Select Cisco ASA to replace Palo Alto PA 500

Hello world

Pls suggest a Cisco ASA (equivalent or superior) 5500 series to replace the PA500. Thank you

Palo Alto PA500

Firewall of 250 Mbit/s throughput (App - ID¹active)
100 Mbps threat prevention throughput
50 VPN IPSec Mbps throughput
64 000 max sessions
7 500 new sessions per second
Tunnels/tunnel VPN IPSec 250 interfaces
100 users, SSL VPN
3 virtual routers
Virtual systems (basic/max) N/A
20 security zones
1 000 maximum policies

Hi you can opt for the Asa 5510 or Asa 5520 two of them correspond to your needs. Here is a link to their characteristics http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-serie... Aditya cordially

Tags: Cisco Support

Similar Questions

Equivalent of Palo Alto Cisco ASA packet - trace

Hi all

Does anyone know if the 3020 Palo Alto boxes have a feature equivalent to the ASA Cisco Packet-trace?

Thank you very much

I used the cli command "test security-policy-match" that identifies the specific policy rule corresponds to a pair of source and destination traffic counter. You must ensure that you specify all of the fields (area, src/dst network, Protocol and ports.

L2l vpn with Firewall Palo Alto

I'm setting up a tunnel of l2l with a firewall of palo alto and evil. It is a fairly simple installation, we are traffic encryption public to the public for download of the side sftp asa. Here are the parts relevant to the config and various outputs... Remote admin side asserts that the phase 1 pass and we have a timeout of waiting for phase 2. Any help would be appreciated.

1.1.1.1 (customer2 destination address)
1.1.1.2 (customer2 vpn gateway)
2.2.2.0 (space local public ip)

description of CustomerVPN2 name 1.1.1.1 customer VPN2

Inside_nat0_outbound to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2
Outside_4_cryptomap to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2

card crypto Outside_map 4 corresponds to the address Outside_4_cryptomap
crypto map Outside_map 4 set type of connection are created only
card crypto Outside_map 4 set peer 1.1.1.2
card crypto Outside_map 4 the value transform-set ESP-AES-256-SHA

crypto ISAKMP policy 50
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

tunnel-group 1.1.1.2 type ipsec-l2l
1.1.1.2 tunnel-group ipsec-attributes
pre-shared-key *.

SH crypto isakmp (reviews listed as type: user)

8 peer IKE: 1.1.1.2
Type: user role: initiator
Generate a new key: no State: MM_WAIT_MSG2

Debug crypto ipsec (looks like he's trying all cryptographic cards except one)

IPSec (crypto_map_check): crypto Outside_map 1 hole card no match for ACL Outside_1_cryptomap.

IPSec (crypto_map_check): card crypto Outside_map 2 do not match for ACL Outside_2_cryptomap hole.

IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL Outside_3_cryptomap.

IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL OO_temp_Outside_map3.

and finally.

03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, removing counterpart peer table faile
d, no match!
03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, error: cannot delete PeerTblEntr

Hey Evo,

You asa public interface is the same as the public ip address that you are trying to encrypt?

I think you need to create a Nat policy that can be a private ip address as well and then use it as your side of interesting traffic, because the Admin in Palo Alto is right about the vpn route accordingly.

Here are some links for policy based Nat & paloalto side vpn screenshots and explanations.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

http://www.danielelonghi.com/wp-content/uploads/2011/05/Howto-create-VPN-connection-between-JUNOS-and-paloalto.PDF

http://netsecinfo.blogspot.com/2008/02/route-based-VPNs-explained.html

Manish

Cisco ASA 55xx. Backup/restore an external certificate signed with ASDM

I have a Cisco ASA 5510, which is used for our VPN. It has an externally signed certs from Digicert. I replace the 5510 with a Cisco 5545 and wondered with ASDM can I save the cert of the 5510 and give the 5545. Or should I get an another reissued certs from Digicert and install from scratch. Is there something to look out for that set games with public/private keys, etc. Please let me know.

