Problem VPN site-to-site
Hi people,
My company wishes to set up a VPN between our situation in Sarajevo and Mostar. We have a Cisco 871w in Sarajevo, it is in production, and the other will also be a router Cisco in Mostar.
I'm not much configuration of Cisco routers so it was better for me to test the scenario in Packet Tracer, but it simply does not work.
I added the tracer package file (see attachment), so it would be great if someone could take a look and tell me where is the problem.
I'm not sure if the Cisco 871w supports this type of VPN or should I buy another router VPN?
Thanks in advance,
Damir
Thank you...
The problem is the NAT statement that you configured is not exempt crypto traffic. He gets PATed to the IP address that you configure on the NAT pool, and it does not match the ACL (ACL 101) crypto more, so this isn't the start of the VPN tunnel.
Here's what you need to set up:
Router Sarajevo:
access-list 120 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
no ip inside the pool overld nat overload source list 7
IP nat inside source list pool 120 overld overload
Router Mostar:
access-list 120 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 allow ip 192.168.20.0 0.0.0.255 any
no ip inside the pool overld nat overload source list 7
IP nat inside source list pool 120 overld overload
I hope this helps.
Tags: Cisco Security
Similar Questions
-
Problem VPN site to Site with overlapping networks
We currently have a PIX 515E firewall as a headboard with many tunnels of site-to-site configured for her with the enpoints of PIX 506. Our internal LAN addressing scheme is 172.18.0.0 255.255.0.0. Addresses of local network in two of the remote networks with congigured VPN site-to-site are 172.18.107.0 255.255.255.224 and 172.18.107.32 255.255.255.0. Remote network access to all services on our internal network very well. We have 20 other network segments configured the same way. The 172.18.107.32.0 network needs to communicate with the 172.18.107.0 network for the services of file on the other remote PIX. Since the station PIX will not allow traffic to leave the same interface it came we thought with him we would just set up a tunnel from site to site between the two remote LAN. After the configuration of the site to another remote firewalls do not appear to try to establish tunnels when sending valuable traffic. I turned on debug for ISAKMP and nothing is either sent or received on a remote Firewall with regard to these tunnels. It's almost like since we already have a tunnel set to our 172.18.0.0 internal LAN that the remote PIX will not build specifically to 172.18.107.0 tunnel. I am able to ping each remote peer with each other and hear protection rules, but nothing has ever been established.
Is what we are trying to do possible? Sorry for the long post but the kind of a strange scenario. Thanks in advance for any help.
In what order are the numbers of seqence card crypto for configuring vpn on pix distance units? It could be that you are trying to install is a lot and will be checked later as head of pix. If this is the case, then yes the 172.18/16 road prevail the 172.18.107/24. Try to rebuild the entrance card crypto with a lower number so that traffic to 172.18.107/24 comes first.
I would like to know how it works.
-
Problem with VPN Site-to-Site between RV215W and ASA5510
The RV215W is intended to connect a new branch via 3G, but fail.
But when connected to the internet via a cable modem VPN works.
I have set up with the FULL domain name and remote ip address.
Please help me soon as soon as you can.
Thaks a lot.
Henriux2412.
Dear Henry;
Thank you to the small community of Support Business.
I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.
Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support
https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport
Do not hesitate to contact me if there is anything I can help you with in the meantime.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
-
Problem on site to site and between router vpn client series 2,800
Hello
I need a little help.
I have 2 office of connection with a site to site vpn
Each site has a dry - k9 router 800 series.
Each router has actually client ipsec vpn active and all users can connect by using the client vpn with no problems.
I added the lines for the vpn site to another, but the tunnel is still down.
Here the sh run and sh encryption session 2 routers:
OFFICE A
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
OFFICE-A-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 220561722
revocation checking no
rsakeypair TP-self-signed-220561722
!
!
TP-self-signed-220561722 crypto pki certificate chain
certificate self-signed 01
quit smoking
!
!
!
!!
!
dhcp WIRED IP pool
Network 10.0.0.0 255.255.255.0
router by default - 10.0.0.254
Server DNS 10.0.0.100
!
!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!!
!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa ssh key pair name
property intellectual ssh version 2
property intellectual ssh pubkey-string
!
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
OFFICE-B-IP address ISAKMP crypto key XXXXX
!
ISAKMP crypto client configuration group remoteusers
key XXXX
DNS 10.0.0.100
WINS 10.0.0.100
domain.ofc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
defined OFFICE-B-IP peer
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
INTERNAL description
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
Shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan10
IP 10.0.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name of user password xxx xxx 0
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.1 10.16.20.200
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
Note access-list 101 * ACL SHEEP *.
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
endOFFICE B
OFFICE-B-DG host name
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login xauthlist local
AAA authorization exec default local
AAA authorization exec vty group xauthlocal
AAA authorization exec defaultlocal group bdbusers
AAA authorization groupauthor LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1514396900
revocation checking no
rsakeypair TP-self-signed-1514396900
!
!
TP-self-signed-1514396900 crypto pki certificate chain
certificate self-signed 01
quit smoking!
!
8.8.8.8 IP name-server
no ip cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa SSH key pair name
!
!
crypto ISAKMP policy 1
md5 hash
preshared authentication
!
crypto ISAKMP policy 3
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
md5 hash
preshared authentication
encryption XXXX isakmp key address IP-OFFICE-A!
ISAKMP crypto client configuration group remoteusers
key xxxx
DNS 192.168.1.10
WINS 192.168.1.10
rete.loc field
pool ippool
ACL 101
!
!
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac xauathtransform
tunnel mode
Crypto ipsec transform-set esp - esp-md5-hmac rtpset
tunnel mode
!
!
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
Crypto-map dynamic dynmap 20
Set transform-set RIGHT
!
!
map clientmap client to authenticate crypto list userathen
card crypto clientmap isakmp authorization list groupauthor
client configuration address map clientmap crypto answer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
20 ipsec-isakmp crypto map clientmap
peer IP-OFFICE-A value
Set transform-set RIGHT
match address 115
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
ATM0 interface
no ip address
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
!
interface Ethernet0
no ip address
Shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
Shutdown
!
Vlan30 interface
IP 192.168.1.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Dialer0
the negotiated IP address
NAT outside IP
IP virtual-reassembly in
encapsulation ppp
Dialer pool 1
Authentication callin PPP chap Protocol
PPP pap sent-name to user
clientmap card crypto
!
router RIP
version 2
10.0.0.0 network
network 192.168.1.0
!
IP local pool ippool 10.16.20.201 10.16.20.250
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
the IP nat inside source 1 interface Dialer0 overload list
overload of IP nat inside source list 101 interface Dialer0
IP nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static tcp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
IP nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
IP nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
IP nat inside source static udp 192.168.1.100 5063 5063 Dialer0 interface
IP nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
IP nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
IP nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
IP route 0.0.0.0 0.0.0.0 Dialer0
!
!
sheep allowed 10 route map
corresponds to the IP 150 101
!
access-list 22 allow 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
ACCESS-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 0 0
password Password02
preferred transport ssh
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
endThanks in advance for any help :)
the site at the other tunnel is mounted, but it does not pass traffic; What is the source and destination ip on the router that you are trying to ping the address
whenever you try to open the traffic from router A to router B, you must to the source of the traffic.
for ex,.
Router A-->10.1.1.1--fa0/0
Router B - 172.168.1.100
source of ping 172.168.1.100 router # 10.1.1.1
After doing the pings, send the output of the show counterpart of its crypto ipsec
at both ends -
IPsec VPN site to site between router problem Cisco ASA. Help, please
Hello community,
I'm stuck in configuring VPN site to site between ASA (OS 9.1) and router Cisco IOS (IOS 15, 2 - 4.M4)
Attachment is router configuration and ASA. I also include the router debug output.
It seems that the two parties must isakmp missmatch configuration, but I have already disabled the KeepAlive parameters. I also turn off PFS setting on both sides. But it does not work. I have no idea on this problem.
Please help me. Any help appreciated.
Thank you
I didn't look any further, but this may be a reason:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
The dynamic CM must always be the last sequence in a card encryption:
no crypto map mymap 1 ipsec-isakmp dynamic dyn1 crypto map mymap 65000 ipsec-isakmp dynamic dyn1
Try this first, then we can look further.
