Quick question on site to site vpn to ASA 8.2 code
Hi, I seem to remember that if you change the settings of vpn through the CLI you must remove the front interface cryptographic card & reapply after. This is always the case - that is to say you have to have the existing vpn downtime when counterparts added new vpn - FYI we run code 8.2 for our ASA...
I can't imagine this to be the case...
TIA
Mark
Hello
There is no need to remove the encryption from the interface card more.
If you delete the peer say... you get a card crypto incomplete... error but that's all.
Federico.
Tags: Cisco Security
Similar Questions
-
Order of operations NAT on Site to Site VPN Cisco ASA
Hello
I have a question about the order of operations NAT on Site to Site VPN Cisco ASA 8.2.x. I have a scenario where the internal IP address of the range 10.17.128.x are NATTED IP public 31.10.10.x. below is the config:
Tunnel normally passes traffic to dmz - 31.10.11.10, 31.10.11.11 servers.
But the servers NATTED (10.17.128.x <->31.10.10.x) does not work.
inside_map crypto 50 card value transform-set ESP-3DES-SHA
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 General-attributes
Group Policy - by default-PHX_HK
IPSec-attributes tunnel-group 100.1.1.1
pre-shared key *.
internal PHX_HK group policy
PHX_HK group policy attributes
VPN-filter no
Protocol-tunnel-VPN IPSec svc webvpn
card crypto inside_map 50 match address outside_cryptomap_50
peer set card crypto inside_map 50 100.1.1.1
inside_map crypto 50 card value transform-set ESP-3DES-SHA
inside_map crypto 50 card value reverse-road
the PHX_Local object-group network
host of the object-Network 31.10.11.10
host of the object-Network 31.10.11.11
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
host of the object-Network 10.17.128.20
host of the object-Network 10.17.128.21
host of the object-Network 10.17.128.22
host of the object-Network 10.17.128.23
the HK_Remote object-group network
host of the object-Network 102.1.1.10
inside_nat0_outbound list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
ACL_INSIDE list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
ACL_OUTSIDE list extended access permitted ip object-group HK_Remote-group of objects PHX_Local
outside_cryptomap_50 list extended access permitted ip object-group PHX_Local-group of objects HK_Remote
Route outside 102.1.1.10 255.255.255.255 30.1.1.1 1
public static 31.10.10.10 (Interior, exterior) 10.17.128.20 netmask 255.255.255.255
public static 31.10.10.11 (Interior, exterior) 10.17.128.21 netmask 255.255.255.255
public static 31.10.10.12 (Interior, exterior) 10.17.128.22 netmask 255.255.255.255
public static 31.10.10.13 (Interior, exterior) 10.17.128.23 netmask 255.255.255.255
He started to work when I did another group of object by name PHX_Local1 and added to the list of access inside_nat0_outbound, instead of the object group PHX_Local, as below:
the PHX_Local1 object-group network
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
No inside_nat0_outbound access list extended only to allowed ip object-group PHX_Local-group of objects HK_Remote
inside_nat0_outbound list extended access permitted ip object-group PHX_Local1-group of objects HK_Remote
Can you please help me understand why group object PHX_Local failed with access-list inside_nat0_outbound, but he began to work with the Group of objects PHX_Local1.
Also, if you could tell me the order of operations to NAT via VPN Site to Site, it would be useful.
Thank you
Kind regards
Thomas
Hello
I think you could have said the original question in a way that could be missleading. In other words, if I understand now.
From what I understand now, you have the DMZ set up the server that are measured with a public IP address on the real servers. And for those that you have configured NAT0.
Then you have other servers that do not have public IP addresses themselves, but they are translated on the SAA.
If this is the case, then the next question would be. The server with the NAT should attend the L2L VPN connection with their real IP or address IP NAT.
Of course if you configure static NAT for the same servers and NAT0 the NAT0 will always win.
You have these guests who were not able to use the VPN L2L
31.10.10.10 10.17.128.20
31.10.10.11 10.17.128.21
31.10.10.12 10.17.128.22
31.10.10.13 10.17.128.23
IF you want them to go to the VPN L2L with their original IP address then you must configure
object-group, LAN->
host of the object-Network 10.17.128.20
host of the object-Network 10.17.128.21
host of the object-Network 10.17.128.22
host of the object-Network 10.17.128.23
object-group, REMOTE network
host of the object-Network 102.1.1.10
inside_nat0_outbound list extended access allowed ip-group of objects LOCAL object-group remote
outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote
IF you want to use the L2L VPN with the public IP address, then you must configure
object-group, LAN
host of the object-Network 31.10.10.10
host of the object-Network 31.10.10.11
host of the object-Network 31.10.10.12
host of the object-Network 31.10.10.13
object-group, REMOTE network
host of the object-Network 102.1.1.10
outside_cryptomap_50 list extended access allowed ip-group of objects LOCAL object-group remote
EDIT: in this case you naturally do not configure any NAT0 for actual IP addresses we want precisely the IP addresses to be visible to the L2L VPN with the IP NAT address.
Or you can of course use the same "object-group" as currently but change the content in an appropriate manner
Be sure to mark it as answered if it was answered.
Ask more if necessary
-Jouni
-
Troubleshooting IPSec Site to Site VPN between ASA and 1841
Hi all
in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.
I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).
I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.
It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),
On the ASA:
Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.
address of the peers: 217.86.154.120
Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.ccaccess extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
current_peer: 217.xx.yy.zz#pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: 39135054
current inbound SPI: B2E9E500SAS of the esp on arrival:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4374000/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001
outgoing esp sas:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac no compression
running parameters = {L2L, Tunnel, PFS 2 group}
slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
calendar of his: service life remaining (KB/s) key: (4373976/1598)
Size IV: 8 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001Output of the command: "sh crypto isakmp his."
HIS active: 4
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 4IKE Peer: 217.xx.yy.zz
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEOn the 1841
1841 crypto isakmp #sh its
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE1841 crypto ipsec #sh its
Interface: Dialer1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
current_peer 62.153.156.163 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
current outbound SPI: 0xB2E9E500 (3001672960)
PFS (Y/N): Y, Diffie-Hellman group: group2SAS of the esp on arrival:
SPI: 0 x 39135054 (957567060)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505068/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0xB2E9E500 (3001672960)
transform: esp-3des esp-sha-hmac.
running parameters = {Tunnel}
Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
calendar of his: service life remaining (k/s) key: (4505118/1306)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.
Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto. (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.
I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!
It's the running of the 1841 configuration
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
host name 1841
!
boot-start-marker
start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
boot-end-marker
!
logging buffered 51200 notifications
!
AAA new-model
!
!
AAA authentication login default local
!
AAA - the id of the joint session
!
iomem 20 memory size
clock timezone PCTime 1
PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
dot11 syslog
IP source-route
!
No dhcp use connected vrf ip
!
IP cef
no ip bootp Server
IP domain name test
name of the IP-server 194.25.2.129
name of the IP-server 194.25.2.130
name of the IP-server 194.25.2.131
name of the IP-server 194.25.2.132
name of the IP-server 194.25.2.133
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
object-group network phone
VoIP phone description
Home 172.20.2.50
Home 172.20.2.51
!
redundancy
!
!
controller LAN 0/0/0
atm mode
Annex symmetrical shdsl DSL-mode B
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 62.aa.bb.cc
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to62.aa.bb.cc
the value of 62.aa.bb.cc peer
game of transformation-ESP-3DES-SHA
PFS group2 Set
match address 100
!
!
!
interface FastEthernet0/0
DMZ description $ FW_OUTSIDE$
10.10.10.254 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
!
interface FastEthernet0/1
Description $ETH - LAN$ $FW_INSIDE$
IP 172.20.2.254 255.255.255.0
IP access-group 100 to
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1412
automatic duplex
automatic speed
!
ATM0/0/0 interface
no ip address
No atm ilmi-keepalive
!
point-to-point interface ATM0/0/0.1
PVC 1/32
PPPoE-client dial-pool-number 1
!
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP mtu 1452
NAT outside IP
IP virtual-reassembly
encapsulation ppp
Dialer pool 1
Dialer-Group 2
PPP authentication chap callin pap
PPP chap hostname xxxxxxx
PPP chap password 7 xxxxxxx8
PPP pap sent-name of user password xxxxxxx xxxxxxx 7
map SDM_CMAP_1 crypto
!
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
!
!
The dns server IP
IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
logging trap notifications
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 172.20.2.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 allow 10.10.10.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
Note CCP_ACL the access list 101 = 2 category
Note access-list 101 IPSec rule
access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 101 permit ip 172.20.2.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 2
Note access-list 102 IPSec rule
access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 101
!
allowed SDM_RMAP_2 1 route map
corresponds to the IP 102
!
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
length 0
transport input telnet ssh
!
Scheduler allocate 20000 1000
NTP-Calendar Update
NTP 172.20.2.250 Server prefer
endAs I mentioned previously: suspicion is much appreciated!
Best regards
Joerg
Joerg,
ASA receives not all VPN packages because IOS does not send anything.
Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)
The problem seems so on the side of the router.
I think that is a routing problem, but you only have one default gateway (no other channels on the router).
The ACL 100 is set to encrypt the traffic between the two subnets.
It seems that the ACL 101 is also bypassing NAT for VPN traffic.
Follow these steps:
Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.
I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.
Federico.
-
Site to Site VPN problem ASA 5505
Hello
I have a strange problem with a site to site VPN. I configured it completely and I added 3 of my internal networks to be encrypted and access the remote network across the tunnel.
For some reason, I can access the remote network of only two of the three internal networkls that I've specified.
Here is a copy of my config - if anyone has any info I would be happy of course.
Thank you
Kevin
FK - U host name. S. - Raleigh - ASA
domain appdrugs.com
activate 08PI8zPL2UE41XdH encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
name Maridian-primary-Net 192.168.237.0
Meridian-backup-Net 192.168.237.128 name
name 10.239.192.141 AccessSwitch1IDFB
name 10.239.192.143 AccessSwitch1IDFC
name 10.239.192.140 AccessSwitch1MDFA
name 10.239.192.142 AccessSwitch2IDFB
name CiscoCallManager 10.195.64.206
name 10.239.192.2 CoreSwitch1
name 10.239.192.3 CoreSwitch2
name 10.195.64.17 UnityVM
name 140.239.116.162 Outside_Interface
name 65.118.69.251 Meridian-primary-VPN
name 65.123.23.194 Meridian_Backup_VPN
DNS-guard
!
interface Ethernet0/0
Shutdown
No nameif
security-level 100
no ip address
!
interface Ethernet0/1
nameif outside
security-level 60
address IP Outside_Interface 255.255.255.224
!
interface Ethernet0/2
nameif Inside1
security-level 100
IP 10.239.192.7 255.255.255.128
!
interface Ethernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
nameif management
security-level 50
IP 192.168.1.1 255.255.255.0
management only
!