You guessed it right, Edwin

As long as you want just to maintain the certificate configuration, it is what you need to.
Make sure that you install the root and root under new ASA certificate as well as one can extract this PKCS12 certificate.

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

VLANS with Cisco ASA 5505 and non-Cisco switch

I have an ASA5505 and a switch Netgear GSM7224 L2 that I try to use together. I can't grasp how VLANs (or at least how they should be put in place). When configuring my VLAN on the ASA5505 it seems simple enough, but then on my switch, I thought I'd create just the same VLAN numbers that I used on the SAA and then add the ports that I wanted to use for each VLAN.

Currently on my ASA, I have the following VLAN configured...

outside - vlan11 - Port 0/0

inside - vlan1 - Port 0/1

dmz_ftp - vlan21 - Port 0/2

Port of Corp - vlan31 - 0/3

I need to do the same thing on my switch as well... On my way, I'm a little confused as to how I need to configure the VLAN. Below is the screenshot of web GUI...

Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings.

Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1. I'm not sure how to in one place to tell my inner vlan (vlan1).

I want VLAN1 ports 1-8 on my Netgear switch used alone to talk to interface/0/1 on the ASA5505 port. I don't want to NOT port 9-24 able to talk to ports 1-8 on the Netgear switch ports OR 0/0, 0/2 - 0 / 7 on the Cisco ASA 5505.

So, how can I configure my inner Vlan1 on ports 1-8 on the switch? Do mark, UNTAG, autodetect them? What about tours? I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go. Is this the wrong logic?

Hi Arvo,

If the port of the ASA is just part of a single VLAN (i.e. e0/0 single door 11 VLAN), this is called an access port. If the port of the ASA had to carry several VLANs, it would constitute a Trunk port.

To access ports (VLAN unique), you must set the switch corresponding to be unidentified for port this VLAN individual. If you decide to configure a trunk port, then the port of the switch must be set for labelling for each of VLAN who win the trunk.

For example, ASA I have:
```
interface Ethernet0/1
switchport access vlan 20
!
interface Vlan20
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
```
With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the SAA is connected to 0/1 on the switch):
```
VLAN 20 - 0/1 = untagged
```
If instead you use a trunk port, the config would look like this:
```
interface Ethernet0/0
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Vlan10
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan20
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
```
Assuming that the ASA e0/0 port is connected to 0/1 on the switch):
```
VLAN 10 - 0/1 = tagged
VLAN 20 - 0/1 = tagged
```
Hope that helps.

-Mike

Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups. It works, but it works too well.

We have a group called XXX we need to have access to the Cisco AnyConnect Client. We have selected this group of our Active Directory and added to our ACS configuration. We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

We added XXX movies for the elements of the policy of access to the network-> authorization profiles. We also have a profile of YYY.

She continues to knock on our default Service rule that says allow all.

We have also created a default network access rule. for this.

I am at a loss. I'm sure I missed a checkbox or something.

Any help would be really appreciated.

Dwane

We use Protocol Management GANYMEDE ASA and Ray for VPN access?

For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

On the SAA, you must configure Ganymede and Ray both as a server group.

For the administration, you can set Ganymede as an external authentication under orders aaa Server

AAA-server protocol Ganymede GANYMEDE +.

Console HTTP authentication AAA GANYMEDE

Console Telnet AAA authentication RADIUS LOCAL

authentication AAA ssh console LOCAL GANYMEDE

Console to enable AAA authentication RADIUS LOCAL

For VPN, you must set the authentication radius under the tunnel-group.

I hope this helps.

Kind regards

Jousset

The rate of useful messages-

What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

Hi all

Can you please tell me which replace the VPN I can configure PPTP on ASA 5520 firewall. What VPN work as a PPTP vpn firewall CISCO-ASA-5520.

You can use the wizard VPN of RA with ASDM and confiugre L2TP IPSEC VPN that does not need a VPN Client must be installed.