-
VPN site to Site, Phase2, ISAKMP problem
Hi all
I have a problem to Setup vpn site to site on two Cisco1841 ((C1841-ADVSECURITYK9-M) 12.4 routers (3i)) Version.
I have seen several discussions with similar problems, but no help, and I couldn't find any problem solved also.
Please see two attached documents, the first one with samples of itineraries config the remote and and the second with the debug output.
I rechecked the configs on both routers, and it seems that both are very good.
The strange is that tunnel comes up all the time, but I have only 50% by the pings of the networks the. Pings from the local and remote peers goes with 100%.
Please see the errors on the document of debugging.
Second thing, please pay attention to the subnet mask of the local interface of the local router (255.255.255.224). Maybe it's the root of a problem, it is not in line with the access list that is with wildcard 0.0.0.255?
I think it's the only thing that I forgot to check today.
Maybe it's a bug of ios or something?
I appreciate any help to solve this problem.
Thank you in advance,
If your network is 255.255.255.224 255.255.255.224 should be in the ACL to change this in two ACLs of the interesting traffic.
Check this
* 6 sep 12:59:15.362: IPSEC (validate_transform_proposal): No IPSEC cryptomap is to address local y.y.y.y (local peer)
* 6 sep 12:59:15.366: ISAKMP:(0:36:SW:1): IPSec policy invalidated proposal
* 6 sep 12:59:15.366: ISAKMP:(0:36:SW:1): politics of ITS phase 2 is not acceptable! (local y.y.y.y (local peer) remote control (remote peer) x.x.x.x)
This isn't a question about the phase I, but with the phase 2. The ACL must be changed
LOCAL
access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255
REMOTE
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31
Change that firs and then disable the SA and try again. I'm not sure why you receive only 50% of responses from the remote site
-
Problem VPN ASA 5505 8.3 (1) a site
Hello
My problem is with VPN site-to-site. It's between ASA5505 8.3 (1) and Pix 501 6.3 (5). The tunnel is created between them and it's good, here you have the results to see the crypto ipsec's and isakmp his
ciscoasa # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 1
1 peer IKE: 91.X.X.57
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
ciscoasa # sh crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.X.X.57
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 3757, #pkts decrypt: 3757, #pkts check: 3757
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
local crypto endpt. : 79.X.X.2/0, remote Start crypto. : 91.X.X.57/0
Path mtu 1500, fresh ipsec generals 74, media, mtu 1500
current outbound SPI: F1C2FD46
current inbound SPI: 1BCF8C49
SAS of the esp on arrival:
SPI: 0x1BCF8C49 (466586697)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4373665/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xF1C2FD46 (4056087878)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 376832, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/20348)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
But the problem is, as you can see in a show crypto ipsec sa, there is now traffic to a remote network of ASA
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
I have a single device on the remote network sends data to a sysloger on the local network and it works fine, all received messages but not other way to traffic.
To make sure that I go see the Nat and packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80 and looks like SHEEP works very well and traffic is allowed, but still once anything gets into the tunnel of local network
Results
ciscoasa # sh nat
Manual NAT policies (Section 1)
1 (one) to (all) source static sheep sheep sheep destination static sheep
translate_hits = 0, untranslate_hits = 38770
2 (inside) for the service public static obj - the source (on the outside) TCP1433 TCP1433 79.X.X.5 192.168.10.7
translate_hits = 0, untranslate_hits = 95
3 (inside) to the source (external) static obj - 192.168.10.7 interface service zzz zzz
translate_hits = 0, untranslate_hits = 19
4 (inside) of the (whole) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 17, untranslate_hits = 0
5 (inside) of the (whole) source static obj - obj - static 192.168.10.0 192.168.10.0 obj - obj-destination 10.1.1.1 10.1.1.1
translate_hits = 134, untranslate_hits = 0
6 (inside) to the (whole) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
translate_hits = 0, untranslate_hits = 0
7 (inside) of the (whole) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
translate_hits = 172, untranslate_hits = 53
Auto NAT policies (Section 2)
1 (inside) (outside) source static obj - 192.168.10.3 service TCP 3389 3389 79.X.X.5
translate_hits = 12, untranslate_hits = 4823
2 (inside) (outside) source static obj - 192.168.10.5 79.X.X.3 DNS
translate_hits = 341869, untranslate_hits = 41531
3 (inside) (outside) source static obj - 192.168.10.3 - 01 79.X.X.5 service TCP 444 444
translate_hits = 0, untranslate_hits = 0
4 (inside) to the source (external) static obj - 192.168.10.7 tcp 3389 3389 service interface
translate_hits = 21, untranslate_hits = 751
5 (inside) (outside) source static obj - 192.168.10.7 - 02 interface tcp 8080 https service
translate_hits = 0, untranslate_hits = 100
6 (inside) (outside) source static obj - 192.168.10.11 79.X.X.5 TCP smtp smtp service
translate_hits = 2, untranslate_hits = 18838
7 (inside) (outside) source static obj - 192.168.10.11 - 01 udp 443 443 service 79.X.X.5
translate_hits = 0, untranslate_hits = 0
8 (inside) (outside) source static obj - 192.168.10.11 - 02 79.X.X.5 tcp https https service
translate_hits = 221, untranslate_hits = 9770
9 (inside) (outside) source static obj - 192.168.10.11 - 03 79.X.X.5 tcp https https service
translate_hits = 0, untranslate_hits = 0
10 (inside) (outside) source static obj - 192.168.10.15 79.X.X.5 service tcp www 81
translate_hits = 0, untranslate_hits = 34
11 (inside) (outside) source static obj - 192.168.10.26 79.X.X.5 service TCP 8080 8080
translate_hits = 9, untranslate_hits = 4407
12 (inside) (outside) source static obj - 192.168.10.26 - 01 79.X.X.5 tcp 8080 www service
translate_hits = 0, untranslate_hits = 578
13 (inside) (outside) source static obj - 192.168.10.220 79.X.X.6 service TCP 3389 3389
translate_hits = 0, untranslate_hits = 41
14 (inside) (outside) source static obj - 192.168.10.220 - 1 79.X.X.6 tcp https https service
translate_hits = 0, untranslate_hits = 3
15 (inside) to the obj_any interface dynamic source (external)
translate_hits = 410005, untranslate_hits = 144489
16 (invited) to dynamic interface of the source (outside) obj_any-01
translate_hits = 19712, untranslate_hits = 4490
ciscoasa # packet - trace entry inside tcp 192.168.10.7 1024 192.168.11.250 80
Phase: 1
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.11.250/80 to 192.168.11.250/80
Phase: 2
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group inside_out in interface inside
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Additional information:
Direct flow from returns search rule:
ID = 0xd9886ae8, priority = 13, area = allowed, deny = false
hits = 18503, user_data = 0xd6581290, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd80c87c8, priority = 0, sector = inspect-ip-options, deny = true
hits = 1047092, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd9859830, priority = 6, area = nat, deny = false
hits = 2107, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd8114d98, priority = 0, domain = host-limit, deny = false
hits = 674350, user_data = 0 x 0, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xd83a9960, priority = 70, domain = encrypt, deny = false
hits = 26732, user_data = 0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 7
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (any, any) source static sheep sheep sheep destination static sheep
Additional information:
Direct flow from returns search rule:
ID = 0xd98d1d70, priority = 6, area = nat-reversed, deny = false
hits = 1419, user_data = 0xd83a9b48, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd9bda388, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 486, user_data is 0x13492cc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.11.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.10.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xd8192ab0, priority = 0, sector = inspect-ip-options, deny = true
hits = 1169899, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Phase: 10
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1293619 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Information for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
It is a complete config for ASA
VPN
Network local 192.168.10.0/24
remote network 192.168.11.0/24
Config
:
ASA Version 8.3 (1)
!
ciscoasa hostname
domain.com domain name
activate the password * encrypted
passwd * encrypted
names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 79.X.X.2 255.255.255.248
!