boot system Disk0: / asa804 - k8.bin
Disk0: / asa804.bin starting system
passive FTP mode
DNS domain-lookup outside
DNS domain-lookup Inside1
management of the DNS domain-lookup service
DNS server-group DefaultDNS
Server name 10.239.192.10
domain appdrugs.com
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
the DM_INLINE_NETWORK_1 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.0
object-network 10.239.192.128 255.255.255.128
object-group service DM_INLINE_SERVICE_1
the purpose of the ip service
ICMP service object
the purpose of the echo icmp message service
response to echo icmp service object
the DM_INLINE_NETWORK_2 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_3 object-group network
network-object 10.195.64.0 255.255.255.192
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_5 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
the DM_INLINE_NETWORK_6 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
object-group network Vital-network-hardware-access
host of the object-Network UnityVM
host of the CiscoCallManager object-Network
host of the object-Network AccessSwitch1MDFA
host of the object-Network AccessSwitch1IDFB
host of the object-Network AccessSwitch2IDFB
host of the object-Network AccessSwitch1IDFC
host of the object-Network CoreSwitch1
host of the object-Network CoreSwitch2
object-group service RDP - tcp
EQ port 3389 object
the DM_INLINE_NETWORK_7 object-group network
Maridian-primary-Net network object 255.255.255.128
Meridian-backup-Net network object 255.255.255.128
host of network-object Meridian-primary-VPN
host of the object-Network Meridian_Backup_VPN
the DM_INLINE_NETWORK_9 object-group network
host of the object-Network Outside_Interface
Group-object Vital-equipment-access to the network
object-group service DM_INLINE_SERVICE_2
will the service object
ESP service object
the purpose of the service ah
the eq isakmp udp service object
object-group service DM_INLINE_SERVICE_3
ICMP service object
the purpose of the echo icmp message service
response to echo icmp service object
the DM_INLINE_NETWORK_4 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
the DM_INLINE_NETWORK_8 object-group network
object-network 10.195.64.0 255.255.255.0
object-network 10.239.192.0 255.255.255.128
object-network 10.239.192.128 255.255.255.128
Outside_access_in list extended access permit icmp any any echo response
Access extensive list Maridian-primary-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_8 object-group enable
Access extensive list Meridian-backup-Net ip Outside_access_in 255.255.255.128 DM_INLINE_NETWORK_3 object-group enable
Inside_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
Access extensive list ip 10.239.192.0 Inside_nat0_outbound allow Maridian-primary-Net 255.255.255.0 255.255.255.128
Inside_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
Inside1_nat0_outbound to access ip 10.0.0.0 scope list allow 255.0.0.0 10.0.0.0 255.0.0.0
Inside1_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 ip
Inside1_nat0_outbound list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
Access extensive list ip 10.239.192.0 Inside1_nat0_outbound allow 255.255.255.0 10.239.199.0 255.255.255.192
Access extensive list ip 10.195.64.0 Inside1_nat0_outbound allow 255.255.255.192 10.239.199.0 255.255.255.192
Inside1_access_in to access ip 10.0.0.0 scope list allow 255.0.0.0 all
Outside_1_cryptomap list extended access allowed object-group DM_INLINE_SERVICE_1-DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128 objects
Outside_2_cryptomap list extended access permitted ip object-group Meridian-backup-Net DM_INLINE_NETWORK_2 255.255.255.128
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.0 255.255.255.128
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.195.64.0 255.255.255.0
permitted access Vital-network-Access_splitTunnelAcl-list standard 10.239.192.128 255.255.255.128
Access extensive list ip 10.239.199.0 Vital_VPN allow 255.255.255.192 object-group Vital-equipment-access to the network
Vital_VPN list extended access allow icmp 10.239.199.0 255.255.255.192 object-group Vital-equipment-access to the network
Vital_VPN of access allowed any ip an extended list
Outside_cryptomap_1 list extended access allowed object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128 ip
access list Vital-Site-to-site access extended allow ip object-DM_INLINE_NETWORK_5 group Vital-network-hardware-access object
Vital-Site-to-Site-access extended access list permits object-group DM_INLINE_SERVICE_3-group of objects DM_INLINE_NETWORK_6 object-group Vital-equipment-access to the network
Vital-Site-to-Site-access extended access list permits object-group objects object-group DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_7 DM_INLINE_SERVICE_2-group
pager lines 24
Enable logging
exploitation forest asdm warnings
Outside 1500 MTU
MTU 1500 Inside1
management of MTU 1500
mask IP local pool access remote 10.239.199.11 - 10.239.199.62 255.255.255.192
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 621.bin
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT (Inside1) 0-list of access Inside1_nat0_outbound
NAT (Inside1) 1 10.0.0.0 255.0.0.0
Access-group Outside_access_in in interface outside
Access-group Inside1_access_in in interface Inside1
Route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
Route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
Route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
Route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
Route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
Route out of the Maridian-primary-Net 255.255.255.0 Outside_Interface 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 66.104.209.192 255.255.255.224 outside
http 192.168.1.0 255.255.255.0 management
http 10.239.172.0 255.255.252.0 Inside1
SNMP-server host Inside1 10.239.132.225 community appfirestarter * #*.
location of Server SNMP Raleigh
contact Server SNMP Kevin mcdonald
Server SNMP community appfirestarter * #*.
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Server SNMP traps enable entity config change
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds
cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map
card crypto Outside_map 1 corresponds to the address Outside_cryptomap_1
card crypto Outside_map 1 peer set VPN-primary-Meridian
Outside_map 1 transform-set ESP-3DES-MD5 crypto card game
card crypto Outside_map 1 defined security-association life seconds 28800
card crypto Outside_map 1 set security-association kilobytes of life 4608000
card crypto Outside_map 2 corresponds to the address Outside_2_cryptomap
card crypto Outside_map 2 set peer Meridian_Backup_VPN
map Outside_map 2 game of transformation-ESP-3DES-MD5 crypto
card crypto Outside_map 2 defined security-association life seconds 28800
card crypto Outside_map 2 set security-association kilobytes of life 4608000
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
outside access management
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
tunnel-group-list activate
internal strategy of State civil-access to the network group
Group Policy attributes Vital access to the network
value of server DNS 10.239.192.10
value of VPN-filter Vital_VPN
Protocol-tunnel-VPN IPSec webvpn
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value vital-network-Access_splitTunnelAcl
value of remote access address pools
internal state civil-Site-to-Site-GroupPolicy group strategy
Civil-site-a-site-grouppolicy-strategie status of group attributes
value of VPN-filter Vital-Site-to-Site-access
Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
username APPRaleigh encrypted password m40Ls2r9N918trxp
username APPRaleigh attributes
VPN-group-policy Vital-network access
type of remote access service
username, password kmadmin u8urNz44/I.ugcF. encrypted privilege 15
tunnel-group 65.118.69.251 type ipsec-l2l
tunnel-group 65.118.69.251 General-attributes
Group Policy - by Defaut-vital-site-a-site-grouppolicy
IPSec-attributes tunnel-group 65.118.69.251
pre-shared-key *.
tunnel-group 65.123.23.194 type ipsec-l2l
tunnel-group 65.123.23.194 General-attributes
Group Policy - by Defaut-vital-site-a-site-grouppolicy
IPSec-attributes tunnel-group 65.123.23.194
pre-shared-key *.
remote access of type tunnel-group Vital access to the network
tunnel-group Vital access to the network general-attributes
Access to distance-address pool
Group Policy - by default-state civilian access to the network
tunnel-group Vital access to the network ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:a080b1759b57190ba65d932785ad4967
: endcan you confirm if we have the exact reflection of crypto acl at the other end
I feel may be you have a 24 10.239.192.0 255.255.255.0 on the other end in the remote network
can you please confirm that
also a reason, why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0
-
site to site vpn with ASA 5500 series SSL?