Michael

Please note all useful posts

Cisco ASA 55XX Transparent mode through a VLAN

Hello team Cisco Forum!

In a scenario where the Cisco ASA is in Transparent mode, it is possible to route the traffic of L2 other VLAN different that the VLAN native IP for the firewall management lies?

Switches on the outside and the inside of the interfaces of the SAA are in trunk mode, and I'm moving ttraffic VLAN L2 from inside to outside and vice versa by using filters on switches (switchport trunk allowed vlan).

Thank you in advanced for your support and comments!

Yes it is possible, but you will be limited to 8 VLAN, or more precisely, 8 interfaces BVI so it's not a scalable solution. The problem is that you will need to have different VLANS to the same subnet at both ends of the SAA.

To clarify this point, lets say, you use the interface Gig0/1 and Gig0/2. Gig0/1, you would set up subinterfaces with VLAN 2, 3 and 4. Now, if you try to configure the same VLAN on Gig0/2, you will get an error saying something like this VLAN is already configured on another interface. I don't remember the exact error.

So to get this working, you need to configure Gig0/2 with subinterfaces for VLAN... lets say... 5, 6 and 7. you would then associate VLAN 2 and 5 with BVI 1, VLAN 3 and 6 with 2 Virgin Islands British and VLAN 4 and 7 with 3 British Virgin Islands. Each interface BVI would have its own IP address for the subnet on which is to be filled in all of the ASA.

--

Please do not forget to select a correct answer and rate useful posts

How to configure ASDM Cisco ASA 5505

I have a Cisco ASA 5505 firewall, and currently it is a command-line firewall. I want to configure ASDM so that I can use it as a Web based GUI interface.

I don't really know what to do. Can someone help me please how I can configure ASDM on my firewall.

Kind regards

Naushad Khan

Hi Naushad,

First of all, must load the image ASSDM on SAA and then use the command:

ASDM image dosk0: / asdm645.bin (if the image name is asdm645.bin)

then:

Enable http server

http 10.0.0.0 255.0.0.0 inside (if your machine is 10.0.0.0 subnet behind inside the inetrafce)

Go to the machine, open a browser and type:

https://

It will open the GUI.

Thank you

Varun

Please evaluate the useful messages.

Cisco ASA 5500 Series 4-Port GE SSM

Currently, we have 2 asa 5510 firewall and need to add the

Cisco ASA 5500 Series 4 - Port GE SSM extension module. Can it be added when the device is turned on and running or the firewall must be turned off to install the plug-in?

Hello

You could try to ask this question of the team of firewall, as this page from the community for the physical security and video surveillance. The team of firewall is located here:

https://supportforums.Cisco.com/community/NetPro/security/firewall

CSCux29978 - Cisco ASA IKEv1 and IKEv2 buffer overrun vulnerability - 1

Hello

im confused. In the Advisory secruity on this bug https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci...

He said not "affected" in the line of the main version of ASA 9.1. 9.1 is so affected by this bug and we need to upgrade to 9.1. (7) or not?

regarding

Christian

Hi Christian,

According to the chart, the only version not affected is code 8.5 9.1 code, you must update to 9.1.7 to be safe from this vulnerability.

Cisco ASA Major Release	First version fixed
7.2¹	Affected; migrate to 9.1 (7) or later version
8.2¹	Affected; migrate to 9.1 (7) or later version
8.3¹	Affected; migrate to 9.1 (7) or later version
8.4	8.4 (7.30)
8.5¹	Not affected
8.6¹	Affected; migrate to 9.1 (7) or later version
8.7	8.7 (1.18)
9.0	9.0 (4.38)
9.1	9.1 (7)
9.2	9.2 (4.5)
9.3	9.3 (3.7)
9.4	9.4 (2.4)
9.5	9.5 (2.2)

It may be useful

-Randy-

Cisco asa active multiple interfaces on a single switch without configuration of vlan switch.