interface Vlan12
prior to interface Vlan1
nameif comments
security-level 80
192.168.4.1 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
boot system Disk0: / asa831 - k8.bin
passive FTP mode
clock timezone GMT/UTC 0
summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name 192.168.10.11
domain.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network object obj - 192.168.0.0
Subnet 192.168.0.0 255.255.0.0
network object obj - 192.168.2.0
Subnet 192.168.2.0 255.255.255.128
network object obj - 10.0.0.0
subnet 10.0.0.0 255.0.0.0
network object obj - 192.168.10.2
host 192.168.10.2
network object obj - 192.168.10.2 - 01
host 192.168.10.2
network object obj - 192.168.10.3
host 192.168.10.3
network object obj - 192.168.10.2 - 02
host 192.168.10.2
network object obj - 192.168.10.2 - 03
host 192.168.10.2
network object obj - 192.168.10.3 - 01
Home 192.168.10.7
network object obj - 192.168.10.5
host 192.168.10.5
newserver network object
Home 192.168.10.7
New SQL Server description
network object obj - 192.168.10.7
Home 192.168.10.7
network of the A_79.X.X.6 object
Home 79.X.X.6
network of the PublicServer_NAT1 object
Home 192.168.10.7
zzz service object
service source eq 1 65535 udp syslog destination range
Syslog description
purpose of the 79.X.X.5 network
Home 79.X.X.5
service of the TCP1433 object
destination service tcp source eq 1433 1 65535 range
Description TCP1433
network object obj - 192.168.10.220
Home 192.168.10.220
network object obj - 192.168.10.220 - 1
Home 192.168.10.220
network object obj - 192.168.10.222
Home 192.168.10.222
network object obj - 192.168.10.2 - 04
host 192.168.10.2
network object obj - 192.168.10.7 - 02
Home 192.168.10.7
network object obj - 192.168.10.11
Home 192.168.10.11
network object obj - 192.168.10.11 - 01
Home 192.168.10.11
network object obj - 192.168.10.11 - 02
Home 192.168.10.11
network object obj - 192.168.10.11 - 03
Home 192.168.10.11
network object obj - 192.168.10.26
Home 192.168.10.26
network object obj - 192.168.10.26 - 01
Home 192.168.10.26
network object obj - 192.168.10.15
Home 192.168.10.15
network object obj - 192.168.10.11 - 04
Home 192.168.10.11
network object obj - 10.1.1.1
host 10.1.1.1
network object obj - 192.168.10.0
192.168.10.0 subnet 255.255.255.0
network object obj - 192.168.10.220 - 2
Home 192.168.10.220
network vpn-local object
192.168.10.0 subnet 255.255.255.0
object network vpn - ru
subnet 192.168.11.0 255.255.255.0
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
object-group service syslog udp
Service Description syslog group
port-object eq syslog
object-group service udp zzzz
port-object eq syslog
object-group service sss udp
port-object eq syslog
object-group network sheep
object-network 192.168.10.0 255.255.255.0
object-network 192.168.11.0 255.255.255.0
object-network 192.168.3.0 255.255.255.0
outside_all of access allowed any ip an extended list
VPN_splitTunnelAcl list standard access allowed 192.168.0.0 255.255.0.0
VPN_splitTunnelAcl list standard access allowed 10.0.0.0 255.0.0.0
permit inside_nat0_outbound to access extended list ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.128
inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 192.168.2.0 255.255.255.128
access-list extended inside_out allow ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list extended inside_out permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
scope of the inside_out to the list of permitted any one ip access
inside_out to the access list extended 192.168.11.0 allowed any ip 255.255.255.0
inside_out to the list of access permit tcp host 192.168.10.2 any eq smtp
inside_out to the list of access permit tcp any any eq smtp
access-list extended inside_out allow udp 192.168.10.0 255.255.255.0 host 10.1.1.1
access-list extended inside_out permit udp host 10.1.1.1 192.168.10.0 255.255.255.0
inside_out to the list of allowed extensive access icmp host 192.168.10.7 all
inside_out to the list of allowed extensive access a whole icmp
outside_zzz list of allowed ip extended access any external interface
outside_zzz list extended access permit tcp host 87.X.X.73 host 79.X.X.5 eq 1433
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq 1433
outside_zzz list extended access permitted tcp 207.126.144.0 255.255.240.0 eq 79.X.X.5 the smtp host
outside_zzz tcp extended access list refuse any host 79.X.X.5 eq smtp
outside_zzz access-list extended permit ip any host 79.X.X.5
outside_zzz of access allowed any ip an extended list
permit access list extended ip 192.168.10.0 outside_in 255.255.255.0 192.168.11.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 192.168.10.0 255.255.255.0
access extensive list ip 192.168.11.0 outside_in allow 255.255.255.0 any
outside_in list extended access permit tcp any host 192.168.10.15 eq 81
outside_in list extended access permit ip any host 192.168.10.5
access-list outside_in extended permit ip any host 79.X.X.4
outside_in list extended access permit tcp host 82.X.X.166 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 84.X.X.30 host 192.168.10.7 eq 1433
outside_in list extended access tcp refuse any host 192.168.10.7 eq 1433
outside_in list extended access permit tcp any host 192.168.10.3 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.11 eq 444
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 eq smtp host 192.168.10.11
outside_in list extended access permitted tcp 207.126.144.0 255.255.240.0 host 192.168.10.2 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.11 eq smtp
outside_in list extended access tcp refuse any host 192.168.10.2 eq smtp
outside_in list extended access permit tcp any host 192.168.10.2 eq smtp
outside_in list extended access permit udp any host 192.168.10.2 eq 443
outside_in list extended access permit tcp any host 192.168.10.3 eq 3389
outside_in list extended access permit tcp any host 192.168.10.2 eq 4125
outside_in list extended access permit tcp any host 192.168.10.11 eq https
outside_in list extended access permit tcp any host 192.168.10.2 eq https
outside_in list extended access allowed esp all the host 91.X.X.57
outside_in list extended access permit tcp any host 192.168.10.3 eq 1433
access-list extended outside_in permit ip host 91.X.X.57 all
access-list outside_in extended permit ip any host 79.X.X.5
access-list outside_in extended permit ip any host 79.X.X.2
outside_in list extended access permit tcp any host 79.X.X.6 eq 3389
outside_in list extended access permit tcp any host 192.168.10.220 eq 3389
outside_in list extended access permit tcp any host 79.X.X.5 eq 81
access extensive list permits all ip a outside_in
outside_in list extended access permit tcp host 91.X.X.178 host 192.168.10.7 eq 1433
outside_in list extended access permit tcp host 87.X.X.73 host 192.168.10.7 eq 1433
access-list extended qnap permit ip host 192.168.10.26 all
access-list extended qnap permit ip any host 192.168.10.26
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.10.0 255.255.255.0
permit phone_bypass to access extended list ip 192.168.10.0 255.255.255.0 host 10.1.1.1
phone_bypass list extended access allowed host 10.1.1.1 ip 192.168.2.0 255.255.255.0
phone_bypass to access extended list ip 192.168.2.0 allow 255.255.255.0 host 10.1.1.1
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
exploitation forest-size of the buffer 1024000
logging asdm-buffer-size 512
logging buffered information
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
Comments of MTU 1500
mask of local pool RemoteVPN 192.168.2.20 - 192.168.2.100 IP 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ASDM image disk0: / asdm - 631.bin
enable ASDM history
ARP timeout 14400
NAT (any, any) source static sheep sheep sheep destination static sheep
NAT source service (Interior, exterior) static obj - 192.168.10.7 79.X.X.5 TCP1433 TCP1433
NAT (inside, outside) source static obj - 192.168.10.7 interface service zzz zzz
NAT (inside, all) source static obj - 10.0.0.0 obj - 10.0.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
NAT (inside, all) source static obj - 192.168.10.0 obj - 192.168.10.0 destination static obj - 10.1.1.1 obj - 10.1.1.1
NAT (inside, all) source static obj - 10.1.1.1 obj - 10.1.1.1 destination static obj - 192.168.10.0 obj - 192.168.10.0
NAT (inside, all) source static obj - 192.168.0.0 obj - 192.168.0.0 destination static obj - 192.168.2.0 obj - 192.168.2.0
!
