Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

Similar Questions

• Cisco asa 5505 and centos VPN server connection

  Hi all

  Please I want to set up a VPN between Cisco asa 5505 and centos server.

  Here's my senerio

  -------------------------

  ASA 5505

  Public IP 155.155.155.2

  Local NETWORK: 192.168.6.X

  CentOS Server

  ------------------

  Public ip address: 155.155.155.6

  Thank you guys

  Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

  If the remote access, here are the sample configuration:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

• EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure

  Hi friends,

  I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas?

  Please find below the exit of 881 router Cisco:

  YF2_Tbilisi_router #.
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
  * 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL)
  * 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
  * 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
  * 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
  * 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
  * 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
  * 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:31:47.805 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
  * 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
  * 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
  * 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
  * 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
  * 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
  * 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
  * 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
  * 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  * 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA

  * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0
  * 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.

  * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
  * 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
  * 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
  * 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
  * 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
  * 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
  * 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
  * 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
  * 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
  * 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
  * 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
  * 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
  * 09:32:48.913 4 August: ISAKMP (0): payload ID
  next payload: 13
  type: 11
  Group ID: Youth_Facility_2
  Protocol: 17
  Port: 0
  Length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
  * 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
  * 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1

  * 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange
  * 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
  * 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
  * 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
  * 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
  * 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
  * 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
  * 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
  * 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.

  There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved.

  The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who?

• Cisco Asa 5505 and level 3 with remote access VPN switch

  Today I had a new CISCO LAYER 3 switch... So here's my scenrio

  Cisco Asa 5505

  I have

  Outside of the == 155.155.155.x

  Inside = 192.168.7.1

  Address POOL VPN = 10.10.10.1 - 10.10.10.20

  3 layer switch configuration

  VLAN 2

  ip address of the interface = 192.168.1.1

  VLAN 2

  ip address of the interface = 192.168.2.1

  VLAN 2

  ip address of 192.168.3.1 = interface

  VLAN 2

  ip address of the interface = 192.168.4.1

  VLAN 2

  ip address of the interface = 192.168.5.1

  IP Routing

  So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip

  Thanks to you all

  Al ready has responded

  Sent by Cisco Support technique iPad App

• L2l between an ASA 5505 and WatchGuard XTM330 with dynamic IP

  Hi guys,.

  I looked for a solution on this one but can't find inappropriate, most of the discussions were old and with dead links to the solution.

  We have an ASA 5505 with static IP address on the outside and a customer who have a WatchGuard XTM330 with dynamic IP address to the outside.

  Is it possible to have an L2L VPN between our ASA and the WatchGuard when he has a dynamic IP?

  I have no experience on the series of WatchGuard,

  so, I am very grateful for any answer!

  Thanks in advance and have a nice day

  BR

  Robin

  Hi Robin,

  Here are the links you can make reference when configuring static to the dynamic VPN tunnel: -.
  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112075-dynamic-IPSec-ASA-router-CCP.html

  This one is with Pix on the remote side, but the configuration will remain the same on the local side: -.
  http://www.WatchGuard.com/docs/4-6-Firebox-CiscoPix.PDF

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• VLANS with Cisco ASA 5505 and non-Cisco switch

  I have an ASA5505 and a switch Netgear GSM7224 L2 that I try to use together.  I can't grasp how VLANs (or at least how they should be put in place).  When configuring my VLAN on the ASA5505 it seems simple enough, but then on my switch, I thought I'd create just the same VLAN numbers that I used on the SAA and then add the ports that I wanted to use for each VLAN.

  Currently on my ASA, I have the following VLAN configured...

  outside - vlan11 - Port 0/0

  inside - vlan1 - Port 0/1

  dmz_ftp - vlan21 - Port 0/2

  Port of Corp - vlan31 - 0/3

  I need to do the same thing on my switch as well...  On my way, I'm a little confused as to how I need to configure the VLAN.  Below is the screenshot of web GUI...

  

  Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings.

  Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1.  I'm not sure how to in one place to tell my inner vlan (vlan1).

  I want VLAN1 ports 1-8 on my Netgear switch used alone to talk to interface/0/1 on the ASA5505 port.  I don't want to NOT port 9-24 able to talk to ports 1-8 on the Netgear switch ports OR 0/0, 0/2 - 0 / 7 on the Cisco ASA 5505.

  So, how can I configure my inner Vlan1 on ports 1-8 on the switch?  Do mark, UNTAG, autodetect them?  What about tours?  I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go.  Is this the wrong logic?