We have routers DLink DIR - 130 5505 s ASA and PIXen, all work well with our PIX 515E, we need to replace.
We also have Internet satellite in two places. High latency makes IPsec VPN to DLinks on these very slow sites.
We were informed by HughesNet that a SSL VPN will mitigate some of the problems of latency.
However, we cannot use a VPN client for the biometric timeclocks in these places, the clocks need static IP addresses and are more or less "dumb terminals".
The machine of series 5000 ASA VPN site to site similar to OpenVPN or only the most comment client-server type SSL VPN connections?
Thank you, Tom
Hi Thomas,
The SSL VPN on ASAs feature is a client/server relationship where the remote computer can connect without client (browser) or clientbased (AnyConnect) to the ASA.
Federico.
-
Remote VPN site to site vpn on ASA?
Hello
I would like to know if it is possible to have this configuration with an ASA5510:
(1) - remote access VPN (access by the external interface)
(2) - site to site VPN (same access interface)
The goal: users of vpn (1) can access the server remote vpn (2) and vice versa.
Is it possible? and what is the best practice to do?
Thank you very much!
J.
Yes, you can do it.
Same-security-traffic command traffic to enter and leave the interface even when used with the
keyword intra-interface, that allows the VPN support has spoke-to-spoke.
Here are a few examples.
http://www.Cisco.com/en/us/products/ps6120/prod_configuration_examples_list.html
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807f9a89.shtml
PIX / ASA 7.X: Add a new Tunnel or remote access to an existing L2L VPN
PIX / ASA 7.x enhanced has spoken-to-Client VPN with the example of setting up authentication GANYMEDE +.
-
Hello world
The vendor name is implemented server in our environment.
We implement VPN site-to-site.
Subnet it is interesting traffic 192.168.50.x
Server IP 192.168.50.1 - Switch1 - ASA - Site to site VPN - provider ASA.
Gateway server is on switch1 if this server requires access to the internet I need to know what config I need on ASA on my site?
I want the server to access the internet through the provider network
Concerning
Mahesh
Hello
Your crypto ACL would be:
ip access-list VPN-TO-VENDOR permit ip 192.168.50.0 255.255.255.0 any
Cryptography providers ACL would be:ip acces-list VPN-TO-COMPANY permit ip any 192.168.50.0 255.255.255.0
All traffic from 192.168.50.0/24 out of the application interface map encryption for any destination would be sent to the seller through the VPN. It will be useful. -
site to site vpn - internal network even on both sides of the tunnel
Hi all
I have the following questions about the Site Site VPN using ASA 5510 and 5505
Scenerio is
1. we have five branches & headquarters
2. we want to establish a vpn between branches & Head Office (VPN from Site to Site)
3. all branches & head office using the same internal network (192.168.150.0 255.255.255.0)
My question is
How can I configure VPN site-to-site between branches & head office with the same internal network (192.168.150.0/24)
Please help me with the configuration steps & explanation
I have experience on setting up vpn site to site between branches with differnet internal network (for example: 192.168.1.0/24 and 192.168.2.0/24)
Waiting for your valuable response
Hello
Here are a few links on policy nat
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008046f31a.shtml#T10
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml
Concerning
-
fall of site to site vpn icmp packets
Hello
I test site to site vpn between ASA and cisco router with GNS3, topology is base the tunnel is up but the question when the remote host ping from both sides it is drops icmp, see router command and ASA do not include droppings. Here is a sample output from ping when I try to remote client ping. any help is appreciated :)
Instant topology is attached, also configs
Thank you
84 bytes from 10.20.20.5 icmp_seq = 59 ttl = 63 times = 79,004 ms
10.20.20.5 icmp_seq = timeout 60
84 bytes from 10.20.20.5 icmp_seq = 61 = ttl 63 times = 70,004 ms
10.20.20.5 icmp_seq = timeout 62
84 bytes from 10.20.20.5 icmp_seq = ttl 63 time = 63 = 59,004 ms
10.20.20.5 icmp_seq = 64 timeout
84 bytes from 10.20.20.5 icmp_seq = 65 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 66
84 bytes from 10.20.20.5 icmp_seq = 67 ttl = 63 times = 59,003 ms
10.20.20.5 icmp_seq = timeout 68
84 bytes from 10.20.20.5 icmp_seq = 69 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 70
84 bytes from 10.20.20.5 icmp_seq = 71 ttl = 63 times = 58,003 ms
10.20.20.5 icmp_seq = timeout 72
84 bytes from 10.20.20.5 icmp_seq = 73 = ttl 63 times = 50,003 ms
10.20.20.5 icmp_seq = timeout 74
84 bytes from 10.20.20.5 icmp_seq = 75 ttl = 63 times = 69,004 ms
10.20.20.5 icmp_seq = timeout 76
84 bytes from 10.20.20.5 icmp_seq = 77 ttl = 63 times = 237,013 ms
10.20.20.5 icmp_seq = timeout 78R1 ipsec crypto #sh her
Interface: FastEthernet0/0
Tag crypto map: map, local addr 100.100.100.2protégé of the vrf: (none)
local ident (addr, mask, prot, port): (10.20.20.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.20.10.0/255.255.255.0/0/0)
current_peer 100.100.100.1 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: 14, #pkts encrypt: 14, #pkts digest: 14
decaps #pkts: 28, #pkts decrypt: 28, #pkts check: 28
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorsciscoasa # sh crypto isakmp stats
Global statistics IKEv1
The active Tunnels: 1
Previous Tunnels: 1
In bytes: 1384
In the packages: 12
In packs of fall: 0
In Notifys: 8
In the constituencies of P2: 0
In P2 invalid Exchange: 0
In P2 Exchange rejects: 0
Requests for removal in his P2: 0
Bytes: 1576
Packet: 13
Fall packages: 0
NOTIFYs out: 16
Exchanges of P2: 1
The Invalides Exchange P2: 0
Exchange of P2 rejects: 0
Requests to remove on P2 Sa: 0
Tunnels of the initiator: 1
Initiator fails: 0
Answering machine fails: 0
Ability system breaks down: 0
AUTH failed: 0
Decrypt failed: 0
Valid hash fails: 0
No failure his: 0Hello
On router R1, you gave the default route as output interface. Instead of using the output interface replace the IP address of the next hop. It will solve the issue of the reduction of ping.