network object obj - 192.168.10.3
NAT (inside, outside) static service tcp 3389 3389 79.X.X.5
network object obj - 192.168.10.3 - 01
NAT (inside, outside) static 79.X.X.5 tcp 444 444 service
network object obj - 192.168.10.5
NAT (inside, outside) public static dns 79.X.X.3
network object obj - 192.168.10.7
NAT (inside, outside) interface static service tcp 3389 3389
network object obj - 192.168.10.220
NAT (inside, outside) static service tcp 3389 3389 79.X.X.6
network object obj - 192.168.10.220 - 1
NAT (inside, outside) static 79.X.X.6 tcp https https service
network object obj - 192.168.10.7 - 02
NAT (inside, outside) interface static tcp 8080 https service
network object obj - 192.168.10.11
NAT (inside, outside) static 79.X.X.5 tcp smtp smtp service
network object obj - 192.168.10.11 - 01
NAT (inside, outside) udp 443 443 service 79.X.X.5 static
network object obj - 192.168.10.11 - 02
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.11 - 03
NAT (inside, outside) static 79.X.X.5 tcp https https service
network object obj - 192.168.10.26
NAT (inside, outside) static 79.X.X.5 8080 8080 tcp service
network object obj - 192.168.10.26 - 01
NAT (inside, outside) static 79.X.X.5 tcp 8080 www service
network object obj - 192.168.10.15
NAT (inside, outside) static 79.X.X.5 tcp 81 www service
network obj_any object
NAT dynamic interface (indoor, outdoor)
network obj_any-01 object
NAT dynamic interface (guest, outdoor)
Access-group inside_out in interface inside
Access-group outside_in in external interface
Route outside 0.0.0.0 0.0.0.0 79.X.X.1 1
Route inside 10.0.0.0 255.0.0.0 192.168.10.4 1
Route outside 10.1.1.1 255.255.255.255 192.168.10.4 1
Route outside 192.168.11.0 255.255.255.0 79.X.X.2 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
RADIUS Protocol RADIUS AAA server
reactivation impoverishment deadtime mode 1
AAA-server RADIUS (inside) host 192.168.10.7
key *.
AAA authentication http LOCAL console
the ssh LOCAL console AAA authentication
LOCAL AAA authorization command
http server enable 444
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outdoors
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
No vpn sysopt connection permit
Service resetoutside
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-SHA 256 - aes - esp esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
card crypto outside_map 1 match for vpn
outside_map game 1 card crypto peer 91.X.X.57
card crypto outside_map 1 set of transformation-ESP-AES-SHA
outside_map map 1 lifetime of security association set seconds 28800 crypto
card crypto outside_map 1 set security-association life kilobytes 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
lifetime 28800
Crypto isakmp nat-traversal 3600
Telnet timeout 5
SSH 0.0.0.0 0.0.0.0 inside
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
Console timeout 0
dhcpd dns 83.X.X.8 83.X.X.10
dhcpd outside auto_config
!
dhcpd address 192.168.10.50 - 192.168.10.100 inside
dhcpd dns 83.X.X.8 83.X.X.10 interface inside
dhcpd lease interface 600 inside
dhcpd interface to domain.com domain inside
!
Reviews of dhcpd address 192.168.4.50 - 192.168.4.100
Dhcpd lease 600 interface comments
Comments enable dhcpd
!
priority queue inside
priority-queue outdoors
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP 93.170.32.1 Server
NTP 93.170.32.2 Server
NTP 89.145.68.17 Server prefer
WebVPN
allow outside
SVC image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 regex 'Windows NT'
SVC image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 2 regex "Windows CE"
enable SVC
Auto-signon allow ip 192.168.0.0 255.255.0.0 basic auth-type
internal l2l group policy
attributes of the l2l group policy
VPN-idle-timeout no
Protocol-tunnel-VPN IPSec
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
value by default-field DOMAINl.local
internal VPNv group strategy
attributes of Group Policy VPNv
value of server DNS 192.168.10.11
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list VPN_splitTunnelAcl
field default value domain.com
password username test * encrypted privilege 0
username test attributes
VPN-group-policy VPNv
ID password cisco * encrypted
roger password username * encrypted privilege 15
attributes global-tunnel-group DefaultRAGroup
address pool RemoteVPN
attributes global-tunnel-group DefaultWEBVPNGroup
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
type tunnel-group VPNv remote access
attributes global-tunnel-group VPNv
address pool RemoteVPN
Group-LOCAL RADIUS authentication server
Group Policy - by default-VPNv
IPSec-attributes tunnel-group VPNv
pre-shared key *.
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
management of the password password-expire-to-days 90
tunnel-group 91.X.X.57 type ipsec-l2l
IPSec-attributes tunnel-group 91.X.X.57
pre-shared key *.
!
Global class-card class
match default-inspection-traffic
class-map qnap_band
corresponds to the list of access qnap
The class-card phone
corresponds to the phone_bypass access list
!
!
Policy-map global_policy
Global category
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Policy-map qnap_access
class qnap_band
512000 64000 police entry
512000 64000 release of police
phone class
set the advanced options of the tcp-State-bypass connection
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect the pptp
inspect the rtsp
inspect the sip
inspect the skinny
Policy-map phone_bypass_policy
phone class
set the advanced options of the tcp-State-bypass connection
!
service-policy-international policy global
service-policy qnap_access to the inside interface
privilege level 3 mode exec cmd command perfmon
privilege level 3 mode exec cmd ping command
mode privileged exec command cmd level 3
logging of the privilege level 3 mode exec cmd commands
privilege level 3 exec command failover mode cmd
privilege level 3 mode exec command packet cmd - draw
privilege level 5 see fashion exec running-config command
order of privilege show level 3 exec mode reload
privilege level 3 exec mode control fashion show
privilege see the level 3 exec firewall command mode
privilege see the level 3 exec mode command ASP.
processor mode privileged exec command to see the level 3
privilege command shell see the level 3 exec mode
privilege show level 3 exec command clock mode
privilege exec mode level 3 dns-hosts command show
privilege see the level 3 exec command access-list mode
logging of orders privilege see the level 3 exec mode
privilege, level 3 see the exec command mode vlan
privilege show level 3 exec command ip mode
privilege, level 3 see fashion exec command ipv6
privilege, level 3 see the exec command failover mode
privilege, level 3 see fashion exec command asdm
exec mode privilege see the level 3 command arp
command routing privilege see the level 3 exec mode
privilege, level 3 see fashion exec command ospf
privilege, level 3 see the exec command in aaa-server mode
AAA mode privileged exec command to see the level 3
privilege see the level 3 exec mode command crypto
privilege, level 3 see fashion exec command vpn-sessiondb
privilege level 3 exec mode command ssh show
privilege, level 3 see fashion exec command dhcpd
privilege, level 3 see the vpnclient command exec mode
privilege, level 3 see fashion exec command vpn
privilege level see the 3 blocks from exec mode command
privilege, level 3 see fashion exec command wccp
privilege, level 3 see the exec command in webvpn mode
privilege control module see the level 3 exec mode
privilege, level 3 see fashion exec command uauth
privilege see the level 3 exec command compression mode
level 3 for the show privilege mode configure the command interface
level 3 for the show privilege mode set clock command
level 3 for the show privilege mode configure the access-list command
level 3 for the show privilege mode set up the registration of the order
level 3 for the show privilege mode configure ip command
level 3 for the show privilege mode configure command failover
level 5 mode see the privilege set up command asdm
level 3 for the show privilege mode configure arp command
level 3 for the show privilege mode configure the command routing
level 3 for the show privilege mode configure aaa-order server
level mode 3 privilege see the command configure aaa
level 3 for the show privilege mode configure command crypto
level 3 for the show privilege mode configure ssh command
level 3 for the show privilege mode configure command dhcpd
level 5 mode see the privilege set privilege to command
privilege level clear 3 mode exec command dns host
logging of the privilege clear level 3 exec mode commands
clear level 3 arp command mode privileged exec
AAA-server of privilege clear level 3 exec mode command
privilege clear level 3 exec mode command crypto
level 3 for the privilege cmd mode configure command failover
clear level 3 privilege mode set the logging of command
privilege mode clear level 3 Configure arp command
clear level 3 privilege mode configure command crypto
clear level 3 privilege mode configure aaa-order server
context of prompt hostname
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Thanks in advance for any help.