  Hi Arvo,

  If the port of the ASA is just part of a single VLAN (i.e. e0/0 single door 11 VLAN), this is called an access port. If the port of the ASA had to carry several VLANs, it would constitute a Trunk port.

  To access ports (VLAN unique), you must set the switch corresponding to be unidentified for port this VLAN individual. If you decide to configure a trunk port, then the port of the switch must be set for labelling for each of VLAN who win the trunk.

  For example, ASA I have:

  interface Ethernet0/1
  switchport access vlan 20
  !
  interface Vlan20
  nameif inside
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  

  With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the SAA is connected to 0/1 on the switch):

  VLAN 20 - 0/1 = untagged

  If instead you use a trunk port, the config would look like this:

  interface Ethernet0/0
  switchport trunk allowed vlan 10,20
  switchport mode trunk
  !
  interface Vlan10
  nameif outside
  security-level 0
  ip address dhcp setroute
  !
  interface Vlan20
  nameif inside
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  

  Assuming that the ASA e0/0 port is connected to 0/1 on the switch):

  VLAN 10 - 0/1 = tagged
  VLAN 20 - 0/1 = tagged
  

  Hope that helps.

  -Mike

• ASA 5505 - I can't create an IPSEC VPN between two ASA 5505

  Hello

  I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did:

  1 Configure ASA-1 (host name, vlan 1 and vlan 2).

  2. configure a static route

  3. create object network (local and remote)

  4. create the access list

  5. create ikev1 crypto

  6. create tunnel-group

  7 Configure nat

  and I repeat the steps above with the ASA but another change IP.

  Are to correct the above steps?

  Why can I not create an IPSEC VPN between devices?.

  No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running.

• Client VPN und Cisco asa 5505 tunnel work but no traffic

  Hi all

  I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists.

  I have the following problem:

  I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn.

  To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network.

  Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client.

  After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network.

  I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic).

  What I did wrong. Could someone let me know what I have to do today.

  With hope for your help Dimitri.

  ASA configuration after reset and basic configuration: works to the Internet from within the course.

  : Saved

  : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010

  !

  ASA Version 8.2 (2)

  !

  ciscoasa hostname

  activate 2KFQnbNIdI.2KYOU encrypted password

  2KFQnbNIdI.2KYOU encrypted passwd

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE client vpdn group home

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  boot system Disk0: / asa822 - k8.bin

  passive FTP mode

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  Server name 194.25.0.60

  Server name 194.25.0.68

  DM_INLINE_TCP_1 tcp service object-group

  port-object eq www

  EQ object of the https port

  inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session

  inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session

  inside_access_in list extended access deny ip any any debug log

  inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0

  permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128

  homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  Outside 1500 MTU

  Within 1500 MTU

  IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location 192.168.0.0 255.255.0.0 inside

  ASDM location 192.168.10.0 255.255.255.0 inside

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  inside_access_in access to the interface inside group

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group home request dialout pppoe

  VPDN group House localname 04152886790

  VPDN group House ppp authentication PAP

  VPDN username 04152886790 password 1

  dhcpd outside auto_config

  !

  dhcpd address 192.168.1.5 - 192.168.1.36 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  TFTP server 192.168.1.5 inside c:/tftp-root

  WebVPN

  Group Policy inner residential group

  attributes of the strategy of group home group

  value of 192.168.1.1 DNS server

  Protocol-tunnel-VPN IPSec

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list homegroup_splitTunnelAcl

  username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn

  user01 username attributes

  VPN-strategy group home group

  tunnel-group home group type remote access

  attributes global-tunnel-group home group

  address homepool pool

  Group Policy - by default-homegroup

  tunnel-group group residential ipsec-attributes

  pre-shared-key ciscotest

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  Review the ip options

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb

  : end

  Hello

  Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time).

  If you connect via VPN, check the following:

  1. the tunnel is established:

  HS cry isa his

  Must say QM_IDLE or MM_ACTIVE

  2 traffic is flowing (encrypted/decrypted):

  HS cry ips its

  3. Enter the command:

  management-access inside

  And check if you can PING the inside ASA VPN client IP.

  4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients).

  Federico.