IP route 0.0.0.0 0.0.0.0 FastEthernet0/0
IP route 0.0.0.0 0.0.0.0 100.100.100.1
HTH
"Please note the useful messages and mark the correct answer if it solves the problem."
-
asa himself through site to site vpn access server
Hello
I have problem with access to the servers through site to site vpn to ASA that makes this vpn site-to-site and Clientless VPN enablerd.
Reason why I need it / what I do:
ASA 5510 enabled Clientless VPN and on this Portal allows users to access internal servers through bookmars URL. We use it when someone wouldn't access IPSec VPN or in an internet café. If this user connects to clientless vpn and click on the bookmark to access for example mail server. But there is problem, asa cannot access this server through VPN site-to-site.
Network:
Here's a quick design of my network.
I don't have server access to the problem in the VLAN 159 of VLAN 10, or 100. But I need to be able to access the server in Vlan 159 of ASA 5510, who owns the IP 192.168.1.4.
I have this subnet ASA owned by FRONT-NAT object in the same place that VLAN 10 to 100 are and vpn Site-to-Site profile.
What I makeover or how can I solve it?
Thank you
Clientless VPN when accessing internal servers, it will use the closest to the source of the connection interface and if you connect to via clientless SSL VPN ASA5510 and need access ASA5505 LAN via the site to site VPN, the interface closest to the ASA5510 to ASA5505 LAN is ASA5510 outside interface, therefore, the vpn of site-to-site crypto ACL must match on ASA5510 outside the ip address of the interface.
Here's what you need on each ASA:
ASA5510:
permit same-security-traffic intra-interface
ip 192.168.159.0 external interface allowed access list 255.255.255.0
ASA5505:
ip 192.168.159.0 access list allow 255.255.255.0 host
In addition, also need to add the same ACL for access-list of exemptions on ASA5505 NAT:
ip 192.168.159.0 access list allow 255.255.255.0 host
Hope that helps.
-
connect dynamic auto of site to site VPN
Hi all, I need to configure a site to site vpn (cisco asa and router), but the connection to the remote router must be set to auto.
Can someone help me?
Thank you
All have two IP addresses static or is on a dynamic ip?
Please clarify what you mean by "auto".
-
% 7-ASA-710005: request TCP thrown error in the Client VPN Site to CISCO ASA 5510
Hi friends,
I am trying to built customer to site VPN CISCO ASA 5510 8.4 (4) and get error below when connecting to a cisco VPN client software. Also, I'm below ASA, log. Please help me to reslove.
Error in CISCO VPN Client software:
Secure VPN connection terminated locally by the client.
Reason: 414: unable to establish a TCP connection.
Error in CISCO ASA 5510
7-ASA-710005%: TCP request and eliminated from
49276 outward: 10000 The ASA configuration:
XYZ # sh run
: Saved
:
ASA Version 8.4 (4)
!
hostname XYZ
domain XYZ
activate the password encrypted 3uLkVc9JwRA1/OXb N3
activate the encrypted password of R/x90UjisGVJVlh2
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside_rim
security-level 0
IP 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
full duplex
nameif XYZ_DMZ
security-level 50
IP 172.1.1.1 255.255.255.248
!
interface Ethernet0/2
Speed 100
full duplex
nameif outside
security-level 0
IP address 2.2.2.2 255.255.255.252
!
interface Ethernet0/3
Speed 100
full duplex
nameif inside
security-level 100
IP 3.3.3.3 255.255.255.224
!
interface Management0/0
Shutdown
No nameif
no level of security
no ip address
!
boot system Disk0: / asa844 - k8.bin
passive FTP mode
DNS domain-lookup outside
DNS server-group DefaultDNS
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
Server name xx.xx.xx.xx
domain XYZ
network object obj - 172.17.10.3
Home 172.17.10.3
network object obj - 10.1.134.0
10.1.134.0 subnet 255.255.255.0
network object obj - 208.75.237.0
208.75.237.0 subnet 255.255.255.0
network object obj - 10.7.0.0
10.7.0.0 subnet 255.255.0.0
network object obj - 172.17.2.0
172.17.2.0 subnet 255.255.255.0
network object obj - 172.17.3.0
172.17.3.0 subnet 255.255.255.0
network object obj - 172.19.2.0
172.19.2.0 subnet 255.255.255.0
network object obj - 172.19.3.0
172.19.3.0 subnet 255.255.255.0
network object obj - 172.19.7.0
172.19.7.0 subnet 255.255.255.0
network object obj - 10.1.0.0
10.1.0.0 subnet 255.255.0.0
network object obj - 10.2.0.0
10.2.0.0 subnet 255.255.0.0
network object obj - 10.3.0.0
10.3.0.0 subnet 255.255.0.0
network object obj - 10.4.0.0
10.4.0.0 subnet 255.255.0.0
network object obj - 10.6.0.0
10.6.0.0 subnet 255.255.0.0
network object obj - 10.9.0.0
10.9.0.0 subnet 255.255.0.0
network object obj - 10.11.0.0
10.11.0.0 subnet 255.255.0.0
network object obj - 10.12.0.0
10.12.0.0 subnet 255.255.0.0
network object obj - 172.19.1.0
172.19.1.0 subnet 255.255.255.0
network object obj - 172.21.2.0
172.21.2.0 subnet 255.255.255.0
network object obj - 172.16.2.0
172.16.2.0 subnet 255.255.255.0
network object obj - 10.19.130.201
Home 10.19.130.201
network object obj - 172.30.2.0
172.30.2.0 subnet 255.255.255.0
network object obj - 172.30.3.0
172.30.3.0 subnet 255.255.255.0
network object obj - 172.30.7.0
172.30.7.0 subnet 255.255.255.0
network object obj - 10.10.1.0
10.10.1.0 subnet 255.255.255.0
network object obj - 10.19.130.0
10.19.130.0 subnet 255.255.255.0
network of object obj-XXXXXXXX
host XXXXXXXX
network object obj - 145.248.194.0
145.248.194.0 subnet 255.255.255.0
network object obj - 10.1.134.100
Home 10.1.134.100
network object obj - 10.9.124.100
Home 10.9.124.100
network object obj - 10.1.134.101
Home 10.1.134.101
network object obj - 10.9.124.101
Home 10.9.124.101
network object obj - 10.1.134.102
Home 10.1.134.102
network object obj - 10.9.124.102
Home 10.9.124.102
network object obj - 115.111.99.133
Home 115.111.99.133
network object obj - 10.8.108.0
10.8.108.0 subnet 255.255.255.0
network object obj - 115.111.99.129
Home 115.111.99.129
network object obj - 195.254.159.133
Home 195.254.159.133
network object obj - 195.254.158.136
Home 195.254.158.136
network object obj - 209.164.192.0
subnet 209.164.192.0 255.255.224.0
network object obj - 209.164.208.19
Home 209.164.208.19
network object obj - 209.164.192.126
Home 209.164.192.126
network object obj - 10.8.100.128
subnet 10.8.100.128 255.255.255.128
network object obj - 115.111.99.130
Home 115.111.99.130
network object obj - 10.10.0.0
subnet 10.10.0.0 255.255.0.0
network object obj - 115.111.99.132
Home 115.111.99.132
network object obj - 10.10.1.45
Home 10.10.1.45
network object obj - 10.99.132.0
10.99.132.0 subnet 255.255.255.0
the Serversubnet object-group network
object-network 10.10.1.0 255.255.255.0
network-object 10.10.5.0 255.255.255.192
the XYZ_destinations object-group network
object-network 10.1.0.0 255.255.0.0
object-network 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
object-network 10.12.0.0 255.255.0.0
object-network 172.19.1.0 255.255.255.0