Wojciech salvation,
Based on this info, I think that you can run in CSCtb53186, this bug has affected many versions before 8.3 and when fixed DEVs they were always be some details in waiting, and they created CSCtd36473 to these outstanding issues. CSCtd36473 is fixed on 8.3.1.1 intermediate version however is not fixed on 8.3.1 so I suggest you spend at least 8.3.2
Read this:
Interface: outside
Tag crypto map: outside_map, seq num: 1, local addr: 79.X.X.2list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 91.Y.Y.57#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 502, #pkts decrypt: 502, #pkts check: 502
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0outgoing esp sas:
SPI: 0xDE50E6EA (3729843946)
transform: aes-256-esp esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 425984, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (4374000/28234)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
VPN CTX = 0x015F913C
By peer IP = 192.168.11.0
Pointer = 0xD98CACD0
State = upwards
Flags = BA + ESP
ITS = 0X019235E7
SPI = 0xDE50E6EA
Group = 0
Pkts = 0
Pkts bad = 0
Incorrect SPI = 0
Parody = 0
Bad crypto = 0
Redial Pkt = 0
Call redial = 0
VPN = filterhits = 0, user_data is0x15f913c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0hits = 44437, user_data is0xce165c, cs_id = 0xd83ad0e8, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.10.0 SRC, mask is 255.255.255.0, port = 0
IP/ID=192.168.11.0 DST, mask is 255.255.255.0, port = 0, dscp = 0 x 0As you can see above we are a different context to encrypt the traffic (not used with the spi of the sh cry ipsec his)
If you do the same packet tracer, but this time with the details of the key words at the end probs you will get to see that we use 0xce165c.
Just looked at your configuration again and before you do the upgrade please correct this:
list of access vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
extended vpn 192.168.11.0 ip access list allow 255.255.255.0 192.168.10.0 255.255.255.0
Just remove the second line:
no -access extended vpn ip 192.168.11.0 list allow 255.255.255.0 192.168.10.0 255.255.255.0
Also:
No outside_map interface card crypto outside
and then:
outside_map interface card crypto outside
See if that helps before perforrming upgrade,
Kind regards.
-
Have a vpn site to site of work, added second who has problems
We've had a success vpn site to site working for several months now. It's a 5510 ASA to Headquarters for an ASA 5505 in a branch in another State. We add a second vpn site to site in another State this time of the AC to a Sonicwall TZ100. After connecting the Sonicwall to the Qwest modem in bridge mode tunnel came right up. I was unable to ping all off the coast of the private IPs to the HQ of the new branch, but was able to use the remote desktop in servers and workstations at Headquarters. Also, all computers appear when you browse the network of the new branch.
The first part, we are able to ping both directions and use remote desktop in both directions.
When using tracers of package in ASDM on the ASA HQ and rattling one of the IPs in HQ protected network to an IP address in the new network of agencies EXEMPT from NAT looks good, but when it hits the first NAT it fits on the "dynamic translation to the pool (10.1.255.254) 10 [Interface PAT]" (which is the default route to all VLAN access to Internet).
Next NAT (subtype - host-limits) is more beautiful and this one goes to the IP address of the external interface of the ASA 5510 HQ, but then the third NAT (subtype - rpf-check) returns to the ' 10 (10.1.255.254) Interface PAT] "and the package is ABANDONED. Also there is no step VPN in Packet Tracer after NAT.
So obviously the HQ ASA 5510 does not consider this to be interesting traffic but I don't know why.
Here is the output of sh crypto ipsec his ffrom HQ ASA:
Interface: outside
Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.Xaccess-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr, mask, prot, port): (10.1.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.14.72#pkts program: 229450, #pkts encrypt: 229450, #pkts digest: 229450
#pkts decaps: 172516, #pkts decrypt: 172516, #pkts check: 172516
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 229450, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 91860025SAS of the esp on arrival:
SPI: 0x88957B9C (2291497884)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 59068
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0 x 91860025 (2441478181)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 59068
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X
access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
local ident (addr, mask, prot, port): (10.1.10.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
current_peer: 65.102.x.x#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: A204BAE2SAS of the esp on arrival:
SPI: 0xDA8C653A (3666634042)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 84670
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0xA204BAE2 (2718218978)
transform: esp-3des esp-md5-hmac no compression
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 2600960, crypto-card: outside_map
calendar of his: service life remaining key (s): 84621
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Here is the output of sh crypto isakmp his on HQ ASA:
3 peer IKE: 65.102.x.x
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
Here is the config:
ASA Version 8.0 (4)
!
hostname COMPASA
domain COMPfirm.com
activate the encrypted password of TMACBloMlcBsq1kp
TMACBloMlcBsq1kp encrypted passwd
names of
DNS-guard
!
interface Ethernet0/0
nameif outside
security-level 0
IP 209.X.X.X 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
10.2.2.1 IP address 255.255.255.0
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa804 - k8.bin
passive FTP mode
clock timezone MDT - 7
clock to summer time recurring MDT
DNS domain-lookup outside
DNS server-group DefaultDNS
Name-Server 4.2.2.1
domain COMPfirm.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
list of allowed inbound tcp extended access any host 209.X.X.X eq www
list of allowed inbound tcp extended access any host 209.X.X.X eq https
list of allowed inbound tcp extended access any host 209.X.X.X eq ftp
list of allowed inbound tcp extended access any host 209.X.X.X eq ftp - data
list of allowed inbound tcp extended access any host 209.X.X.X eq ssh
list of allowed inbound tcp extended access any host 209.X.X.X eq imap4
list of allowed inbound tcp extended access any host 209.X.X.X eq pop3
list of allowed inbound tcp extended access any host 209.X.X.X eq www
list of allowed inbound tcp extended access any host 209.X.X.X eq https
list of allowed inbound tcp extended access any host 209.X.X.X eq smtp
list of extended inbound icmp permitted access a whole
access list entering note MMS-1755
list incoming extended access permit tcp any eq 1755 host inactive 209.X.X.X
inbound access list notice MMS - UDP
list of inbound udp allowed extended access all eq 1755 host inactive 209.X.X.X
DMZ list extended access permit tcp host 10.2.2.2 10.1.1.11 host eq smtp
DMZ list extended access permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
access-list extended sheep allowed ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.0.0.0 255.255.255.0
access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
access extensive list ip 10.1.0.0 vpnsplit allow 255.255.0.0 172.16.22.0 255.255.255.0
access extensive list ip 10.1.10.0 encrypt_acl allow 255.255.255.0 10.0.0.0 255.255.255.0
permit encrypt_acl to access extended list ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
global_mpc list extended access permitted tcp a whole
access-list encrypt_acl-30 scope ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
access-list encrypt_acl-30 permit extended ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
management of MTU 1500
IP local pool vpnpool 172.16.22.1 - 172.16.22.254 mask 255.255.255.0
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ASDM image disk0: / asdm - 61551.bin
don't allow no asdm history
ARP timeout 14400
Global (outside) 10 209.X.X.X netmask 255.255.255.0
Global interface (10 Interior)
Global interface (dmz) 10
NAT (inside) 0 access-list sheep
NAT (inside) 10 0.0.0.0 0.0.0.0
NAT (dmz) 10 0.0.0.0 0.0.0.0
static (dmz, external) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
static (inside, outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
static (dmz, inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside, dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
Access-group interface incoming outside
Access-group in interface dmz dmz
Route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
Route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Ray of AAA-server vpn Protocol
AAA-server vpn (inside) host 10.1.1.12
key--> ZZZZZZ
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
local AAA authentication attempts 16 max in case of failure
Enable http server
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
No snmp server location
No snmp Server contact
Sysopt noproxyarp inside
Sysopt noproxyarp dmz
Sysopt noproxyarp management
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac HQset
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 10 the transform-set ESP-3DES-MD5 value
life together - the association of security crypto dynamic-map outside_dyn_map 10 28800 seconds
Crypto-map dynamic outside_dyn_map 10 kilobytes of life together - the association of safety 4608000
Crypto-map dynamic outside_dyn_map 10 the value reverse-road
card crypto outside_map 20 match address encrypt_acl
card crypto outside_map 20 game peers 67.42.X.X
outside_map 20 game of transformation-HQset crypto card
life safety association set card crypto outside_map 20 28800 seconds
card crypto outside_map 20 set security-association life kilobytes 4608000
card crypto 30 match address encrypt_acl-30 outside_map
crypto outside_map 30 peer 65.102.X.X card game
crypto outside_map 30 card value transform-set HQset
86400 seconds, duration of life card crypto outside_map 30 set - the security association
card crypto outside_map 30 set security-association life kilobytes 4608000
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
Crypto isakmp nat-traversal 50
Telnet 10.1.0.0 255.255.0.0 inside
Telnet timeout 15
SSH 0.0.0.0 0.0.0.0 outdoors
SSH 10.1.0.0 255.255.0.0 inside
SSH timeout 30
Console timeout 0
management-access inside
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
threat scan-threat detection
threat detection statistics
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
Server NTP 192.43.244.18
WebVPN
allow outside
SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image
enable SVC
tunnel-group-list activate
internal Clients_VPN group strategy
Group Policy Clients_VPN attributes
value of server WINS 10.1.1.12
value of server DNS 10.1.1.12
Protocol-tunnel-VPN IPSec
enable IPSec-udp
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpnsplit
value by default-field COMPfirm.local
Split-dns value COMPfirm.local
the address value vpnpool pools
internal clientgroup group policy
attributes of the strategy of group clientgroup
value of server WINS 10.1.1.12
value of server DNS 10.1.1.12
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelall
WebVPN
SVC Dungeon-Installer installed
time to generate a new key of SVC 30
SVC generate a new method ssl key
SVC request no svc default
ssluser1 encrypted password username
username bcurtis encrypted password privilege 0 v
username privilege 15 WPDR encrypted password
username admin privilege 15 encrypted password
username privilege password encrypted XXXXXXX 0
tunnel-group M & J type remote access
tunnel-group M & J - global attributes
address vpnpool pool
Vpn server authentication group
strategy - by default-group Clients_VPN
tunnel-group M & J ipsec-attributes
pre-shared-key *.