• AnyConnect VPN for Cisco ASA 5505 refused connections

  I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

  interface Vlan2
  
      mac-address xxxx.xxxx.xxxx
  
      nameif outside
  
      security-level 0
  
      ip address A.A.A.A 255.255.255.240
  
      !
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq www
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
  
      access-list outside_access_in extended permit icmp any any
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
  
      access-list outside_access_in extended permit gre any host C.C.C.C
  
      access-list outside_access_out extended permit ip any any
  
      access-list inside_access_in extended permit ip any any
  
      access-list inside_access_in extended permit ip any interface outside
  
      access-list inside_access_out extended permit ip any any
  access-group inside_access_in in interface inside
  
      access-group inside_access_out out interface inside
  
      access-group outside_access_in in interface outside
  
      access-group outside_access_out out interface outside
  webvpn
  
      enable inside
  
      enable outside
  
      svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  
      svc enable
  group-policy DfltGrpPolicy attributes
  
      dns-server value X.X.X.X
  
      vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  
      split-tunnel-policy tunnelspecified
  
      split-tunnel-network-list value
  
      address-pools value palm
  
      webvpn
  
        svc rekey time 30
  
        svc rekey method ssl
  
        svc ask enable default webvpn
  policy-map global_policy
  
      class inspection_default
  
        inspect pptp
  
        inspect http
  
        inspect icmp
  
        inspect ftp
  
      !
  

  When I try to connect, I get this error in the real-time log viewer:

  TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
  

  Here are the details of the license:

  Licensed features for this platform:
  
      Maximum Physical Interfaces  : 8
  
      VLANs                        : 3, DMZ Restricted
  
      Inside Hosts                 : Unlimited
  
      Failover                     : Disabled
  
      VPN-DES                      : Enabled
  
      VPN-3DES-AES                 : Enabled
  
      SSL VPN Peers                : 2
  
      Total VPN Peers              : 10
  
      Dual ISPs                    : Disabled
  
      VLAN Trunk Ports             : 0
  
      Shared License               : Disabled
  
      AnyConnect for Mobile        : Disabled
  
      AnyConnect for Linksys phone : Disabled
  
      AnyConnect Essentials        : Disabled
  
      Advanced Endpoint Assessment : Disabled
  
      UC Phone Proxy Sessions      : 2
  
      Total UC Proxy Sessions      : 2
  
      Botnet Traffic Filter        : Disabled
  This platform has a Base license.
  

  Can someone tell me what I am doing wrong or what access list I'm missing?

  I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

  Hi Matt,

  You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

  WebVPN

  tunnel-group-list activate

  Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

  HTH

  Herbert

• IPSec VPN between Cisco ASA and Fortigate1000

  Hello

  I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

  the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

  The question is: How do I configure the interface on the SAA ACCORD?

  Thanks in advance, Experts...

  Kind regards...

  ASA firewall does not support the interface/GRE GRE tunnel.

  If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

  If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

  Hope that helps.

• Cisco ASA 5505 and comodo SSL certificate

  Hey all,.

  I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green.

  Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com.

  On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.

  What I'm missing here? I can post config if anyone needs.

  (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2))

  Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out.

  Thank you

  Bad Boy

• Site to Site VPN between ISR4331(Data Center) and 25 branches with RV042 and dynamic public IP address

  Hi, we just got router ISR4331. We will use this router to our datacenter as pummel hub. Not to mention that it will be the static IP address. Our goal is to connect 30 small offices to the Datacenter by VPN site-to-site. All of our offices a RV042 router and DSL connection, so dynamic public IP. How to accomplish this task. Before the VPN connection is stable and the need not to configure tunnels frequently.

  Thank you

  GM

  Hello

  Please check the config below:

  HUBS:

  crypto ISAKMP policy 1
  

   BA 3des
  md5 hash
  preshared authentication
  Group 2
  life 86400
  crypto isakmp secretkey key address 0.0.0.0 0.0.0.0 (Having said that the dynamic router HUB remote routers have public ip address)
  Describe your valuable traffic. Note that I have sepcified for both tunnels, but basically, it will be the same for the rest out for the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24. You will need to replace it with your existing installation.
  TUN1 extended IP access list
  ip permit 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  TUN2 extended IP access list
  ip permit 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  Create your strategy to Phase 2
  Crypto ipsec transform-set esp-3des esp-md5-hmac TS
  card crypto S2STUN 1-isakmp dynamic ipsec HUB_TUN
  crypto dynamic-map HUB_TUN 10
  

  86400 seconds, life of security association set

  game of transformation-TS

  match address TUN1

  !

  crypto dynamic-map HUB_TUN 11

  86400 seconds, life of security association set

  game of transformation-TS

  match address TUN2
  Now apply the card encryption to your WAN interface
  gi0/1 interface
  card crypto S2STUN
  Now configure on your remote routers
  Remote router 1
  crypto ISAKMP policy 1
  BA 3des

  md5 hash

  preshared authentication

  Group 2

  life 86400

  !

  ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)

  !

  TUNNEL TRAFFIC extended IP access list

  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

  !