object-network 172.19.2.0 255.255.255.0
object-network 172.19.3.0 255.255.255.0
object-network 172.19.7.0 255.255.255.0
object-network 172.17.2.0 255.255.255.0
object-network 172.17.3.0 255.255.255.0
object-network 172.16.2.0 255.255.255.0
object-network 172.16.3.0 255.255.255.0
host of the object-Network 10.50.2.206
the XYZ_us_admin object-group network
network-object 10.3.1.245 255.255.255.255
network-object 10.5.33.7 255.255.255.255
network-object 10.211.5.7 255.255.255.255
network-object 10.3.33.7 255.255.255.255
network-object 10.211.3.7 255.255.255.255
the XYZ_blr_networkdevices object-group network
object-network 10.200.10.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 145.248.194.0 255.255.255.0
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.21
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host 172.16.2.22
access list XYZ extended ip 10.19.130.0 allow 255.255.255.0 host XXXXXXXX
Access extensive list ip 10.19.130.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.159.133
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 195.254.158.136
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 any
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 209.164.192.0 255.255.224.0
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.208.19
Access extensive list ip 10.1.134.0 XYZ_PAT allow 255.255.255.0 host 209.164.192.126
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 208.75.237.0 255.255.255.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.7.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.17.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.2.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.3.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.7.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.1.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.3.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.4.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.6.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.9.0.0 255.255.0.0
Allow Access-list extended sheep 255.255.255.0 10.1.134.0 IP 10.11.0.0 255.255.0.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 10.12.0.0 255.255.0.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.19.1.0 255.255.255.0
IP 10.1.134.0 allow Access-list extended sheep 255.255.255.0 172.21.2.0 255.255.255.0
10.1.134.0 IP Access-list extended sheep 255.255.255.0 allow 172.16.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
access-list extended sheep allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
access-list extended sheep allowed ip object-group Serversubnet-group of objects XYZ_destinations
10.10.1.0 IP Access-list extended sheep 255.255.255.0 allow 10.2.0.0 255.255.0.0
10.19.130.0 IP Access-list extended sheep 255.255.255.0 allow host XXXXXXXX
IP 10.19.130.0 allow Access-list extended sheep 255.255.255.0 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.108.0 Guest_PAT allow 255.255.255.0 any
CACIB list extended access permitted ip 10.8.100.128 255.255.255.128 145.248.194.0 255.255.255.0
Access extensive list ip 10.8.100.128 Cacib_PAT allow 255.255.255.128 all
Access extensive list ip 10.1.134.0 New_Edge allow 255.255.255.0 208.75.237.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.7.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.7.0.0 255.255.0.0
Access extensive list ip 172.17.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.17.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.3.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.7.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.2.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.3.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.4.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list 10.6.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 10.9.0.0 XYZ_global allow 255.255.0.0 10.1.134.0 255.255.255.0
Allow XYZ_global to access extended list ip 10.11.0.0 255.255.0.0 10.1.134.0 255.255.255.0
Access extensive list 10.12.0.0 ip XYZ_global 255.255.0.0 allow 10.1.134.0 255.255.255.0
Access extensive list ip 172.19.1.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 172.21.2.0 XYZ_global allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.17.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.2.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.3.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.7.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.1.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.2.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.3.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.4.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.6.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.9.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.11.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 10.12.0.0 255.255.0.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.19.1.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.21.2.0 255.255.255.0
XYZ_global to access extended list ip 172.16.2.0 allow 255.255.255.0 10.1.134.0 255.255.255.0
Access extensive list ip 10.1.134.0 XYZ_global allow 255.255.255.0 172.16.2.0 255.255.255.0
Access extensive list ip 172.30.2.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.2.0 255.255.255.0
Access extensive list ip 172.30.3.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.3.0 255.255.255.0
Access extensive list ip 172.30.7.0 XYZ_global allow 255.255.255.0 host 10.19.130.201
XYZ_global list extended access allowed host ip 10.19.130.201 172.30.7.0 255.255.255.0
XYZ_global list extended access permitted ip object-group Serversubnet-group of objects XYZ_destinations
XYZ_global list extended access permitted ip object-group XYZ_destinations-group of objects Serversubnet
ML_VPN list extended access allowed host ip 115.111.99.129 209.164.192.0 255.255.224.0
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.208.19
permit access list extended ip host 115.111.99.129 ML_VPN 209.164.192.126
permit access list extended ip host 10.9.124.100 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.101 Da_VPN 10.125.81.88
permit access list extended ip host 10.9.124.102 Da_VPN 10.125.81.88
Da_VPN list extended access allowed host ip 10.9.124.100 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.101 10.125.81.0 255.255.255.0
Da_VPN list extended access allowed host ip 10.9.124.102 10.125.81.0 255.255.255.0
Sr_PAT to access extended list ip 10.10.0.0 allow 255.255.0.0 any
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.100 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.100 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.101 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.101 Da_Pd_VPN 10.125.86.46
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.80.64 255.255.255.192
Da_Pd_VPN list extended access allowed host ip 10.9.124.102 10.125.64.0 255.255.240.0