type tunnel-group sslgroup remote access
tunnel-group sslgroup General-attributes
address vpnpool pool
Vpn server authentication group
Group Policy - by default-clientgroup
tunnel-group sslgroup webvpn-attributes
activation of the Group sslgroup_users alias
tunnel-group 67.42.X.X type ipsec-l2l
IPSec-attributes tunnel-group 67.42.X.X
pre-shared-key *.
tunnel-group 65.102.X.X type ipsec-l2l
IPSec-attributes tunnel-group 65.102.X.X
pre-shared-key *.
!
Global class-card class
corresponds to the global_mpc access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 768
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Global category
IPS inline sensor vs0 relief
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
: endIs the problem may be due to the fact that my 2 new ACL to fall "encrypt_acl-30" after "access-list extended global_mpc permit tcp any any" in the config and it flows into the implied all refuse?
Thanks for looking at this.
Rather than replace the static route, you can simply add a new static route to 10.1.8.0/24 as follows:
outdoor 10.1.8.0 255.255.255.0 209.X.X.X 1
Because it is more precise it will take precedence over your most generic static route from 10.1.0.0/16 inward.
Good spot btw!
-
Problem with the VPN site to site for the two cisco asa 5505
Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.
Cisco Config asa1
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access managementdhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Cisco ASA 2 config
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the httpFor IKEv2 configuration: (example config, you can change to encryption, group,...)
-You must add the declaration of exemption nat (see previous answer).
-set your encryption domain ACLs:
access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip
-Set the Phase 1:
Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400-Set the Phase 2:
Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol-set the Group of tunnel
tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123
IKEv2 authentication local pre-shared-key cisco123-Define the encryption card
address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity addressOn your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)
Thank you
-
problem with users to access remote vpn site to site vpn network
I did the Setup: asa 5510 configured remote access vpn. My vpn users receive asa 5510 range 192.168.50.0/24 addresses and users access my local lan 192.168.0.0/24. the second side of the local lan 192.168.0.0/24 on asa 5505, I did a vpn site-to-site with network 192.168.5.0/24.on that both sides of a site are asa 5505. inside the interface asa 5510 Elise 192.168.0.10 and inside the interface asa 5505 have address 192.168.0.17.third asa 5505 networked 192.168.5.0/24 address 192.168.5.1. I want my remote access vpn users can access resources on network 192.168.5.0/24. I create the static route on inside the asa 5510 static route 192.168.5.0 interface 255.255.255.0 192.168.0.17 and a static route on inside the asa 5505 static route 192.168.50.0 interface 255.255.255.0 192.168.0.10, but it's not working. What do I do?
execution of the configuration of my asa 5510 is
Result of the command: "show run"
: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name dri.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.201
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 444
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object network DMZ
host 172.16.20.200
object network Inside_DMZ
host 192.168.0.20
object service rdp
service tcp destination eq 3389
object network DRI_PS99
host 192.168.0.54
object service microsoft_dc
service tcp destination eq 445
object service https448
service tcp destination eq 448
object network mail_server_internal
host 172.16.20.201
object service Acronis_remote
service tcp destination eq 9876
object service Acronis_25001
service tcp destination eq 25001
object service HTTP3000
service tcp destination eq 3000
object network VPNPOOL
subnet 192.168.50.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object object admin_port
service-object object ssl
service-object object tls
service-object object https448
object-group service DM_INLINE_SERVICE_2
service-object object admin_port
service-object object https448
service-object object ssl
service-object object tls
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_3
service-object object admin_port
service-object object https448
service-object object ssl
service-object tcp destination eq smtp
service-object object tls
service-object object Acronis_remote
service-object tcp destination eq www
service-object object Acronis_25001
service-object object microsoft_dc
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object object Acronis_25001
service-object object Acronis_remote
service-object object microsoft_dc
service-object tcp destination eq www
service-object tcp
service-object ip
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object mail
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ extended permit object-group DM_INLINE_SERVICE_4 172.16.20.0 255.255.255.0 any
access-list DMZ extended permit object-group DM_INLINE_SERVICE_3 host 172.16.20.201 any
access-list DMZ extended permit object-group DM_INLINE_PROTOCOL_1 172.16.20.0 255.255.255.0 any inactive
access-list DMZ extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
object network mail
nat (DMZ,outside) static x.x.x.180
access-group outside_access_in in interface outside
access-group DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 178.254.133.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record dripolisa
aaa-server DRI protocol ldap
aaa-server DRI (inside) host 192.168.0.20
ldap-base-dn DC=dri,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet 192.168.1.12
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 195.222.96.223
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.14-192.168.0.45 inside
!
dhcpd address 172.16.20.2-172.16.20.150 DMZ
dhcpd dns x.x.x.177 interface DMZ
dhcpd auto_config outside interface DMZ
dhcpd option 6 ip x.x.x.177 interface DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_x.x.x.223 internal
group-policy GroupPolicy_x.x.x.223 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 192.168.0.20 192.168.0.254
vpn-simultaneous-logins 10
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-network-list value Split_Tunnel_List
default-domain value dri.local
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
address-pool vpnadrese
authentication-server-group DRI
default-group-policy drivpn
tunnel-group drivpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.223 type ipsec-l2l
tunnel-group x.x.x.223 general-attributes
default-group-policy GroupPolicy_x.x.x.223
tunnel-group x.x.x.223 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect ip-options
inspect netbios
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:69c651e94663fc570b67e0c4c0dcbae1
: endrunning config asa 5505
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address
logging recipient-address level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.13.74.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:4767b6764cb597f0a7b8b138587d4192
: endThank you
Hello
I have previously edited the my initial response was in fact not necessary since you were actually using full Tunnel
EDIT: Actually just noticed the the VPN client isnt using Split Tunnel. Its Full Tunnel at the moment since it doesnt have the "split-tunnel-policy tunnelspecified"
So you don't really have any of those.
Please mark the question answers and/or assess response
Ask more if necessary
-Jouni
-
Hi all
I have a very weird problem (at least for me)
I have a UC520 connected to an ASA5510 via the VPN Site to Site.
