs:

    *Aug 16 21:36:39.384 TSB: RADIUS:  Framed-IP-Pool       [88]  13  "CUST-A-POOL"

    However, the crypto debugs say an IP cannot be assigned:

    *Aug 16 21:36:39.435 TSB: IKEv2: Cannot allocate an IP addr

    Payload contents:
     AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)

    If the Framed-Pool is removed and a Framed-IP-Address is set on the user instead, the configured address is assigned. CUST-A-POOL is defined locally on the NAS. Is there something I'm missing? Can any more detailed debugs be generated?

    Cheers,

    Matt

    Matt,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty98153

    Send:

    ipsec:addr-pool or ipsec:ipv6-addr-pool

    M.

  • Debug Protocol cryptographic ikev2

    I wanted to ask if someone has made a point to VPN Ikev2 with other vendors such as Juniper or Aruba for "Suite B"?  Second on a debug where I worked on today, I get the following:

    IKEv2-PROTO-1: (3357): Received Policies:

    Proposal 1:  AES-CBC-256 MD5 DH_GROUP_768_MODP/Group 1

    IKEv2-PROTO-1: (3357): Expected Policies:

    Proposal 1:  AES-CBC-256 MD5 MD596 DH_GROUP_768_MODP/Group 1

    See how they line up except for the MD596; I changed the setting here:

    crypto ikev2 policy 1
     encryption aes-256
     integrity md5
     group 1
     prf md5
     lifetime seconds 86400

    But I have not found where in the configuration the MD596 comes from.  Any idea?  Thank you.

    Douglas

    Douglas,

    You are probably using a version with smart defaults.

    example:

    GH2_R2#sh run | s crypto ikev2 prop
    GH2_R2#sh cry ikev2 propo
    IKEv2 proposal: default
    Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
    Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
    PRF        : SHA512 SHA384 SHA256 SHA1 MD5
    DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

    I haven't done any interoperability tests myself (not my neck of the woods), but I'd be curious what config you are trying and what the full debugs are.

    Edit: Also, the version information.
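    The two threads above (the RADIUS pool failure ending in INTERNAL_ADDRESS_FAILURE, and the MD596 token that turns out to come from the smart-default proposal) are both easiest to triage by reading the IKEv2 debug mechanically. The following is an added example, not code from either poster or from Cisco: it parses the Received/Expected proposal lines, reports what only one side offers, flags weak primitives, and ties an INTERNAL_ADDRESS_FAILURE notify to a preceding address-allocation failure. The sample debug text is constructed to approximate the lines quoted in the posts, and the function names and the WEAK set are my own choices.

```python
"""Triage helper for IOS/ASA 'debug crypto ikev2' output (added example)."""
import re

# Constructed sample: proposal mismatch from the MD596 thread plus the pool
# failure from the FlexVPN/RADIUS thread (wording approximated, not verbatim).
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (3357): Received Policies:
Proposal 1:  AES-CBC-256 MD5 DH_GROUP_768_MODP/Group 1
IKEv2-PROTO-1: (3357): Expected Policies:
Proposal 1:  AES-CBC-256 MD5 MD596 DH_GROUP_768_MODP/Group 1
IKEv2: cannot allocate an IP addr
Payload contents:
 AUTH NOTIFY (INTERNAL_ADDRESS_FAILURE)
"""

# Primitives a reviewer should flag in any negotiated proposal: MD5/SHA1 HMACs
# (including the truncated -96 display names), DES/3DES and MODP groups < 2048 bits.
WEAK = {"MD5", "MD596", "SHA1", "SHA96", "DES", "3DES",
        "DH_GROUP_768_MODP/Group 1", "DH_GROUP_1024_MODP/Group 2",
        "DH_GROUP_1536_MODP/Group 5"}
# Integrity names that appear in the IOS smart-default proposal output quoted above.
SMART_DEFAULT_NAMES = {"MD596", "SHA96"}

DH_RE = re.compile(r"DH_GROUP_\d+_MODP/Group \d+")
PROPOSAL_RE = re.compile(r"^\s*Proposal\s+(\d+):\s*(.*)$")
SECTION_RE = re.compile(r"(Received|Expected) Policies", re.IGNORECASE)
NOTIFY_RE = re.compile(r"NOTIFY\s*\((\w+)\)")


def tokenize(text):
    """Split a proposal line into algorithm tokens, keeping 'DH_GROUP_.../Group n' whole."""
    groups = DH_RE.findall(text)
    rest = DH_RE.sub(" ", text).split()
    return set(rest) | set(groups)


def parse_policies(debug_text):
    """Return {'received': {n: tokens}, 'expected': {n: tokens}} from debug output."""
    policies = {"received": {}, "expected": {}}
    current = None
    for line in debug_text.splitlines():
        section = SECTION_RE.search(line)
        if section:
            current = section.group(1).lower()
            continue
        proposal = PROPOSAL_RE.match(line)
        if proposal and current:
            policies[current][int(proposal.group(1))] = tokenize(proposal.group(2))
    return policies


def compare_policies(policies):
    """For each expected proposal number, list what only one side offers and what is weak."""
    report = {}
    for num, expected in policies["expected"].items():
        received = policies["received"].get(num, set())
        report[num] = {
            "only_expected": sorted(expected - received),
            "only_received": sorted(received - expected),
            "weak": sorted((expected | received) & WEAK),
        }
    return report


def smart_default_tokens(report):
    """Local-only tokens that come from the smart-default proposal, not a configured policy."""
    return {num: sorted(set(r["only_expected"]) & SMART_DEFAULT_NAMES)
            for num, r in report.items()}


def notify_failures(debug_text):
    """Collect NOTIFY types, noting whether an address-allocation failure preceded each."""
    found = []
    alloc_failed = False
    for line in debug_text.splitlines():
        if "allocate an IP addr" in line:
            alloc_failed = True
        for name in NOTIFY_RE.findall(line):
            found.append({"notify": name, "after_alloc_failure": alloc_failed})
    return found


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_DEBUG)
    rep = compare_policies(pol)
    for num, r in rep.items():
        print(f"proposal {num}: only local={r['only_expected']} "
              f"only peer={r['only_received']} weak={r['weak']}")
    print("from smart defaults:", smart_default_tokens(rep))
    print("notifies:", notify_failures(SAMPLE_DEBUG))
```

    On the sample, proposal 1 differs only by the local MD596 token, which the script attributes to the smart-default proposal, while the weak list shows that both sides are still negotiating MD5 and a 768-bit MODP group; the notify list shows the INTERNAL_ADDRESS_FAILURE arriving after the NAS failed to allocate an address, which is the symptom of the Framed-Pool attribute being ignored.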

  • Cisco ASA 5505 Site-to-Site VPN

    Hi all

    First post on the forums. I have been working with Cisco ASA 5505s for a few months and I recently bought a 2nd ASA to implement a site-to-site VPN tunnel. It seems so simple in the many videos I watched on the internet. But when I did it, surprise, it did not work for me... I have removed the tunnels a number of times and tried to recreate them. I use the VPN Wizard in ASDM to create the tunnel. Both ASA 5505s are the same and have the same firmware etc.

    I'd appreciate any help that can be directed at this problem please.  Slowly losing my mind.

    Please see details below:

    Both ASDMs are 7.1

    IOS

    ASA 1

    :

    ASA Version 9.0(1)
    !
    hostname PAYBACK
    enable password HSMurh79NVmatjY0 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    !
    interface Ethernet0/1
     description Trunk link to SW1
     switchport trunk allowed vlan 1,10,20,30,40
     switchport trunk native vlan 1
     switchport mode trunk
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 92.51.193.158 255.255.255.252
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan20
     nameif servers
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface Vlan30
     nameif printers
     security-level 100
     ip address 192.168.30.1 255.255.255.0
    !
    interface Vlan40
     nameif wireless
     security-level 100
     ip address 192.168.40.1 255.255.255.0
    !
    banner login Welcome to Payback Loyalty Systems
    boot system disk0:/asa901-k8.bin
    ftp mode passive
    clock summer-time GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns domain-lookup servers
    dns domain-lookup printers
    dns domain-lookup wireless
    dns server-group DefaultDNS
     name-server 83.147.160.2
     name-server 83.147.160.130
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network ftp_server
    object network Internal_Report_Server
     host 192.168.20.21
     description Internal address of the automated report server
    object network Report_Server
     host 89.234.126.9
     description Automated reports server
    object service RDP
     service tcp destination eq 3389
     description RDP to the server
    object network Host_QA_Server
     host 89.234.126.10
     description QA host external address
    object network Internal_Host_QA
     host 192.168.20.22
     description Virtual machine host for QA
    object network Internal_QA_Web_Server
     host 192.168.20.23
     description Web server in the QA environment
    object network Web_Server_QA_VM
     host 89.234.126.11
     description Web server in the QA environment
    object service SQL_Server
     service tcp destination eq 1433
    object network Demo_Server
     host 89.234.126.12
     description Server set up for the product demo
    object network Internal_Demo_Server
     host 192.168.20.24
     description Internal IP address of the demo server
    object network NETWORK_OBJ_192.168.20.0_24
     subnet 192.168.20.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_26
     subnet 192.168.50.0 255.255.255.192
    object network NETWORK_OBJ_192.168.0.0_16
     subnet 192.168.0.0 255.255.0.0
    object service MSSQL
     service tcp destination eq 1434
     description MSSQL port
    object network VPN
     subnet 192.168.50.0 255.255.255.0
    object network NETWORK_OBJ_192.168.50.0_24
     subnet 192.168.50.0 255.255.255.0
    object service TS
     service tcp destination eq 4400
    object service TS_Return
     service tcp source eq 4400
    object network External_QA_3
     host 89.234.126.13
    object network Internal_QA_3
     host 192.168.20.25
    object network Dev_WebServer
     host 192.168.20.27
    object network External_Dev_Web
     host 89.234.126.14
    object network CIX_Subnet
     subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network NETWORK_OBJ_84.39.233.50
     host 84.39.233.50
    object network NETWORK_OBJ_92.51.193.158
     host 92.51.193.158
    object network NETWORK_OBJ_192.168.100.0_24
     subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
     service-object tcp destination eq ftp
     service-object tcp destination eq netbios-ssn
     service-object tcp destination eq smtp
     service-object object TS
    object-group network Payback_Internal
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object 192.168.40.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_3
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object object TS
     service-object object TS_Return
    object-group service DM_INLINE_SERVICE_4
     service-object object RDP
     service-object tcp destination eq www
     service-object tcp destination eq https
    object-group service DM_INLINE_SERVICE_5
     service-object object MSSQL
     service-object object RDP
     service-object object TS
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service DM_INLINE_SERVICE_6
     service-object object TS
     service-object object TS_Return
     service-object tcp destination eq www
     service-object tcp destination eq https
    access-list outside_access_in remark This rule allows Internet access to the internal server.
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark FTP
    access-list outside_access_in remark RDP
    access-list outside_access_in remark SMTP
    access-list outside_access_in remark NetBIOS
    access-list outside_access_in remark SQL
    access-list outside_access_in remark TS - 4400
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
    access-list outside_access_in remark Access rule for the internal QA host
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
    access-list outside_access_in remark Access to the internal web server:
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark HTTP
    access-list outside_access_in remark RDP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
    access-list outside_access_in remark Rule allowing access to the demo server
    access-list outside_access_in remark Allowed:
    access-list outside_access_in remark RDP
    access-list outside_access_in remark MSSQL
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
    access-list outside_access_in remark Access to the development web server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console informational
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level alerts
    mtu outside 1500
    mtu inside 1500
    mtu servers 1500
    mtu printers 1500
    mtu wireless 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-711-52.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (wireless,outside) source dynamic any interface
    nat (servers,outside) source dynamic any interface
    nat (servers,outside) source static Internal_Report_Server Report_Server
    nat (servers,outside) source static Internal_Host_QA Host_QA_Server
    nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
    nat (servers,outside) source static Internal_Demo_Server Demo_Server
    nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
    nat (servers,outside) source static Internal_QA_3 External_QA_3
    nat (servers,outside) source static Dev_WebServer External_Dev_Web
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 84.39.233.50
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 77.75.100.208 255.255.255.240 outside
    ssh 192.168.10.0 255.255.255.0 inside
    ssh 192.168.40.0 255.255.255.0 wireless
    ssh timeout 5
    console timeout 0

    dhcpd dns 192.168.0.1
    dhcpd auto_config outside
    !
    dhcpd address 192.168.10.21-192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    dhcpd option 15 ascii paybackloyalty.com interface inside
    dhcpd enable inside
    !
    dhcpd address 192.168.40.21-192.168.40.240 wireless
    dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
    dhcpd update dns interface wireless
    dhcpd option 15 ascii paybackloyalty.com interface wireless
    dhcpd enable wireless
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy Payback_VPN internal
    group-policy Payback_VPN attributes
     vpn-simultaneous-logins 10
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Payback_VPN_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
     dns-server value 83.147.160.2 83.147.160.130
     vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
    group-policy GroupPolicy_84.39.233.50 internal
    group-policy GroupPolicy_84.39.233.50 attributes
     vpn-tunnel-protocol ikev1 ikev2
    username Noelle password XB/IpvYaATP.2QYm encrypted
    username Noelle attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Éanna password vXILR9ZZQIsd1Naw encrypted privilege 0
    username Éanna attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Michael password qpbleUqUEchRrgQX encrypted
    username Michael attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
    username Danny attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
    username Aileen attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
    username Aidan attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
    username shane.c password iqGMoWOnfO6YKXbw encrypted
    username shane.c attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Shane password uYePLcrFadO9pBZx encrypted
    username Shane attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username James password TdYPv1pvld/hPM0d encrypted
    username James attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Mark password yruxpddqfyNb.qFn encrypted
    username Mark attributes
     service-type admin
    username Mary password XND5FTEiyu1L1zFD encrypted
    username Mary attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
    username Massimo attributes
     vpn-group-policy Payback_VPN
     service-type remote-access
    tunnel-group Payback_VPN type remote-access
    tunnel-group Payback_VPN general-attributes
     address-pool VPN1
     default-group-policy Payback_VPN
    tunnel-group Payback_VPN ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 general-attributes
     default-group-policy GroupPolicy_84.39.233.50
    tunnel-group 84.39.233.50 ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    !
    !
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip
      inspect snmp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect icmp error
      inspect icmp
    !
    service-policy global-policy global
    smtp-server 192.168.20.21
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0(1)
    !
    hostname Payback-CIX
    enable password HSMurh79NVmatjY0 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    !
    interface Ethernet0/1
     description This port connects to VLAN 100
     switchport access vlan 100
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     switchport access vlan 100
    !
    interface Ethernet0/4
     switchport access vlan 100
    !
    interface Ethernet0/5
     switchport access vlan 100
    !
    interface Ethernet0/6
     switchport access vlan 100
    !
    interface Ethernet0/7
     switchport access vlan 100
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 84.39.233.50 255.255.255.240
    !
    interface Vlan100
     nameif inside
     security-level 100
     ip address 192.168.100.1 255.255.255.0
    !
    banner login Welcome to Payback Loyalty - CIX
    ftp mode passive
    clock summer-time gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group defaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
    same-security-traffic permit inter-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network CIX-host-1
     host 192.168.100.2
     description This is the VM server host machine
    object network External_CIX-host-1
     host 84.39.233.51
     description This is the external IP address of the VM host server
    object service RDP
     service tcp source range 1 65535 destination eq 3389
    object network Payback_Office
     host 92.51.193.158
    object service MSQL
     service tcp destination eq 1433
    object network Development_OLTP
     host 192.168.100.10
     description VM for Eiresoft
    object network External_Development_OLTP
     host 84.39.233.52
     description This is the external IP address for the Eiresoft virtual machine
    object network Eiresoft
     host 146.66.160.70
     description Contractor s/n
    object network External_TMC_Web
     host 84.39.233.53
     description Public address of the TMC web server
    object network TMC_Webserver
     host 192.168.100.19
     description Internal address of the TMC webserver
    object network External_TMC_OLTP
     host 84.39.233.54
     description External IP of the target OLTP
    object network TMC_OLTP
     host 192.168.100.18
     description Internal IP address of the target
    object network External_OLTP_Failover
     host 84.39.233.55
     description Public IP of the OLTP failover
    object network OLTP_Failover
     host 192.168.100.60
     description OLTP failover server
    object network servers
     subnet 192.168.20.0 255.255.255.0
    object network Wired
     subnet 192.168.10.0 255.255.255.0
    object network wireless
     subnet 192.168.40.0 255.255.255.0
    object network NETWORK_OBJ_192.168.100.0_24
     subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
     subnet 192.168.10.0 255.255.255.0
    object network Eiresoft_2nd
     host 137.117.217.29
     description 2nd Eiresoft IP
    object network Dev_Test_Webserver
     host 192.168.100.12
     description Internal address of the Dev Test web server
    object network External_Dev_Test_Webserver
     host 84.39.233.56
     description This is the PB Dev Test Webserver
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object-group service DM_INLINE_SERVICE_1
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_2
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_3
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_4
     service-object object MSQL
     service-object object RDP
     service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_5
     service-object object MSQL
     service-object object RDP
     service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_6
     service-object object MSQL
     service-object object RDP
    object-group network Payback_Intrernal
     network-object object servers
     network-object object Wired
     network-object object wireless
    object-group service DM_INLINE_SERVICE_7
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_8
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_9
     service-object object MSQL
     service-object object RDP
    object-group service DM_INLINE_SERVICE_10
     service-object object MSQL
     service-object object RDP
     service-object tcp destination eq ftp
    object-group service DM_INLINE_SERVICE_11
     service-object object RDP
     service-object tcp destination eq ftp
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
    access-list outside_access_in remark Payback Office to Development OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
    access-list outside_access_in remark Eiresoft access
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
    access-list outside_access_in remark Payback Office access to the target OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
    access-list outside_access_in remark Allowing Eiresoft access to the OLTP failover server
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover
    access-list outside_access_in remark Access for the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
    access-list outside_access_in remark Access from the 2nd Eiresoft IP
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
    access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    nat (inside,outside) source static CIX-host-1 External_CIX-host-1
    nat (inside,outside) source static Development_OLTP External_Development_OLTP
    nat (inside,outside) source static TMC_Webserver External_TMC_Web
    nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
    nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
    nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 92.51.193.156 255.255.255.252 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I can see at a quick glance. They are not related to the actual VPN configuration but rather to the NAT configurations.

    All of your NAT configurations in the CLI format above are configured as Manual NAT / Twice NAT in Section 1. This means that the ASDM-generated NAT configurations have been added to the same section as the other NAT configurations, and the ordering of the NAT rules inside this section is the cause of the problem for the L2L VPN connection.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    object network LAN
     subnet 192.168.10.0 255.255.255.0
    object network REMOTE-LAN
     subnet 192.168.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup

    What the above does is first create "object"s that contain the local LAN and the remote LAN. Then it creates a NAT0 rule and adds it to the top of the NAT rules (number 1). This is essentially at least one of the problems preventing the VPN from operating or traffic from crossing it.

    Finally, we remove the old rule that ASDM generated. It would do the same thing if it were moved to the top, but I generally find creating "object"s with descriptive names easier on the eyes in the long run.

    Other suggestions

    These changes are not necessary with regard to the L2L VPN. Here are some suggestions on how to clean up part of the NAT configurations.

    object-group network PAT-SOURCE
     description Internal PAT source networks
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object 192.168.40.0 255.255.255.0
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface
    no nat (inside,outside) source dynamic any interface
    no nat (wireless,outside) source dynamic any interface
    no nat (servers,outside) source dynamic any interface

    The above configuration creates an "object-group" that lists all the internal networks for which you have dynamic PAT configured so far. It then uses the "object-group" in a single "nat" command to handle dynamic PAT for all internal networks (with the exception of the printers, which had none to begin with). Then we remove the old dynamic PAT configurations.

    The "nat" command contains "after-auto" because it moves this "nat" configuration to the bottom of the NAT rules. For this reason it is less likely to cause problems in the future.

    object network SERVERS
     subnet 192.168.20.0 255.255.255.0
    object network VPN-POOL
     subnet 192.168.50.0 255.255.255.0
    nat (servers,outside) 2 source static SERVERS SERVERS destination static VPN-POOL VPN-POOL
    no nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup

    The above configuration is supposed to create a NAT0 configuration for traffic between the server network and the VPN Client pool. To my knowledge the old configuration that we remove is not used, because the traffic would have matched the dynamic PAT rule for the servers before this rule, which is later in the NAT configurations, and so would never have been reached.

    no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

    It seems to me that the network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration seems useless and can be deleted. If I missed something and it is in use, then of course do not remove it.

    ASA2

    Minimal changes

    object network LAN
     subnet 192.168.100.0 255.255.255.0
    object network REMOTE-LAN
     subnet 192.168.10.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

    What the above does is first create "object"s that contain the local LAN and the remote LAN. Then it creates a NAT0 rule and adds it to the top of the NAT rules (number 1). This is essentially at least one of the problems preventing the VPN from operating or traffic from crossing it.

    Finally, we remove the old rule that ASDM generated.

    Other suggestions

    object-group network PAT-SOURCE
     network-object 192.168.100.0 255.255.255.0
    nat (any,outside) after-auto source dynamic PAT-SOURCE interface
    no nat (inside,outside) source dynamic any interface

    The above configuration is supposed to do the same thing as on the other ASA. Although, given that this network contains only a single subnet, it does not clean up the existing "nat" configurations that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

    It seems to me that the network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration seems useless and can be deleted. If I missed something and it is in use, then of course do not remove it.

    I would suggest trying the NAT0 configuration changes related to the L2L VPN first and testing traffic. If that gets the connectivity working, then you could consider changing the other NAT configurations. There are other things that could also be changed with regard to the static NAT for the servers, but that is probably better left for another time.

    Hope this makes sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni
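    The answer above turns on one fact: the ASA walks its NAT table in section order (Section 1 manual NAT in configured order, then Section 2 object NAT, then Section 3 "after-auto" manual NAT) and the first matching rule wins, so a broad "source dynamic any interface" rule above the VPN identity rule translates the VPN traffic before the crypto map can match it. The following Python model is an added example written for this page; it is not code from the thread or from Cisco. The rule labels, the "outside-interface-ip" placeholder for a PAT result, and the simplification that Section 2 is kept in configured order (a real ASA sorts Section 2 by static-before-dynamic and prefix length) are assumptions of the model; the networks are the ones in the posted ASA2 configuration.

    ```python
    """Model of the Cisco ASA (8.3+) NAT table order that the reply above relies on.

    Section 1 (manual / twice NAT) is evaluated first, in configured order, then
    Section 2 (object NAT), then Section 3 (manual NAT entered with 'after-auto').
    The first matching rule wins.
    Assumption/simplification: Section 2 is kept in configured order here; a real
    ASA sorts it by static-before-dynamic, prefix length and object name.
    """
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network
    from typing import Dict, List, Optional, Tuple

    MANUAL, OBJECT, AFTER_AUTO = 1, 2, 3      # evaluated in this order


    @dataclass
    class NatRule:
        name: str        # label for this model only, not an ASA identifier
        section: int
        src: str         # matched source: "any" or a CIDR
        dst: str         # matched destination: "any" or a CIDR
        xlate: str       # "identity" (NAT0), "interface" (dynamic PAT) or a mapped CIDR


    def _matches(net: str, ip: str) -> bool:
        return net == "any" or ip_address(ip) in ip_network(net)


    class NatTable:
        def __init__(self) -> None:
            self.sections: Dict[int, List[NatRule]] = {MANUAL: [], OBJECT: [], AFTER_AUTO: []}

        def add(self, rule: NatRule, line: Optional[int] = None) -> None:
            """Append to the end of the rule's section or, like 'nat (in,out) 1 source ...',
            insert at a 1-based line number within that section."""
            rules = self.sections[rule.section]
            if line is None:
                rules.append(rule)
            else:
                rules.insert(line - 1, rule)

        def remove(self, name: str) -> None:
            for rules in self.sections.values():
                rules[:] = [r for r in rules if r.name != name]

        def lookup(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
            """Return (winning rule, translated source) for a packet; first match wins."""
            for section in (MANUAL, OBJECT, AFTER_AUTO):
                for r in self.sections[section]:
                    if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
                        if r.xlate == "identity":
                            return r.name, src_ip
                        if r.xlate == "interface":
                            return r.name, "outside-interface-ip"   # placeholder for the PAT address
                        return r.name, r.xlate
            return "no-nat", src_ip


    def asa2_as_posted() -> NatTable:
        """Section-1 order as it appeared in the posted config: the PAT-to-interface
        rule was entered first, the ASDM-generated identity NAT for the VPN last."""
        t = NatTable()
        t.add(NatRule("pat-any-interface", MANUAL, "any", "any", "interface"))
        t.add(NatRule("nat0-192.168.100-to-192.168.10", MANUAL,
                      "192.168.100.0/24", "192.168.10.0/24", "identity"))
        return t


    def asa2_after_fix() -> NatTable:
        """The reply's change: identity NAT forced to line 1 of Section 1 and the
        dynamic PAT re-entered with 'after-auto' so it lands in Section 3."""
        t = asa2_as_posted()
        t.remove("pat-any-interface")
        t.remove("nat0-192.168.100-to-192.168.10")
        t.add(NatRule("nat0-LAN-to-REMOTE-LAN", MANUAL,
                      "192.168.100.0/24", "192.168.10.0/24", "identity"), line=1)
        t.add(NatRule("pat-PAT-SOURCE-after-auto", AFTER_AUTO,
                      "192.168.100.0/24", "any", "interface"))
        return t


    if __name__ == "__main__":
        for label, table in (("as posted", asa2_as_posted()), ("after fix", asa2_after_fix())):
            print(label, "VPN  :", table.lookup("192.168.100.5", "192.168.10.5"))
            print(label, "inet :", table.lookup("192.168.100.5", "203.0.113.9"))
    ```

    Run as a script it prints the winning rule for a host on 192.168.100.0/24 talking to the remote LAN and to the Internet, before and after the change: before, both flows hit the PAT rule and the VPN traffic leaves with the outside address, so it never matches outside_cryptomap; after, the VPN flow keeps its real source and only Internet-bound traffic is PATed.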

  • L2L VPN 1941 to ASA

    Hi all

    I have a strange problem trying to establish a VPN between my device (1941) and a remote ASA.

    The issue, as far as I can tell, is that the IKE exchange collapses right after MM6. I'm not an expert in this, but I'll try to explain to the best of my knowledge.

    Here's a full debug crypto isakmp output:
    *Jun 10 05:12:05.187: ISAKMP:(1001):purging SA., sa=3AD3BE6C, delme=3AD3BE6C
    *Jun 10 05:12:05.259: ISAKMP:(0): SA request profile is (NULL)
    *Jun 10 05:12:05.259: ISAKMP: Created a peer struct for 41.223.4.83, peer port 500
    *Jun 10 05:12:05.259: ISAKMP: New peer created peer = 0x4B475724 peer_handle = 0x80000004
    *Jun 10 05:12:05.259: ISAKMP: Locking peer struct 0x4B475724, refcount 1 for isakmp_initiator
    *Jun 10 05:12:05.259: ISAKMP: local port 500, remote port 500
    *Jun 10 05:12:05.263: ISAKMP: set new node 0 to QM_IDLE
    *Jun 10 05:12:05.263: ISAKMP: find a dup sa in the avl tree during calling isadb_insert sa = 3AD3BE6C
    *Jun 10 05:12:05.263: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jun 10 05:12:05.263: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jun 10 05:12:05.263: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jun 10 05:12:05.263: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jun 10 05:12:05.263: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Jun 10 05:12:05.263: ISAKMP:(0): beginning Main Mode exchange
    *Jun 10 05:12:05.263: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jun 10 05:12:05.263: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.475: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_NO_STATE
    *Jun 10 05:12:05.475: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.475: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Jun 10 05:12:05.475: ISAKMP:(0): processing SA payload. message ID = 0
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.475: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.475: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.475: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.475: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.475: ISAKMP:(0): local preshared key found
    *Jun 10 05:12:05.475: ISAKMP : Scanning profiles for xauth ...
    *Jun 10 05:12:05.475: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    *Jun 10 05:12:05.475: ISAKMP:      encryption AES-CBC
    *Jun 10 05:12:05.475: ISAKMP:      keylength of 256
    *Jun 10 05:12:05.475: ISAKMP:      hash SHA
    *Jun 10 05:12:05.475: ISAKMP:      default group 2
    *Jun 10 05:12:05.475: ISAKMP:      auth pre-share
    *Jun 10 05:12:05.475: ISAKMP:      life type in seconds
    *Jun 10 05:12:05.475: ISAKMP:      life duration (basic) of 28800
    *Jun 10 05:12:05.475: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Acceptable atts:life: 0
    *Jun 10 05:12:05.475: ISAKMP:(0):Basic life_in_seconds:28800
    *Jun 10 05:12:05.475: ISAKMP:(0):Returning Actual lifetime: 28800
    *Jun 10 05:12:05.475: ISAKMP:(0)::Started lifetime timer: 28800.

    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jun 10 05:12:05.511: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jun 10 05:12:05.511: ISAKMP:(0): processing vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0): processing IKE frag vendor id payload
    *Jun 10 05:12:05.511: ISAKMP:(0):Support for IKE Fragmentation not enabled
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Jun 10 05:12:05.511: ISAKMP:(0): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jun 10 05:12:05.511: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.511: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.511: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Jun 10 05:12:05.727: ISAKMP (0): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jun 10 05:12:05.727: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.727: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Jun 10 05:12:05.727: ISAKMP:(0): processing KE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jun 10 05:12:05.759: ISAKMP:(0):found peer pre-shared key matching 41.223.4.83
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is Unity
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID seems Unity/DPD but major 104 mismatch
    *Jun 10 05:12:05.759: ISAKMP:(1003): vendor ID is XAUTH
    *Jun 10 05:12:05.759: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): speaking to another IOS box!
    *Jun 10 05:12:05.763: ISAKMP:(1003): processing vendor id payload
    *Jun 10 05:12:05.763: ISAKMP:(1003): vendor ID seems Unity/DPD but hash mismatch
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): His hash no match - this node outside NAT
    *Jun 10 05:12:05.763: ISAKMP:received payload type 20
    *Jun 10 05:12:05.763: ISAKMP (1003): No NAT Found for self or peer
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Jun 10 05:12:05.763: ISAKMP:(1003):Send initial contact
    *Jun 10 05:12:05.763: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jun 10 05:12:05.763: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 82.117.193.82
        protocol     : 17
        port         : 500
        length       : 12
    *Jun 10 05:12:05.763: ISAKMP:(1003):Total payload length: 12
    *Jun 10 05:12:05.763: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jun 10 05:12:05.763: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.763: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.763: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

    *Jun 10 05:12:05.975: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing ID payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP (1003): ID payload
        next-payload : 8
        type         : 1
        address      : 41.223.4.83
        protocol     : 17
        port         : 0
        length       : 12
    *Jun 10 05:12:05.975: ISAKMP:(0):: peer matches *none* of the profiles
    *Jun 10 05:12:05.975: ISAKMP:(1003): processing HASH payload. message ID = 0
    *Jun 10 05:12:05.975: ISAKMP:received payload type 17
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA authentication status:
        authenticated
    *Jun 10 05:12:05.979: ISAKMP:(1003):SA has been authenticated with 41.223.4.83
    *Jun 10 05:12:05.979: ISAKMP: Trying to insert a peer 82.117.193.82/41.223.4.83/500/, and inserted successfully 4B475724.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:05.979: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 2434392874
    *Jun 10 05:12:05.979: ISAKMP:(1003):QM Initiator gets spi
    *Jun 10 05:12:05.979: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:05.979: ISAKMP:(1003):Node 2434392874, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    *Jun 10 05:12:05.979: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    *Jun 10 05:12:05.979: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.195: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP: set new node 169965215 to QM_IDLE
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing HASH payload. message ID = 169965215
    *Jun 10 05:12:06.195: ISAKMP:(1003): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 169965215, sa = 0x3AD3BE6C
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 169965215 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

    *Jun 10 05:12:06.199: ISAKMP (1003): received packet from 41.223.4.83 dport 500 sport 500 Global (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP: set new node 1149953416 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing HASH payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003): processing DELETE payload. message ID = 1149953416
    *Jun 10 05:12:06.199: ISAKMP:(1003):peer does not do paranoid keepalives.

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting node 1149953416 error FALSE reason "Informational (in) state 1"
    *Jun 10 05:12:06.199: ISAKMP: set new node 613686650 to QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003): sending packet to 41.223.4.83 my_port 500 peer_port 500 (I) QM_IDLE
    *Jun 10 05:12:06.199: ISAKMP:(1003):Sending an IKE IPv4 Packet.
    *Jun 10 05:12:06.199: ISAKMP:(1003):purging node 613686650
    *Jun 10 05:12:06.199: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jun 10 05:12:06.199: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

    *Jun 10 05:12:06.199: ISAKMP:(1003):deleting SA reason "No reason" state (I) QM_IDLE       (peer 41.223.4.83)
    *Jun 10 05:12:06.199: ISAKMP: Unlocking peer struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
    *Jun 10 05:12:06.199: ISAKMP: Deleting peer node by peer_reap for 41.223.4.83: 4B475724
    *Jun 10 05:12:06.203: ISAKMP:(1003):deleting node -1860574422 error FALSE reason "IKE deleted"
    *Jun 10 05:12:06.203: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jun 10 05:12:06.203: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

    *Jun 10 05:12:25.187: ISAKMP:(1002):purging node 1140237073

    Installed IOS is c1900-universalk9-mz.SPA.154-3.M5.bin

    Before that I had 15.3, same thing.

    BGPR1#sho run
    Building configuration...

    Current configuration : 5339 bytes
    !
    ! Last configuration change at 05:19:14 UTC Fri Jun 10 2016 by boris
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname BGPR1
    !
    boot-start-marker
    boot system flash0:c1900-universalk9-mz.SPA.154-3.M5.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip flow-cache timeout active 1
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    crypto pki trustpoint TP-self-signed-
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-
     revocation-check none
     rsakeypair TP-self-signed-3992366821
    !
    !
    crypto pki certificate chain TP-self-signed-
     certificate self-signed 01
            quit
    license udi pid CISCO1941/K9 sn CF
    !
    !
    username
    username
    !
    redundancy
    !
    !
    !
    no crypto ikev2 diagnose error
    !
    !
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key ***** address 41.223.4.83
    !
    !
    crypto ipsec transform-set Meridian ah-sha-hmac esp-aes 256
     mode tunnel
    !
    !
    !
    crypto map Meridian 10 ipsec-isakmp
     description VODACOM VPN
     set peer 41.223.4.83
     set security-association lifetime seconds 86400
     set transform-set Meridian
     match address 100
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description peer na Telekom
     ip address 79.101.96.6 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/1
     description peer na SBB
     ip address 82.117.193.82 255.255.255.252
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
     no cdp enable
     crypto map Meridian
    !
    interface FastEthernet0/0/0
     no ip address
    !
    interface FastEthernet0/0/1
     no ip address
    !
    interface FastEthernet0/0/2
     no ip address
    !
    interface FastEthernet0/0/3
     switchport access vlan 103
     no ip address
    !
    interface Vlan1
     ip address 37.18.184.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Vlan103
     ip address 10.10.10.1 255.255.255.0
    !
    router bgp 198370
     bgp log-neighbor-changes
     network 37.18.184.0 mask 255.255.255.0
     neighbor 10.10.10.2 remote-as 201047
     neighbor 10.10.10.2 route-map T-OUT out
     neighbor 79.101.96.5 remote-as 8400
     neighbor 79.101.96.5 fall-over
     neighbor 79.101.96.5 route-map LOCALPREF in
     neighbor 79.101.96.5 route-map T-OUT out
     neighbor 82.117.193.81 remote-as 31042
     neighbor 82.117.193.81 fall-over
     neighbor 82.117.193.81 route-map LocalOnly out
    !
    ip forward-protocol nd
    !
    ip as-path access-list 10 permit ^$
    ip as-path access-list 20 permit ^31042$
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-export source Vlan1
    ip flow-export version 5 peer-as
    ip flow-export destination 37.18.184.8 2055
    !
    ip route 37.18.184.0 255.255.255.0 Null0
    ip route 104.28.15.63 255.255.255.255 79.101.96.5
    ip route 217.26.67.79 255.255.255.255 79.101.96.5
    !
    !
    ip prefix-list Filter_IN_Telekom seq 10 permit 0.0.0.0/0
    !
    route-map T-OUT permit 10
     match as-path 10
    !
    route-map LOCALPREF permit 10
     set local-preference 90
    !
    route-map SBBOnly permit 10
     match as-path 20
    !
    route-map LocalOnly permit 10
     match as-path 10
    !
    !
    snmp-server community m3r1d1an RO
    snmp-server ifindex persist
    access-list 100 permit ip host 37.18.184.4 host 41.217.203.234
    access-list 100 permit ip host 37.18.184.169 host 41.217.203.234
    !
    control-plane
    !
    !
    !
    line con 0
     logging synchronous
     login local
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     privilege level 15
     login local
     transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    BGPR1#

    BGPR1#sho cry isa sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id status

    41.223.4.83     82.117.193.82   MM_NO_STATE       1106 ACTIVE (deleted)

    41.223.4.83     82.117.193.82   MM_NO_STATE       1105 ACTIVE (deleted)

    For "sho cry ipsec sa" I only get a lot of send errors.

    For the other end, I was given all the settings; I have no access to that device, and they insist that this is a simple setup and that any problem is on my side.

    I tried juggling the order of the access list, the crypto map security-association lifetime and all the "googlable" solutions I could find.

    Any input appreciated.

    Double-check that phase 2 matches on the ASA, including PFS.

    crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256
     mode tunnel
  • Cannot access my home network via AnyConnect

    I am able to connect through the AnyConnect client and get an IP address, but I am not able to access my administration (internal) network.

    Administration = 10.18.1.120

    VPN pool = 172.16.10.0/28

    Outside = 10.17.13.120

    This is my config:

    ASA 1.0000 Version 2
    !
    !
    interface GigabitEthernet0/0
     nameif administration
     security-level 100
     ip address 10.18.1.120 255.255.0.0
    !
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 10.17.13.120 255.255.0.0
    !
    interface GigabitEthernet0/2
     nameif admin-out13
     security-level 0
     ip address 10.13.1.120 255.255.0.0
    !
    interface GigabitEthernet0/3
     nameif VOIP
     security-level 0
     ip address 10.90.100.120 255.255.0.0
    !
    ftp mode passive
    object network NETWORK_OBJ_172.16.10.0_29
     subnet 172.16.10.0 255.255.255.248
    object network Admin_Email_Server
     host 10.18.4.120
     description admin e-mail server
    object network Admin_Srv_Farm
     subnet 10.18.4.0 255.255.255.0
     description subenet where the admin servers are hosted
    object-group icmp-type ICMP_Group
     icmp-object alternate-address
     icmp-object conversion-error
     icmp-object echo
     icmp-object echo-reply
     icmp-object information-reply
     icmp-object information-request
     icmp-object mask-reply
     icmp-object mask-request
     icmp-object mobile-redirect
     icmp-object parameter-problem
     icmp-object redirect
     icmp-object router-advertisement
     icmp-object router-solicitation
     icmp-object source-quench
     icmp-object time-exceeded
     icmp-object timestamp-reply
     icmp-object timestamp-request
     icmp-object traceroute
     icmp-object unreachable
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu administration 1500
    mtu outside 1500
    mtu admin-out13 1500
    mtu ip_phones 1500
    ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
    nat (administration,outside) source static Admin_Srv_Farm Admin_Srv_Farm destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.18.0.0 255.255.0.0 administration
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=admin-pare-fire
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.90.100.1-10.90.100.100 ip_phones
    dhcpd dns 4.2.2.2 8.8.8.8 interface ip_phones
    dhcpd lease 1800 interface ip_phones
    dhcpd domain uz.ac.zw interface ip_phones
    dhcpd option 3 ip 10.90.1.254 interface ip_phones
    dhcpd enable ip_phones
    !
    !
    tls-proxy maximum-session 1000
    !
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     anyconnect profiles ITADMIN_VPN_client_profile disk0:/ITADMIN_VPN_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_ITADMIN_VPN internal
    group-policy GroupPolicy_ITADMIN_VPN attributes
     wins-server none
     dns-server value 10.18.4.120 10.50.7.178
     vpn-tunnel-protocol ikev2 ssl-client
     default-domain value uz.ac.zw
     webvpn
      anyconnect profiles value ITADMIN_VPN_client_profile type user
    username webster password nwgth7HVlZ/qiWnP encrypted
    username webster attributes
     service-type remote-access
    username admin password xxxxxxxxxxx encrypted privilege 15
    username user2 password xxxxxxxxxxx encrypted privilege 15
    username user2 attributes
     service-type remote-access
    tunnel-group ITADMIN_VPN type remote-access
    tunnel-group ITADMIN_VPN general-attributes
     address-pool ADMIN_VPN_POOL
     default-group-policy GroupPolicy_ITADMIN_VPN
    tunnel-group ITADMIN_VPN webvpn-attributes
     group-alias ITADMIN_VPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
     class class-default
      user-statistics accounting
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c9820a69d5b4fb9e3f7cce253f2450e4

    After adding the "management-access administration" command, please check whether you are able to ping the administration interface (ip = 10.18.1.120) from the remote user's machine. In addition, run this command on the ASA:

    packet-tracer input administration icmp 8 0 detailed

    Once you have run it, please copy the output and share it here. The ip address of the host means the host sitting behind the administration interface that you think should be reachable by ping from outside; the assigned ip address is the address assigned to the AnyConnect client from the pool.

    Share the details here and we will be able to understand the issue.

    Thank you

    Vishnu

  • ASA 5505: Site-to-Site VPN does not connect!

    Hello!
    More than a week ago we got a new communication channel from MGTS (ONT terminal Sercomm RV6688BCM, which barely works in 'bridge' mode; the provider had to do it so that we could receive our white Cisco IP address), and now I have been trying for more than a week to bring up an IKEv1 IPsec Site-to-Site VPN tunnel between our offices.
    I configured it both with the wizard in ASDM and by hand in the CLI; the result is the same, the connection does not come up.
    Cisco version 9.2(2), image asa922-k8.bin, Security Plus license, ASDM version 7.2(2).
    I cannot figure out what is wrong...
    Debug output and the complete configuration are attached below.
    Help, anyone who can, please! I am completely exhausted!

    Config:

    Output of the command: "sh run"

    : Saved
    :
    : Serial Number: XXXXXXXXXXXX
    : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(2)
    !
    hostname door-71
    enable password F6OJ0GOws7WHxeql encrypted
    names
    ip local pool vpnpool 10.1.72.100-10.1.72.120 mask 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.72.254 255.255.255.0
    !
    interface Vlan2
     nameif outside_mgts
     security-level 0
     ip address 62.112.100.R1 255.255.255.252
    !
    ftp mode passive
    clock timezone MSK/MSD 3
    clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group MGTS
     name-server 195.34.31.50
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network NET72
     subnet 10.1.72.0 255.255.255.0
    object network obj-0.0.0.0
     host 0.0.0.0
    object network Nafanya
     host 10.1.72.5
    object network obj-10.1.72.0
     subnet 10.1.72.0 255.255.255.0
    object network NET61
     subnet 10.1.61.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.96_27
     subnet 10.1.72.96 255.255.255.224
    object network NETT72
     subnet 10.1.72.0 255.255.255.0
    object network NET30
     subnet 10.1.30.0 255.255.255.0
    object network NETWORK_OBJ_10.1.72.0_24
     subnet 10.1.72.0 255.255.255.0
    object-group service OG INET
     service-object icmp echo
     service-object icmp echo-reply
     service-object icmp traceroute
     service-object icmp unreachable
     service-object tcp-udp destination eq echo
    object-group network DM_INLINE_NETWORK_1
     network-object object NET30
     network-object object NET72
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in extended permit ip object NET72 object-group DM_INLINE_NETWORK_1
    access-list inside_access_in extended permit ip 10.1.72.0 255.255.255.0 any
    access-list inside_access_in extended permit ip object Nafanya any inactive
    access-list inside_access_in extended permit object-group OG INET any any
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended deny ip any any log alerts
    access-list outside_mgts_access_in extended permit object-group OG INET any any
    access-list outside_mgts_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_mgts_access_in extended deny ip any any log alerts
    access-list outside_mgts_cryptomap extended permit ip 10.1.72.0 255.255.255.0 object NET61
    access-list VPN-ST_splitTunnelAcl standard permit 10.1.72.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside_mgts 1500
    ip verify reverse-path interface outside_mgts
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside_mgts) source static NET72 NET72 destination static NETWORK_OBJ_10.1.72.96_27 NETWORK_OBJ_10.1.72.96_27 no-proxy-arp route-lookup
    nat (inside,outside_mgts) source static NETWORK_OBJ_10.1.72.0_24 NETWORK_OBJ_10.1.72.0_24 destination static NET61 NET61 no-proxy-arp route-lookup
    !
    object network obj_any
     nat (inside,outside_mgts) dynamic obj-0.0.0.0
    object network NET72
     nat (inside,outside_mgts) dynamic interface dns
    access-group inside_access_in in interface inside
    access-group outside_mgts_access_in in interface outside_mgts
    route outside_mgts 0.0.0.0 0.0.0.0 62.112.100.R 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.72.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-A ES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_mgts_map 1 match address outside_mgts_cryptomap
    crypto map outside_mgts_map 1 set pfs group1
    crypto map outside_mgts_map 1 set peer 91.188.180.42
    crypto map outside_mgts_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_mgts_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_mgts_map interface outside_mgts
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     email [email protected]
     subject-name CN=door-71
     serial-number
     ip-address 62.112.100.42
     proxy-ldc-issuer
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment self
     keypair ASDM_TrustPoint1
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate eff26954
      quit
    crypto ca certificate chain ASDM_TrustPoint1
     certificate a39a2b54
      quit
    crypto isakmp identity address
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside_mgts client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable inside
    crypto ikev1 enable outside_mgts
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh 10.1.72.0 255.255.255.0 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpnclient server 91.188.180.X
    vpnclient mode network-extension-mode
    vpnclient nem-st-autoconnect
    vpnclient vpngroup VPN-L2L password *****
    vpnclient username aradetskayaL password *****
    dhcpd auto_config outside_mgts
    !
    dhcpd update dns both override interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside_mgts
    webvpn
     enable outside_mgts
    group-policy GroupPolicy_91.188.180.X internal
    group-policy GroupPolicy_91.188.180.X attributes
     vpn-tunnel-protocol ikev1
    group-policy VPN-ST internal
    group-policy VPN-ST attributes
     dns-server value 195.34.31.50 8.8.8.8
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-ST_splitTunnelAcl
     default-domain none
    username aradetskayaL password HR3qeva85hzXT6KK encrypted privilege 15
    tunnel-group 91.188.180.X type ipsec-l2l
    tunnel-group 91.188.180.X general-attributes
     default-group-policy GroupPolicy_91.188.180.42
    tunnel-group 91.188.180.X ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 remote-authentication certificate
     ikev2 local-authentication pre-shared-key *****
    tunnel-group VPN-ST type remote-access
    tunnel-group VPN-ST general-attributes
     address-pool vpnpool
     default-group-policy VPN-ST
    tunnel-group VPN-ST ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:212e4f5035793d1c219fed57751983d8
    : end

    door-71 # sh crypto ikev1 his

    There are no SAs IKEv1

    door-71 # sh crypto ikev2 his

    There are no SAs IKEv2

    door-71 # sh crypto ipsec his


    There is no ipsec security associations
    door-71 # sh crypto isakmp

    There are no SAs IKEv1

    There are no SAs IKEv2

    Global statistics IKEv1
    The active Tunnels: 0
    Previous Tunnels: 0
    In bytes: 0
    In the packages: 0
    In packs of fall: 0
    In Notifys: 0
    In the constituencies of P2: 0
    In P2 invalid Exchange: 0
    In P2 Exchange rejects: 0
    Requests for removal in his P2: 0
    Bytes: 0
    Package: 0
    Fall packages: 0
    NOTIFYs out: 0


    Exchanges of P2: 0
    The Invalides Exchange P2: 0
    Exchange of P2 rejects: 0
    Requests to remove on P2 Sa: 0
    Tunnels of the initiator: 0
    Initiator fails: 0
    Answering machine fails: 0
    Ability system breaks down: 0
    AUTH failed: 0
    Decrypt failed: 0
    Valid hash fails: 0
    No failure his: 0

    IKEV1 statistics for Admission appeals
    In negotiating SAs Max: 25
    In negotiating SAs: 0
    In negotiating SAs Highwater: 0
    In negotiating SAs rejected: 0

    Global statistics IKEv2
    The active Tunnels: 0
    Previous Tunnels: 0
    In bytes: 0
    In the packages: 0
    In packs of fall: 0
    In Fragments of fall: 0
    In Notifys: 0
    In Exchange for the P2: 0
    In P2 invalid Exchange: 0
    In P2 Exchange rejects: 0
    In IPSEC delete: 0
    In delete IKE: 0
    Bytes: 0
    Package: 0
    Fall packages: 0
    Fragments of fall: 0
    NOTIFYs out: 0
    Exchange of P2: 0
    The Invalides Exchange P2: 0
    Exchange of P2 rejects: 0
    On IPSEC delete: 0
    The IKE Delete: 0
    Locally launched sAs: 0
    Locally launched sAs failed: 0
    SAs remotely initiated: 0
    SAs remotely initiated failed: 0
    System capacity: 0
    Authentication failures: 0
    Decrypt failures: 0
    Hash failures: 0
    Invalid SPI: 0
    In the Configs: 0
    Configs: 0
    In the Configs rejects: 0
    Configs rejects: 0
    Previous Tunnels: 0
    Previous Tunnels wraps: 0
    In the DPD Messages: 0
    The DPD Messages: 0
    The NAT KeepAlive: 0
    IKE recomposition launched locally: 0
    IKE returned to the remote initiated key: 0
    Generate a new key CHILD initiated locally: 0
    CHILD given to the remote initiated key: 0

    IKEV2 statistics for Admission appeals
    Max active SAs: no limit
    Max in negotiating SAs: 50
    Challenge cookie line: never
    Active sAs: 0
    In negotiating SAs: 0
    Incoming requests: 0
    Accepted incoming requests: 0
    A rejected incoming requests: 0
    Out of requests: 0
    Out of the applications accepted: 0
    The outgoing rejected requests: 0
    A rejected queries: 0
    Rejected at the SA: 0 Max limit
    Rejected low resources: 0
    Rejected the current reboot: 0
    Challenges of cookie: 0
    Cookies transmitted challenges: 0
    Challenges of cookie failed: 0

    IKEv1 global IPSec over TCP statistics
    --------------------------------
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Incoming packets: 0
    Inbound packets ignored: 0
    Outgoing packets: 0
    Outbound packets ignored: 0
    The RST packets: 0
    Heartbeat Recevied ACK packets: 0
    Bad headers: 0
    Bad trailers: 0
    Chess timer: 0
    Checksum errors: 0
    Internal error: 0

     
    door-71 # sh statistical protocol all cryptographic
    [Statistics IKEv1]
    Encrypt packets of requests: 0
    Encapsulate packets of requests: 0
    Decrypt packets of requests: 0
    Decapsulating requests for package: 0
    HMAC calculation queries: 0
    ITS creation queries: 0
    SA asked to generate a new key: 0
    Deletion requests: 0
    Next phase of allocation key applications: 0
    Number of random generation queries: 0
    Failed requests: 0
    [Statistics IKEv2]
    Encrypt packet requests: 0
    Encapsulate packet requests: 0
    Decrypt packet requests: 0
    Decapsulate packet requests: 0
    HMAC calculation requests: 0
    SA creation requests: 0
    SA rekey requests: 0
    SA deletion requests: 0
    Next phase key allocation requests: 0
    Random number generation requests: 0
    Failed requests: 0
    [IPsec statistics]
    Encrypt packet requests: 0
    Encapsulate packet requests: 0
    Decrypt packet requests: 0
    Decapsulate packet requests: 0
    HMAC calculation requests: 0
    SA creation requests: 0
    SA rekey requests: 0
    SA deletion requests: 0
    Next phase key allocation requests: 0
    Random number generation requests: 0
    Failed requests: 0
    [SSL statistics]
    Encrypt packet requests: 19331
    Encapsulate packet requests: 19331
    Decrypt packet requests: 437
    Decapsulate packet requests: 437
    HMAC calculation requests: 19768
    SA creation requests: 178
    SA rekey requests: 0
    SA deletion requests: 176
    Next phase key allocation requests: 0
    Random number generation requests: 0
    Failed requests: 0
    [SSH statistics are not supported]
    [SRTP statistics]
    Encrypt packet requests: 0
    Encapsulate packet requests: 0
    Decrypt packet requests: 0
    Decapsulate packet requests: 0
    HMAC calculation requests: 0
    SA creation requests: 0
    SA rekey requests: 0
    SA deletion requests: 0
    Next phase key allocation requests: 0
    Random number generation requests: 0
    Failed requests: 0
    [Other statistics]
    Encrypt packet requests: 0
    Encapsulate packet requests: 0
    Decrypt packet requests: 0
    Decapsulate packet requests: 0
    HMAC calculation requests: 6238
    SA creation requests: 0
    SA rekey requests: 0
    SA deletion requests: 0
    Next phase key allocation requests: 0
    Random number generation requests: 76
    Failed requests: 9

    door-71# sh crypto ca trustpoints

    Trustpoint ASDM_TrustPoint0:
        Configured for self-signed certificate generation.

    Trustpoint ASDM_TrustPoint1:
        Configured for self-signed certificate generation.

    If you need anything more, just ask!
    Can anyone explain why it doesn't want to work?

    Hello

    When an IPsec tunnel does not come up, the first thing that comes to mind is to run a packet-tracer from the CLI and look at its phases. Please run this command from your firewall side and share the output. I have just put this command together with a random IP address and ports from the range you gave:

    packet-tracer input inside tcp 10.1.72.2 1233 10.1.61.2 443 detailed

    Best regards

    Amandine

  • Site-to-site VPN connectivity

    I have just set up a site-to-site VPN between an ASA 5515-X and an ASA 5505. The tunnel is up, but I cannot ping the other site from the 5505 or vice versa. Here is the tunnel status and the ASA configs. Any help or comment is appreciated. Thank you!

    ASA5515X# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

          access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 175.141.X.X

          #pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1595, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
          path mtu 1492, ipsec overhead 66(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: FC699E19
          current inbound spi : FFFCF744

        inbound esp sas:
          spi: 0xFFFCF744 (4294768452)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 462848, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/22042)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0xFC699E19 (4234780185)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 462848, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914825/22042)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5515X

    ASA Version 9.1(1)
    !
    hostname ASA5515X
    !
    interface GigabitEthernet0/0
     description TIMEFibre
     nameif outside
     security-level 0
     pppoe client vpdn group navision
     ip address pppoe setroute
    !
    interface GigabitEthernet0/1
     description Internal LAN
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    !
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 192.168.0.10
    object network SVR001
     host 192.168.0.13
     description Hyper-V server
    object network SVR002
     host 192.168.0.12
     description SQL Server
    object network SVR003
     host 192.168.0.10
     description Domain controller
    object network SVR004
     host 192.168.0.11
     description Terminal Server
    object network local
     subnet 192.168.0.0 255.255.255.0
     description MFW
    object network remote-A
     subnet 192.168.1.0 255.255.255.0
     description FWSG
    object network remote-B
     subnet 192.168.2.0 255.255.255.0
     description FWWW
    object network remote-C
     subnet 192.168.3.0 255.255.255.0
     description FWFM
    object network remote-D
     subnet 192.168.4.0 255.255.255.0
     description PGRHF
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list outside_cryptomap_10 extended permit ip object local object remote-B
    access-list inside_access_in extended permit object-group TCPUDP any any
    access-list inside_access_in extended permit icmp any4 any echo
    access-list outside_access_in extended permit object-group TCPUDP any any
    access-list inside_authentication extended permit tcp any any eq ssh
    pager lines 24
    logging enable
    logging timestamp
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static local local destination static remote-A remote-A no-proxy-arp route-lookup inactive
    nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
    !
    object network SVR001
     nat (any,outside) static interface service tcp 3389 50013
    object network SVR002
     nat (any,outside) static interface service tcp 3389 50012
    object network SVR003
     nat (any,outside) static interface service tcp 3389 50010
    object network SVR004
     nat (any,outside) static interface service tcp 3389 50011
    !
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 211.24.199.129 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication match inside_authentication inside
    aaa authorization command LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 management
    http authentication-certificate inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map 10 match address outside_cryptomap_10
    crypto map outside_map 10 set pfs group1
    crypto map outside_map 10 set peer 175.141.X.X
    crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 2 5
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    vpdn group navision request dialout pppoe
    vpdn group navision localname [email protected]
    vpdn group navision ppp authentication pap
    vpdn username [email protected] password ***** store-local
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 8.8.8.8 interface inside
    dhcpd wins 192.168.0.10 interface inside
    dhcpd enable inside
    !
    dhcpd address 10.0.0.100-10.0.0.110 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group 175.141.X.X type ipsec-l2l
    tunnel-group 175.141.X.X ipsec-attributes
     ikev1 pre-shared-key *****
    !
    class-map ICMP-class
     match default-inspection-traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map icmp_policy
     class ICMP-class
      inspect icmp
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    service-policy icmp_policy interface inside
    prompt hostname context

    (Behind a router)

    ASA5505# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200

          access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          current_peer: 211.24.X.X

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.16.10.200/4500, remote crypto endpt.: 211.24.X.X/4500
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: FFFCF744
          current inbound spi : FC699E19

        inbound esp sas:
          spi: 0xFC699E19 (4234780185)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
             slot: 0, conn_id: 348160, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373831/22284)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xFFFCF744 (4294768452)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
             slot: 0, conn_id: 348160, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/22284)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5505

    ASA Version 8.2(5)
    !
    hostname ASA5505
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 3
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 172.16.10.200 255.255.255.0
    !
    interface Vlan3
     no forward interface Vlan2
     nameif management
     security-level 0
     ip address 10.0.0.1 255.255.255.0
     management-only
    !
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.0.0.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 211.24.X.X
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.100-192.168.2.130 inside
    dhcpd dns 192.168.2.1 8.8.8.8 interface inside
    dhcpd enable inside
    !
    dhcpd address 10.0.0.100-10.0.0.110 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 211.24.X.X type ipsec-l2l
    tunnel-group 211.24.X.X ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Update:

    Traffic to the other end is being dropped by the implicit rule, but there is already an access list configured, isn't there?

    ASA5515X# sh crypto ipsec sa
    interface: outside
        Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X

          access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 175.141.X.X

          #pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188
          #pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 30188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
          path mtu 1492, ipsec overhead 66(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 7D03CD30
          current inbound spi : B2B16E15

        inbound esp sas:
          spi: 0xB2B16E15 (2997972501)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 516096, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4371272/24996)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x7D03CD30 (2097401136)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
             slot: 0, conn_id: 516096, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4367450/24996)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ASA5515X# packet-tracer input inside icmp 192.168.0.1 0 8 192.168.2.1 detailed

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7fff2a320c70, priority=1, domain=permit, deny=false
            hits=3417800, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside

    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.2.1/0 to 192.168.2.1/0

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7fff2a2b5580, priority=500, domain=permit, deny=true
            hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    Hello

    I noticed that you are actually using the wrong format of the "packet-tracer" command:

    packet-tracer input inside icmp <source> 8 0 <destination>

    And regarding the outside ACL on the ASA5505: there is no need for it, as by default the ASA allows all incoming traffic from the VPN to bypass the interface ACL. I don't see the command that would change this default behaviour in the configuration.

    You can issue the "packet-tracer" with the right Type / Code as above. You had them the wrong way around in the original command.

    Could you also test the traffic between the real hosts and not the ASAs, although traffic between a host and the remote ASA's "inside" IP address should also work.

    Regarding the above, it seems that you also changed the default inspection rules on the ASA5515-X unit, since it is not attached globally but to the "inside" interface. Not sure if it has an effect, but I usually do not need to change the default.

    - Jouni
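    The two `sh crypto ipsec sa` outputs above are the whole diagnosis: the 5515-X shows `#pkts encaps: 1595` with `#pkts decaps: 0`, the 5505 shows the mirror image, and the SPIs cross-match, so the tunnel delivers one way and the reply never enters it. The script below is an added example for this thread (not Cisco's code, not from either poster) that automates exactly that reading: it parses both peers' output, checks that each side's inbound SPI is the other's outbound SPI, follows each direction to distinguish "lost on the path" from "no reply", flags the legacy `esp-3des` transform and PFS group 1 seen in the configs, finds the first DROP phase in a packet-tracer run, and builds the ICMP packet-tracer command with type before code as Jouni points out. The sample outputs are constructed from the counters and SPIs posted above (trimmed to the fields used) and the host addresses in the usage line are made up.

```python
"""Triage a site-to-site tunnel from both peers' `show crypto ipsec sa` output.
Added example for this thread, not Cisco's code. Samples are constructed
from the counters/SPIs posted above; peer addresses keep the masked form."""
import re

# Constructed sample: ASA5515X side as first posted (encrypts, never decrypts).
ASA5515X_SA = """\
    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
      #pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: FC699E19
      current inbound spi : FFFCF744
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
"""
# Constructed sample: ASA5505 side (decrypts what arrives, encrypts nothing back).
ASA5505_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
      current outbound spi: FFFCF744
      current inbound spi: FC699E19
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
"""
# Constructed sample: the packet-tracer run from the update, trimmed to its phases.
PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

LEGACY_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")


def parse_ipsec_sa(text):
    """Extract the counters, SPIs, transform and PFS group from one peer's output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return cast(m.group(1))
    return {
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "out_spi": grab(r"current outbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        "transform": grab(r"transform:\s*([^\n]+)").split(),
        "pfs_group": grab(r"PFS Group\s*(\d+)", int),
    }


def check_tunnel(local, remote):
    """Return (code, explanation) findings; an empty list means the SA pair looks sane."""
    findings = []
    # Each peer's inbound SPI must be the other's outbound SPI, or they are not
    # on the same SA pair (stale SA, rekey race, wrong peer).
    if (local["out_spi"], local["in_spi"]) != (remote["in_spi"], remote["out_spi"]):
        findings.append(("spi-mismatch", "peers do not share one SA pair"))
    # Follow each direction: did the receiver decrypt what the sender encrypted,
    # and did it ever encrypt a reply?
    for name, a, b in (("local->remote", local, remote), ("remote->local", remote, local)):
        if a["encaps"] == 0:
            continue  # nothing sent this way, so the path is untested
        if b["decaps"] == 0:
            findings.append(("lost:" + name, "encrypted but never decrypted: check ESP/UDP 4500 reachability"))
        elif b["encaps"] == 0:
            findings.append(("no-reply:" + name, "receiver decrypts but encrypts nothing back: "
                             "the reply never matches the crypto ACL (route, NAT exemption or host)"))
    for side, sa in (("local", local), ("remote", remote)):
        weak = [t for t in sa["transform"] if t in LEGACY_TRANSFORMS]
        if weak:
            findings.append(("legacy-transform:" + side, " ".join(weak) + ": move to AES with SHA-2"))
        if sa["pfs_group"] < 14:
            findings.append(("weak-pfs:" + side, "PFS group %d: use group 14 or stronger" % sa["pfs_group"]))
    return findings


def packet_tracer_drop(text):
    """Return (phase, type, drop-reason) for the first DROP phase, or None if every phase allows."""
    for block in re.split(r"\n(?=Phase:\s*\d+)", text):
        m = re.match(r"Phase:\s*(\d+)\nType:\s*([^\n]+)", block)
        if m and re.search(r"^Result:\s*DROP", block, re.M):
            reason = re.search(r"Drop-reason:\s*([^\n]+)", text)
            return int(m.group(1)), m.group(2).strip(), reason.group(1).strip() if reason else ""
    return None


def packet_tracer_cmd(ifc, src, dst, icmp_type=8, icmp_code=0):
    """ICMP form of the ASA command: the type comes before the code (8 0 = echo request)."""
    return "packet-tracer input %s icmp %s %d %d %s detailed" % (ifc, src, icmp_type, icmp_code, dst)


if __name__ == "__main__":
    for code, why in check_tunnel(parse_ipsec_sa(ASA5515X_SA), parse_ipsec_sa(ASA5505_SA)):
        print(code, "-", why)
    print(packet_tracer_drop(PACKET_TRACER))
    print(packet_tracer_cmd("inside", "192.168.0.100", "192.168.2.100"))  # constructed hosts
```

    Run against the two outputs as posted it reports `no-reply:local->remote` rather than `lost:`, which is the distinction that matters here: the 5505 is decrypting the 5515-X's packets, so the IKE/NAT-T path is fine and the problem is on the 5505's LAN side (the reply is not being routed or NAT-exempted into the crypto map). The legacy-transform and weak-PFS findings come from the same output and are what a reviewer would raise about these configs once the tunnel passes traffic.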