I was wondering if there is a work around on cisco asa to have 2 interfaces vlan on a switch. The reason I ask I have a cisco asa 5505 and a dell switch that does not support the configuration of VLANs. I set up 2 interface vlan on a cisco asa and when two interfaces are active my internet drops frequently. I was wondering if there is nothing to configure the asa cisco to make this thing work. Thanks in advance...

Assuming that Dell switch at least linking several interfaces of the ASA to the Dell should translate all media spanning tree protocols, but a bet covering the tree blocking State to avoid a tree covering loop.

If the Dell does not support tree covering weight then you would be in very bad shape each broadcast packet would be will loop indefinitely and cause what we call a 'broadcast storm. "

One way is not good and the other real harm.

Cisco ASA Cisco 831 routing static. help with ACL, maybe?

Hi all

What should be a simple task turns out to be difficult and I really need help.

The Cisco ASA obviously isn't a strong point on mine and could do with a point in the right direction. I hope that this will allow me to learn more about the ASA 5505.

OK so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 DHCP of my cable modem.

I have a cisco 831 Ethernet router that will sit between my main LAN and my LAN test I want to implement for multicasting. the Cisco 831 has 1 Ethernet as 192.168.254.254 and Ethernet 0 is 10.1.1.1.

The ASA I have an interior route 10.0.0.0 255.0.0.0 192.168.254.254.

On the Cisco 831, there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via Cisco 831 to the ASA 5505 and internet, for example I can ping 8.8.8.8 and access everything on my main local network, but the other wan of any host inside the ASA 5505 is unable to ping anything on 10.1.1.x.

Where I'm going wrong? I did all my access to my a whole ASA, but it is still unable to do anything.

I will attached my configs with deleted passwords here and would like a good kick in the right direction. Without a doubt, it's something simple I'm missing and I'm sure it's with the ACL on the ASA 5505 like the packet tracer said that the package is abandoned due to the ACL

Thank you. :)

Thus, all traffic between these two LANs will travel on ASA, on the same interface.
Then please add this command in the global configuration of the ASA:
permit same-security-traffic intra-interface

Cisco ASA 5505 VPN Site to Site

Hi all

First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

I'd appreciate any help that can be directed to this problem please. Slowly losing my mind

Please see details below:

Two ADMS are 7.1

IOS

ASA 1

Nadia

:

ASA Version 9.0 (1)

!

hostname PAYBACK

activate the encrypted password of HSMurh79NVmatjY0

volatile xlate deny tcp any4 any4

volatile xlate deny tcp any4 any6

volatile xlate deny tcp any6 any4

volatile xlate deny tcp any6 any6

volatile xlate deny udp any4 any4 eq field

volatile xlate deny udp any4 any6 eq field

volatile xlate deny udp any6 any4 eq field

volatile xlate deny udp any6 any6 eq field

2KFQnbNIdI.2KYOU encrypted passwd

names of

local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

link Trunk Description of SW1

switchport trunk allowed vlan 1,10,20,30,40

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan2

nameif outside

security-level 0

IP 92.51.193.158 255.255.255.252

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan20

nameif servers

security-level 100

address 192.168.20.1 255.255.255.0

!

Vlan30 interface

nameif printers

security-level 100

192.168.30.1 IP address 255.255.255.0

!

interface Vlan40

nameif wireless

security-level 100

192.168.40.1 IP address 255.255.255.0

!