I can ping from clients behind customer UC520 behind ASA5510.
I can ping from clients behind ASA5510 customer behind UC520
I can access services (such as RDP) clients behind customer UC520 behind ASA5510
I can't go to services (such as RDP, HTTP) clients behind customer ASA5510 behind UC520
Does anyone have an idea where I should look? I tried to remove any access list by (temporarily) to a permit ip everything any line in these.
I think it must be some sort of NAT problem, but I'm not sure.
Thanks in advance
You said your UC logs revealed nothing trying to connect a.11 et.12, this means that traffic is never achieved to the CPU at all, got to the UC and was abandoned before entering the LAN or traffic got to the hosts but never returned.
Internal hosts to other outgoing routes defined on them (unlikely but possible), and you can check that traffic is through the UC outside interface at least?
-
Cisco ASA 5505 VPN Site to Site
Hi all
First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..
I'd appreciate any help that can be directed to this problem please. Slowly losing my mind
Please see details below:
Two ADMS are 7.1
IOS
ASA 1
Nadia
:
ASA Version 9.0 (1)
!
hostname PAYBACK
activate the encrypted password of HSMurh79NVmatjY0
volatile xlate deny tcp any4 any4
volatile xlate deny tcp any4 any6
volatile xlate deny tcp any6 any4
volatile xlate deny tcp any6 any6
volatile xlate deny udp any4 any4 eq field
volatile xlate deny udp any4 any6 eq field
volatile xlate deny udp any6 any4 eq field
volatile xlate deny udp any6 any6 eq field
2KFQnbNIdI.2KYOU encrypted passwd
names of
local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
link Trunk Description of SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk vlan 1 native
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
No nameif
no level of security
no ip address
!
interface Vlan2
nameif outside
security-level 0
IP 92.51.193.158 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
IP 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
address 192.168.20.1 255.255.255.0
!
Vlan30 interface
nameif printers
security-level 100
192.168.30.1 IP address 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
192.168.40.1 IP address 255.255.255.0
!
connection line banner welcome to the Payback loyalty systems
boot system Disk0: / asa901 - k8.bin
passive FTP mode
summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
domain-lookup DNS servers
DNS lookup domain printers
DNS domain-lookup wireless
DNS server-group DefaultDNS
Server name 83.147.160.2
Server name 83.147.160.130
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
ftp_server network object
network of the Internal_Report_Server object
Home 192.168.20.21
Description address internal automated report server
network of the Report_Server object
Home 89.234.126.9
Description of server automated reports
service object RDP
service destination tcp 3389 eq
Description RDP to the server
network of the Host_QA_Server object
Home 89.234.126.10
Description QA host external address
network of the Internal_Host_QA object
Home 192.168.20.22
host of computer virtual Description for QA
network of the Internal_QA_Web_Server object
Home 192.168.20.23
Description Web Server in the QA environment
network of the Web_Server_QA_VM object
Home 89.234.126.11
Server Web Description in the QA environment
service object SQL_Server
destination eq 1433 tcp service
network of the Demo_Server object
Home 89.234.126.12
Description server set up for the product demo
network of the Internal_Demo_Server object
Home 192.168.20.24
Internal description of the demo server IP address
network of the NETWORK_OBJ_192.168.20.0_24 object
subnet 192.168.20.0 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_26 object
255.255.255.192 subnet 192.168.50.0
network of the NETWORK_OBJ_192.168.0.0_16 object
Subnet 192.168.0.0 255.255.0.0
service object MSSQL
destination eq 1434 tcp service
MSSQL port description
VPN network object
192.168.50.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.50.0_24 object
192.168.50.0 subnet 255.255.255.0
service object TS
tcp destination eq 4400 service
service of the TS_Return object
tcp source eq 4400 service
network of the External_QA_3 object
Home 89.234.126.13
network of the Internal_QA_3 object
Home 192.168.20.25
network of the Dev_WebServer object
Home 192.168.20.27
network of the External_Dev_Web object
Home 89.234.126.14
network of the CIX_Subnet object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the NETWORK_OBJ_84.39.233.50 object
Home 84.39.233.50
network of the NETWORK_OBJ_92.51.193.158 object
Home 92.51.193.158
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
the tcp destination eq ftp service object
the purpose of the tcp destination eq netbios-ssn service
the purpose of the tcp destination eq smtp service
service-object TS
the Payback_Internal object-group network
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
service-object TS
service-object, object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object RDP
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
object-group service DM_INLINE_SERVICE_5
purpose purpose of the MSSQL service
service-object RDP
service-object TS
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service DM_INLINE_SERVICE_6
service-object TS
service-object, object TS_Return
the purpose of the service tcp destination eq www
the purpose of the tcp destination eq https service
Note to outside_access_in to access list that this rule allows Internet the interal server.
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-list of FTP access
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list of SMTP access
Note to outside_access_in to access list Net Bios
Comment from outside_access_in-SQL access list
Comment from outside_access_in-list to access TS - 4400
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server
access host access-list outside_access_in note rule internal QA
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www
Notice on the outside_access_in of the access-list access to the internal Web server:
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-HTTP access list
Comment from outside_access_in-RDP access list
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server
Note to outside_access_in to access list rule allowing access to the demo server
Notice on the outside_access_in of the access-list allowed:
Comment from outside_access_in-RDP access list
Comment from outside_access_in-list to access MSSQL
outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
Note to outside_access_in access to the development Web server access list
outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
AnyConnect_Client_Local_Print deny any4 any4 ip extended access list
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd
Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631
print the access-list AnyConnect_Client_Local_Print Note Windows port
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353
AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol
AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355
Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print
AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137
AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns
Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0
permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
Enable logging
information recording console
asdm of logging of information
address record
the journaling recipient
level alerts
Outside 1500 MTU
Within 1500 MTU
MTU 1500 servers
MTU 1500 printers
MTU 1500 wireless
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-711 - 52.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (wireless, outdoors) source Dynamics one interface
NAT (servers, outside) no matter what source dynamic interface
NAT (servers, external) static source Internal_Report_Server Report_Server
NAT (servers, external) static source Internal_Host_QA Host_QA_Server
NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM
NAT (servers, external) static source Internal_Demo_Server Demo_Server
NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
NAT (servers, external) static source Internal_QA_3 External_QA_3
NAT (servers, external) static source Dev_WebServer External_Dev_Web
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1ASA 2
ASA Version 9.0 (1)
!
Payback-CIX hostname
activate the encrypted password of HSMurh79NVmatjY0
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
Description this port connects to the local network VIRTUAL 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
IP 84.39.233.50 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
IP 192.168.100.1 address 255.255.255.0
!