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.85.46
permit access list extended ip host 10.9.124.102 Da_Pd_VPN 10.125.86.46
Access extensive list ip 10.19.130.0 XYZ_reliance allow 255.255.255.0 145.248.194.0 255.255.255.0
access-list coextended permit ip host 2.2.2.2 XXXXXXXX
access-list coextended allow the host ip XXXXXXXXhost 2.2.2.2
permitted this access list extended ip 10.1.134.0 255.255.255.0 208.75.237.0 255.255.255.0
permitted this access list extended ip 208.75.237.0 255.255.255.0 10.1.134.0 255.255.255.0
access list acl-outside extended permit ip host 57.66.81.159 172.17.10.3
access list acl-outside extended permit ip host 80.169.223.179 172.17.10.3
access list acl-outside scope permit ip any host 172.17.10.3
access list acl-outside extended permitted tcp any host 10.10.1.45 eq https
access list acl-outside extended permit tcp any any eq 10000
access list acl-outside extended deny ip any any newspaper
pager lines 10
Enable logging
debug logging in buffered memory
outside_rim MTU 1500
MTU 1500 XYZ_DMZ
Outside 1500 MTU
Within 1500 MTU
IP pool local XYZ_c2s_vpn_pool 172.30.10.51 - 172.30.10.254
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow all outside
ICMP allow any inside
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 208.75.237.0 obj - 208.75.237.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.7.0.0 obj - 10.7.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.2.0 obj - 172.17.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.17.3.0 obj - 172.17.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.2.0 obj - 172.19.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.3.0 obj - 172.19.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.7.0 obj - 172.19.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.1.0.0 obj - 10.1.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.3.0.0 obj - 10.3.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.4.0.0 obj - 10.4.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.6.0.0 obj - 10.6.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.9.0.0 obj - 10.9.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.11.0.0 obj - 10.11.0.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 10.12.0.0 obj - 10.12.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.19.1.0 obj - 172.19.1.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.21.2.0 obj - 172.21.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.1.134.0 obj - 10.1.134.0 destination static obj - 172.16.2.0 obj - 172.16.2.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.2.0 obj - 172.30.2.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.3.0 obj - 172.30.3.0 no-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.201 obj - 10.19.130.201 destination static obj - 172.30.7.0 obj - 172.30.7.0 no-proxy-arp-search to itinerary
NAT (inside, all) static source Serversubnet Serversubnet XYZ_destinations XYZ_destinations non-proxy-arp-search of route static destination
NAT (inside, all) source static obj - 10.10.1.0 obj - 10.10.1.0 destination static obj - 10.2.0.0 obj - 10.2.0.0 non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj-XXXXXXXX XXXXXXXX - obj non-proxy-arp-search to itinerary
NAT (inside, all) source static obj - 10.19.130.0 obj - 10.19.130.0 destination static obj - 145.248.194.0 obj - 145.248.194.0 no-proxy-arp-search to itinerary
NAT source (indoor, outdoor), obj static obj - 10.1.134.100 - 10.9.124.100
NAT source (indoor, outdoor), obj static obj - 10.1.134.101 - 10.9.124.101
NAT source (indoor, outdoor), obj static obj - 10.1.134.102 - 10.9.124.102
NAT interface dynamic obj - 10.8.108.0 source (indoor, outdoor)
NAT (inside, outside) source dynamic obj - 10.19.130.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.159.133 obj - 195.254.159.133
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 195.254.158.136 obj - 195.254.158.136
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.0 obj - 209.164.192.0
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.208.19 obj - 209.164.208.19
NAT (inside, outside) source dynamic obj - 10.1.134.0 obj - 115.111.99.129 destination static obj - 209.164.192.126 obj - 209.164.192.126
NAT (inside, outside) source dynamic obj - 10.8.100.128 obj - 115.111.99.130
NAT (inside, outside) source dynamic obj - 10.10.0.0 obj - 115.111.99.132
NAT source (indoor, outdoor), obj static obj - 10.10.1.45 - 115.111.99.133
NAT (inside, outside) source dynamic obj - 10.99.132.0 obj - 115.111.99.129
!
network object obj - 172.17.10.3
NAT (XYZ_DMZ, outside) static 115.111.99.134
Access-group acl-outside in external interface
Route outside 0.0.0.0 0.0.0.0 115.111.23.129 1
Route outside 0.0.0.0 0.0.0.0 115.254.127.130 10
Route inside 10.10.0.0 255.255.0.0 10.8.100.1 1
Route inside 10.10.1.0 255.255.255.0 10.8.100.1 1
Route inside 10.10.5.0 255.255.255.192 10.8.100.1 1
Route inside 10.8.100.128 255.255.255.128 10.8.100.1 1
Route inside 10.8.108.0 255.255.255.0 10.8.100.1 1
Route inside 10.19.130.0 255.255.255.0 10.8.100.1 1
Route inside 10.99.4.0 255.255.255.0 10.99.130.254 1
Route inside 10.99.132.0 255.255.255.0 10.8.100.1 1
Route inside 10.1.134.0 255.255.255.0 10.8.100.1 1
Route outside 208.75.237.0 255.255.255.0 115.111.23.129 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication LOCAL telnet console
LOCAL AAA authorization command
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn2
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn6
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn5
Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac vpn7
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn4
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn1
Crypto ipsec transform-set esp-aes-256 ikev1, esp-sha-hmac vpn_reliance
Crypto ipsec transform-set esp-3des esp-md5-hmac ikev1 c2s_vpn
86400 seconds, duration of life crypto ipsec security association
Crypto-map dynamic dyn1 ikev1 transform-set c2s_vpn 1 set
Crypto-map dynamic dyn1 1jeu reverse-road
card crypto vpn 1 corresponds to the address XYZ
card 1 set of peer XYZ Peer IP vpn crypto
1 set transform-set vpn1 ikev1 vpn crypto card
card crypto vpn 1 lifetime of security set association, 3600 seconds
card crypto vpn 1 set security-association life kilobytes 4608000
correspondence vpn crypto card address 2 DON'T
2 peer NE_Peer IP vpn crypto card game
2 set transform-set vpn2 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 2 set security-association
card crypto vpn 2 set security-association life kilobytes 4608000
card crypto vpn 4 corresponds to the address ML_VPN
card crypto vpn 4 set pfs
vpn crypto card game 4 peers ML_Peer IP
4 set transform-set vpn4 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 4 set - the security association
card crypto vpn 4 set security-association life kilobytes 4608000
vpn crypto card 5 corresponds to the address XYZ_global