connection line banner welcome to the Payback loyalty systems

boot system Disk0: / asa901 - k8.bin

passive FTP mode

summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

domain-lookup DNS servers

DNS lookup domain printers

DNS domain-lookup wireless

DNS server-group DefaultDNS

Server name 83.147.160.2

Server name 83.147.160.130

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

ftp_server network object

network of the Internal_Report_Server object

Home 192.168.20.21

Description address internal automated report server

network of the Report_Server object

Home 89.234.126.9

Description of server automated reports

service object RDP

service destination tcp 3389 eq

Description RDP to the server

network of the Host_QA_Server object

Home 89.234.126.10

Description QA host external address

network of the Internal_Host_QA object

Home 192.168.20.22

host of computer virtual Description for QA

network of the Internal_QA_Web_Server object

Home 192.168.20.23

Description Web Server in the QA environment

network of the Web_Server_QA_VM object

Home 89.234.126.11

Server Web Description in the QA environment

service object SQL_Server

destination eq 1433 tcp service

network of the Demo_Server object

Home 89.234.126.12

Description server set up for the product demo

network of the Internal_Demo_Server object

Home 192.168.20.24

Internal description of the demo server IP address

network of the NETWORK_OBJ_192.168.20.0_24 object

subnet 192.168.20.0 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_26 object

255.255.255.192 subnet 192.168.50.0

network of the NETWORK_OBJ_192.168.0.0_16 object

Subnet 192.168.0.0 255.255.0.0

service object MSSQL

destination eq 1434 tcp service

MSSQL port description

VPN network object

192.168.50.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_24 object

192.168.50.0 subnet 255.255.255.0

service object TS

tcp destination eq 4400 service

service of the TS_Return object

tcp source eq 4400 service

network of the External_QA_3 object

Home 89.234.126.13

network of the Internal_QA_3 object

Home 192.168.20.25

network of the Dev_WebServer object

Home 192.168.20.27

network of the External_Dev_Web object

Home 89.234.126.14

network of the CIX_Subnet object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_84.39.233.50 object

Home 84.39.233.50

network of the NETWORK_OBJ_92.51.193.158 object

Home 92.51.193.158

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

the tcp destination eq ftp service object

the purpose of the tcp destination eq netbios-ssn service

the purpose of the tcp destination eq smtp service

service-object TS

the Payback_Internal object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

object-group service DM_INLINE_SERVICE_3

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

service-object TS

service-object, object TS_Return

object-group service DM_INLINE_SERVICE_4

service-object RDP

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

object-group service DM_INLINE_SERVICE_5

purpose purpose of the MSSQL service

service-object RDP

service-object TS

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service DM_INLINE_SERVICE_6

service-object TS

service-object, object TS_Return

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

Note to outside_access_in to access list that this rule allows Internet the interal server.

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-list of FTP access

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list of SMTP access

Note to outside_access_in to access list Net Bios

Comment from outside_access_in-SQL access list

Comment from outside_access_in-list to access TS - 4400

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

access host access-list outside_access_in note rule internal QA

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

Notice on the outside_access_in of the access-list access to the internal Web server:

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

Note to outside_access_in to access list rule allowing access to the demo server

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list to access MSSQL

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

Note to outside_access_in access to the development Web server access list

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

Enable logging

information recording console

asdm of logging of information

address record

[email protected] / * /.

the journaling recipient

[email protected] / * /.

level alerts

Outside 1500 MTU

Within 1500 MTU

MTU 1500 servers

MTU 1500 printers

MTU 1500 wireless

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-711 - 52.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (wireless, outdoors) source Dynamics one interface

NAT (servers, outside) no matter what source dynamic interface

NAT (servers, external) static source Internal_Report_Server Report_Server

NAT (servers, external) static source Internal_Host_QA Host_QA_Server

NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

NAT (servers, external) static source Internal_Demo_Server Demo_Server

NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

NAT (servers, external) static source Internal_QA_3 External_QA_3

NAT (servers, external) static source Dev_WebServer External_Dev_Web

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0

dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

ASA 2

ASA Version 9.0 (1)

!