banner welcome to Payback loyalty - CIX connection line
passive FTP mode
summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00
DNS domain-lookup outside
DNS lookup field inside
DNS server-group defaultDNS
Name-Server 8.8.8.8
Server name 8.8.4.4
permit same-security-traffic inter-interface
network obj_any object
subnet 0.0.0.0 0.0.0.0
network of the host-CIX-1 object
host 192.168.100.2
Description This is the VM server host machine
network object host-External_CIX-1
Home 84.39.233.51
Description This is the external IP address of the server the server VM host
service object RDP
source between 1-65535 destination eq 3389 tcp service
network of the Payback_Office object
Home 92.51.193.158
service object MSQL
destination eq 1433 tcp service
network of the Development_OLTP object
Home 192.168.100.10
Description for Eiresoft VM
network of the External_Development_OLTP object
Home 84.39.233.52
Description This is the external IP address for the virtual machine for Eiresoft
network of the Eiresoft object
Home 146.66.160.70
Contractor s/n description
network of the External_TMC_Web object
Home 84.39.233.53
Description Public address to the TMC Web server
network of the TMC_Webserver object
Home 192.168.100.19
Internal description address TMC Webserver
network of the External_TMC_OLTP object
Home 84.39.233.54
External targets OLTP IP description
network of the TMC_OLTP object
Home 192.168.100.18
description of the interal target IP address
network of the External_OLTP_Failover object
Home 84.39.233.55
IP failover of the OLTP Public description
network of the OLTP_Failover object
Home 192.168.100.60
Server failover OLTP description
network of the servers object
subnet 192.168.20.0 255.255.255.0
being Wired network
192.168.10.0 subnet 255.255.255.0
the subject wireless network
192.168.40.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.100.0_24 object
255.255.255.0 subnet 192.168.100.0
network of the NETWORK_OBJ_192.168.10.0_24 object
192.168.10.0 subnet 255.255.255.0
network of the Eiresoft_2nd object
Home 137.117.217.29
Description 2nd Eiresoft IP
network of the Dev_Test_Webserver object
Home 192.168.100.12
Description address internal to the Test Server Web Dev
network of the External_Dev_Test_Webserver object
Home 84.39.233.56
Description This is the PB Dev Test Webserver
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_2
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_3
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_4
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_5
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_6
service-object MSQL
service-object RDP
the Payback_Intrernal object-group network
object-network servers
Wired network-object
wireless network object
object-group service DM_INLINE_SERVICE_7
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_8
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_9
service-object MSQL
service-object RDP
object-group service DM_INLINE_SERVICE_10
service-object MSQL
service-object RDP
the tcp destination eq ftp service object
object-group service DM_INLINE_SERVICE_11
service-object RDP
the tcp destination eq ftp service object
outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1
Note to access list OLTP Development Office of recovery outside_access_in
outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group
Comment from outside_access_in-access Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group
Note to outside_access_in access to OLTP for target recovery Office Access list
outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group
Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server
outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group
Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft
outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group
Note to outside_access_in access from the 2nd IP Eiresoft access list
outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group
outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group
outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) source Dynamics one interface
NAT (inside, outside) static source CIX-host-1 External_CIX-host-1
NAT (inside, outside) static source Development_OLTP External_Development_OLTP
NAT (inside, outside) static source TMC_Webserver External_TMC_Web
NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP
NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover
NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 92.51.193.156 255.255.255.252 outside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: endHello
There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.
All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.
Here are a few suggestions on what to change
ASA1
Minimal changes
the object of the LAN network
192.168.10.0 subnet 255.255.255.0
being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.
Other suggestions
These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.
PAT-SOURCE network object-group
source networks internal PAT Description
object-network 192.168.10.0 255.255.255.0
object-network 192.168.20.0 255.255.255.0
object-network 192.168.40.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
no nat (wireless, outdoors) source Dynamics one interface
no nat (servers, outside) no matter what source dynamic interface
The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.
Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.
network of the SERVERS object
subnet 192.168.20.0 255.255.255.0
network of the VPN-POOL object
192.168.50.0 subnet 255.255.255.0
NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL
no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination
The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
ASA2
Minimal changes
the object of the LAN network
255.255.255.0 subnet 192.168.100.0
being REMOTE-LAN network
192.168.10.0 subnet 255.255.255.0
NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination
That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.
Finally, we remove the old rule that generated the ASDM.
Other suggestions
PAT-SOURCE network object-group
object-network 192.168.100.0 255.255.255.0
NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source
No source (indoor, outdoor) nat Dynamics one interface
The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.
no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.
I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.
Hope this makes any sense and has helped
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary
-Jouni
-
VPN site to Site from one-way data (need help)
Hello
Scenario:
VPN site to Site with Cisco 837 routers:
Place: Clients and printers
Site B: server queues and Print
Site A can communicate via VPN using RDP to site B, very well.
Question:
Site B cannot send print jobs to printers on the Site A. also unable to telnet and other access devices on the Site A of the Site (B) Pings work correctly but to all devices.
Debugging on site an access-list 110 showed no response traffic to the Site B via the VPN?
I tried change ip tcp adjust 1452 but not good...
Attached configs.
An IOS - c837-k9o3y6 - mz.123 - 4.T3.bin site
SITE B IOS - c837-k9o3sy6 - mz.123 - 2.XC2.bin
Any help would be appreciated.
Thank you very much...
Thank you for including the configs and IOS versions. Looks like you hit a bug known to FW IOS (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), you can perform debugging as described in details to see for sure. It is difficult to understand what router would be the culprit in a scenario when both run on a tunnel L2L CBAC, but probably RouterA is dropping packets. This would also explain why pings work but TCP connections are not.
I would upgrade TWO routers to be the same version anyway, you encounter far fewer problems in this way, but make sure that you upgrade to one fixed-In version (or later version), has to work around the problem.
-
VPN site to site UP, but no traffic
Dear friends,
I did a VPN site to site using ASA 5555 02 in each site running the Version of the software 9.2 (4).
The VPN is UP, as shown below:
ASA-SSP-Pri (config) # sh isak his
There are no SAs IKEv1
IKEv2 SAs:
Session-id: 1, State: UP-ACTIVE, IKE County: 1, number of CHILDREN: 1
Tunnel-id Local remote status role
201.23.100.130/500 268373031 200.174.36.19/500 LOAN MACHINE
BA: AES - CBC, keysize: 256, Hash: SHA96, Grp:5 DH, Auth sign: PSK, Auth check: PSK
Duration of life/active: 86400/272 sec
His child: selector local 10.69.0.0/0 - 10.69.0.255/65535
selector of distance 10.12.20.0/0 - 10.12.20.255/65535
SPI ESP/output: 0xf89430e6/0x86a5cd8fBut when I try to ping from one site to another, is not possible, the result of the ping command is '?
I did some research on this problem and a lot of people say that Miss crypto isakmp nat-traversal 20 command, but this command is already enabled.
Exempt from NAT is enabled and I did tests of deactivation as well.
Hello
The last thing I think is that there is a SPINNAKER twice on the table of the asp and that is why the traffic is not encrypted everything seems correct, run the following command on the ASA:
clear crypto ipsec its inactive
test again
-
Hello please could someone help me regarding my PROBLEM with VPN site-to-site.
I have installation of gateway to gateway unfortunetly I don't have any static IP address, so I have 2 accounts of DynDNS.org on two installation Sites. The two RV042 connect to another router/Modem.
I put the two as router in router Mode and not as a gateway. The VPN status remains tab just to "waiting for connection" I can see the dynamic IP address to connect remotely on the main site and distance from each other. I can ping so two dyndns names. But unable to connect...
The VPN log shows the following.
ERROR: error report asynchronous network on eth1 to message to the port of 105.237.1.xx 500, complainant 192.168.137.153: no route to the host [errno 148, original ICMP type 3 code 1 (unauthenticated)]
What is the main site and 192.168.138.0 the remote site, the main site has a subnet of 192.168.137.0
Please could someone help me or point me in the right direction? Thanks in advance.
Hi Stephen, it may be a few problems. The first is maybe that you said that you have a modem/router device, this means that it is for the RV042 nating. If that's the case then the modems/routers upstream need port forwarding to go to the RV042. ICMP type 3 is a destination unreachable error. That means subnet remote th could not be reached by the applicant rv042. This can withdraw your NAT problem with modems/routers.
So, first thing I would do is port before all the RV042 services to make sure that the firewall on the modems/routers aren't pipe upward works.
-Tom
Please mark replied messages useful
Maybe you are looking for
-
Cannot install driver for hp pavilion dv4-2045dx cd player
Computer: HP Pavilion dv4 2045dx using Windows 7 (64-bit) I currently have problems with my computer's CD drive. He has been unable to read discs of any kind of music, DVDS and software programs for several months now. The main problem seems to be
-
Knoppix 3.6 on working Tecra A3
Finally, I installed Knoppix 3.6 on a separate partition created using Partition magic.1. his works although not very strong.2. battery monitoring works3 modem works using slmodem2.9.9epre2.4 fn keys to control the brightness screen work5. press on p
-
Hello I'm new to the Forum and I need help with a problem. My laptop only turns on when I press the power button. A small light flashes for a while, but other wise, nothing happens. Above the light that blinks, is a symbol of... small lightning bolt
-
HP Pavilion - 17-f184ca: processor upgrade
Hello How can know witch cpu are compatible with my HP Pavilion computer - 17-f184ca Model N °: J9M13UASerial No.: [personal information]
-
Using variables shared between the different versions of labview
Hello I look at the use of variables shared between two different versions of LabVIEW. We have a 2 of the PXI system and a single PC. We are currently updating the code on the PXI system to 2014, but the PC still work 8.2.1. We now need a map of ARIN