vpn crypto card game 5 peers XYZ_globa_Peer IP
5 set transform-set vpn5 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 5 set - the security association
card 5 security-association life set vpn crypto kilobytes 4608000
vpn crypto card 6 corresponds to the address Da_VPN
vpn crypto card game 6 peers Da_VPN_Peer IP
6 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 6 set - the security association
card crypto vpn 6 set security-association life kilobytes 4608000
vpn crypto card 7 corresponds to the address Da_Pd_VPN
7 peer Da_Pd_VPN_Peer IP vpn crypto card game
7 set transform-set vpn6 ikev1 vpn crypto card
3600 seconds, duration of life card crypto vpn 7 set - the security association
card crypto vpn 7 set security-association life kilobytes 4608000
vpn outside crypto map interface
crypto map vpn_reliance 1 corresponds to the address XYZ_rim
card crypto vpn_reliance 1 set of peer XYZ_rim_Peer IP
card crypto 1 ikev1 transform-set vpn_reliance set vpn_reliance
vpn_reliance card crypto 1 lifetime of security set association, 3600 seconds
card crypto vpn_reliance 1 set security-association life kilobytes 4608000
card crypto vpn_reliance interface outside_rim
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
crypto isakmp identity address
No encryption isakmp nat-traversal
Crypto ikev1 enable outside_rim
Crypto ikev1 allow outside
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800
IKEv1 crypto policy 2
preshared authentication
aes-256 encryption
sha hash
Group 5
life 86400
IKEv1 crypto policy 4
preshared authentication
aes-256 encryption
sha hash
Group 5
life 28000
IKEv1 crypto policy 5
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
preshared authentication
3des encryption
sha hash
Group 2
life 43200
IKEv1 crypto policy 65535
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet 10.8.100.0 255.255.255.224 inside
Telnet timeout 5
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
internal XYZ_c2s_vpn group strategy
username testadmin encrypted password oFJjANE3QKoA206w
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXXtype ipsec-l2l
tunnel-group XXXXXXXXipsec-attributes
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group ipsec-attributes XXXXXXXX
IKEv1 pre-shared-key *.
type tunnel-group XYZ_c2s_vpn remote access
attributes global-tunnel-group XYZ_c2s_vpn
address pool XYZ_c2s_vpn_pool
IPSec-attributes tunnel-group XYZ_c2s_vpn
IKEv1 pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the netbios
inspect the rsh
inspect the rtsp
inspect the skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect the sip
inspect xdmcp
inspect the icmp
Review the ip options
!
global service-policy global_policy
level 3 privilege see the running-config command exec mode
logging of orders privilege see the level 3 exec mode
privilege see the level 3 exec mode command crypto
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:caa7476cd348ed89b95d37d4e3c9e1d8
: endXYZ #.
Good news
Follow these steps:
network object obj - 172.30.10.0_24
172.30.10.0 subnet 255.255.255.0
!
the LOCAL_NETWORKS_VPN object-group network
object-network 1.1.1.0 255.255.255.0
!
NAT (inside, outside) 1 static source LOCAL_NETWORKS_VPN destination LOCAL_NETWORKS_VPN static obj - 172.30.10.0_24 obj - 172.30.10.0_24 - route search
* Where 1.1.1.0/24 is the internal network that you want to reach through the tunnel.
Keep me posted.
Thank you.
Please note all messages that will be useful.
-
I set up a site to Site VPN using ASA 5505, but when I submit the order
"sh crypto ipsec his ' it says 'there are no ipsec security associations.
I have attached the configurations.
Hello
I saw you nat nat of entry (inside) 2-list of access limenat, would you change to, nat (inside) 0-list of access limenat. See which make all the difference.
Do you want to take a capture of packets when the remote IP address ping?
course list (Local subnet) host (remote subnet) host allowed access
Cap list of allowed access host host (remote subnet) (Local subnet)
Course access-list in hidden inside
Show Cap Hat
Now you can see the list of access capture
Debug crypto isakmp 200
Debug crypto ipsec 200
-
question links to site 2 site VPN with authentication cert
Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?
Thank you very much!
Hello
You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".
Please pass a note and mark as he corrected the post helpful!
David Castro,
Kind regards
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses
Just an example:
N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)
The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)
Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so went with the old format of NAT configuration
It seems to me that you could do the following:
- Configure the ASA1 with static NAT strategy
- access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
- Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
- If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
- ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
- the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
- NAT (inside) 0-list of access to the INTERIOR-SHEEP
- You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
- ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration to work tomorrow but I would like to know if it works.
Please rate if this was helpful
-Jouni
- Configure the ASA1 with static NAT strategy
Maybe you are looking for
-
Re: Unable to activate WLAN on Satellite C660
Hello My laptop model is "Satellite C660 psc0se" and I installed a * "windows 8 Cp" * " Everything is good, but the Wi - Fi is 'off' and when I try to run through the active buttons does not work? What is necessary to work, what is the driver to inst
-
HP keyboard model: KU-0841 with speed of typing issues
I have the same problems as a number if the desire X 2 users have in what I type so fast as the characters are jumbled. I recall, I used to be able to adjust the speed of response between my fingers and I have the keys could type faster - or maybe I
-
I received this email yesterday and it me freaked out - don't know if its true or not... PLEASE LET ME KNOW! Dear Member, Account alert Because of congestion in our Hotmail servers, there will be removal of all unused Hotmail accounts. You will n
-
Y at - it an easy way to have a version number that the code VI has access to, and which is used as the version number for the executable file and the installer builds? Now whenever I update my software I need to change the global variable where I st
-
I would like to receive comments about the downgrade from Windows 7 to Windows XP.
I recently asked HP (ny new computer mfgr) if they would replace 7 with XP. They sent me a new HP XP Professional x 64 edition recovery disk for free. Before installing it but I would like to ask if there is a history of problems caused by such a rep