Payback-CIX hostname

activate the encrypted password of HSMurh79NVmatjY0

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

Description this port connects to the local network VIRTUAL 100

switchport access vlan 100

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 100

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan2

nameif outside

security-level 0

IP 84.39.233.50 255.255.255.240

!

interface Vlan100

nameif inside

security-level 100

IP 192.168.100.1 address 255.255.255.0

!

banner welcome to Payback loyalty - CIX connection line

passive FTP mode

summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

DNS server-group defaultDNS

Name-Server 8.8.8.8

Server name 8.8.4.4

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the host-CIX-1 object

host 192.168.100.2

Description This is the VM server host machine

network object host-External_CIX-1

Home 84.39.233.51

Description This is the external IP address of the server the server VM host

service object RDP

source between 1-65535 destination eq 3389 tcp service

network of the Payback_Office object

Home 92.51.193.158

service object MSQL

destination eq 1433 tcp service

network of the Development_OLTP object

Home 192.168.100.10

Description for Eiresoft VM

network of the External_Development_OLTP object

Home 84.39.233.52

Description This is the external IP address for the virtual machine for Eiresoft

network of the Eiresoft object

Home 146.66.160.70

Contractor s/n description

network of the External_TMC_Web object

Home 84.39.233.53

Description Public address to the TMC Web server

network of the TMC_Webserver object

Home 192.168.100.19

Internal description address TMC Webserver

network of the External_TMC_OLTP object

Home 84.39.233.54

External targets OLTP IP description

network of the TMC_OLTP object

Home 192.168.100.18

description of the interal target IP address

network of the External_OLTP_Failover object

Home 84.39.233.55

IP failover of the OLTP Public description

network of the OLTP_Failover object

Home 192.168.100.60

Server failover OLTP description

network of the servers object

subnet 192.168.20.0 255.255.255.0

being Wired network

192.168.10.0 subnet 255.255.255.0

the subject wireless network

192.168.40.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the Eiresoft_2nd object

Home 137.117.217.29

Description 2nd Eiresoft IP

network of the Dev_Test_Webserver object

Home 192.168.100.12

Description address internal to the Test Server Web Dev

network of the External_Dev_Test_Webserver object

Home 84.39.233.56

Description This is the PB Dev Test Webserver

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_2

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_3

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_4

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_5

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_6

service-object MSQL

service-object RDP

the Payback_Intrernal object-group network

object-network servers

Wired network-object

wireless network object

object-group service DM_INLINE_SERVICE_7

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_8

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_9

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_10

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_11

service-object RDP

the tcp destination eq ftp service object

outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

Note to access list OLTP Development Office of recovery outside_access_in

outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

Comment from outside_access_in-access Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

Note to outside_access_in access to OLTP for target recovery Office Access list

outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

Note to outside_access_in access from the 2nd IP Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

NAT (inside, outside) static source Development_OLTP External_Development_OLTP

NAT (inside, outside) static source TMC_Webserver External_TMC_Web

NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

Enable http server

http 92.51.193.156 255.255.255.252 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0

dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end

Hello

There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

Here are a few suggestions on what to change

ASA1

Minimal changes

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

being REMOTE-LAN network

255.255.255.0 subnet 192.168.100.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

Other suggestions

These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

PAT-SOURCE network object-group

source networks internal PAT Description

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

no nat (wireless, outdoors) source Dynamics one interface

no nat (servers, outside) no matter what source dynamic interface

The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

network of the SERVERS object

subnet 192.168.20.0 255.255.255.0

network of the VPN-POOL object

192.168.50.0 subnet 255.255.255.0

NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

ASA2

Minimal changes

the object of the LAN network

255.255.255.0 subnet 192.168.100.0

being REMOTE-LAN network

192.168.10.0 subnet 255.255.255.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM.

Other suggestions

PAT-SOURCE network object-group

object-network 192.168.100.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

Hope this makes any sense and has helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Cisco ASA 5510 + license + AIP - SSM

Hello.

I have this box.

I have a few questions about it.

(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

Please help me.

(1) you must Smartnet in order to download the software from the download from cisco.com site.

(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

(3) Yes, the basic license is OK for the AIP module.

(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

Hope that answers your questions.

Select Cisco ASA to replace Palo Alto PA 500

Similar Questions

Maybe you are looking for