  Crypto ipsec transform-set esp-3des esp-md5-hmac TS

  !

  crypto card TUN_TO_HUB 10 ipsec-isakmp

  defined peer x.x.x.x (replace with your public ip address of the hub)

  game of transformation-TS

  match address TRAFFIC TUNNEL
  !

  gi0/1 interface

  card crypto TUN_TO_HUB

  Remote router 2

  crypto ISAKMP policy 1
  
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  life 86400
  !
  ISAKMP crypto secretkey key address x.x.x.x (replace with your public ip address of the HUB)
  !
  TUNNEL TRAFFIC extended IP access list
  ip licensing 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  !
  Crypto ipsec transform-set esp-3des esp-md5-hmac TS
  !
  crypto card TUN_TO_HUB 10 ipsec-isakmp
  defined peer x.x.x.x (replace with your public ip address of the hub)
  game of transformation-TS
  match address TRAFFIC TUNNEL
  !
  gi0/1 interface
  card crypto TUN_TO_HUB
  HTH.
  Evaluate the useful ticket.
  Kind regards
  Terence

• Cisco ASA 5505 site for multiple subnet of the site.

  Hello. I need help to configure my cisco asa 5505.

  I set up a VPN between two ASA 5505 tunnel

  Site 1:

  Subnet 192.168.77.0

  Site 2:

  Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

  What I need help:

  Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

  And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

  Vlan480 is used for phones. In vlan480, we have a PABX.

  Is this possible to do?

  Any help would be much appreciated!

  Config site 2:

  : Saved

  :

  ASA Version 7.2 (2)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  names of

  name 192.168.1.250 DomeneServer

  name of 192.168.1.10 NotesServer

  name 192.168.1.90 Steadyily

  name 192.168.1.97 TerminalServer

  name 192.168.1.98 eyeshare w8

  name 192.168.50.10 w8-print

  name 192.168.1.94 w8 - app

  name 192.168.1.89 FonnaFlyMedia

  !

  interface Vlan1

  nameif Vlan1

  security-level 100

  IP 192.168.200.100 255.255.255.0

  OSPF cost 10

  !

  interface Vlan2

  nameif outside

  security-level 0

  IP address 79.x.x.226 255.255.255.224

  OSPF cost 10

  !

  interface Vlan400

  nameif vlan400

  security-level 100

  IP 192.168.1.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan450

  nameif Vlan450

  security-level 100

  IP 192.168.210.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan460

  nameif Vlan460-SuldalHotell

  security-level 100

  IP 192.168.2.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan461

  nameif Vlan461-SuldalHotellGjest

  security-level 100

  address 192.168.3.1 IP 255.255.255.0

  OSPF cost 10

  !

  interface Vlan462

  Vlan462-Suldalsposten nameif

  security-level 100

  192.168.4.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan470

  nameif vlan470-Kyrkjekontoret

  security-level 100

  IP 192.168.202.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan480

  nameif vlan480 Telefoni

  security-level 100

  address 192.168.20.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan490

  nameif Vlan490-QNapBackup

  security-level 100

  IP 192.168.10.1 255.255.255.0

  OSPF cost 10

  !

  interface Vlan500

  nameif Vlan500-HellandBadlands

  security-level 100

  192.168.30.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan510

  Vlan510-IsTak nameif

  security-level 100

  192.168.40.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Vlan600

  nameif Vlan600-SafeQ

  security-level 100

  192.168.50.1 IP address 255.255.255.0

  OSPF cost 10

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  switchport access vlan 500

  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

  switchport mode trunk

  !

  interface Ethernet0/3

  switchport access vlan 490

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passwd encrypted x

  passive FTP mode

  clock timezone WAT 1

  DNS server-group DefaultDNS

  domain default.domain.invalid

  permit same-security-traffic inter-interface

  permit same-security-traffic intra-interface

  Lotus_Notes_Utgaaande tcp service object-group

  UT og Frim Notes Description til alle

  area of port-object eq

  port-object eq ftp

  port-object eq www

  EQ object of the https port

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ pptp Port object

  EQ smtp port object

  Lotus_Notes_inn tcp service object-group

  Description of the inn og alle til Notes

  port-object eq www

  port-object eq lotusnotes

  EQ Port pop3 object

  EQ smtp port object

  object-group service Reisebyraa tcp - udp

  3702 3702 object-port Beach

  5500 5500 object-port Beach

  range of object-port 9876 9876

  object-group service Remote_Desktop tcp - udp

  Description Tilgang til Remote Desktop

  3389 3389 port-object range

  object-group service Sand_Servicenter_50000 tcp - udp

  Description program tilgang til sand service AS

  object-port range 50000 50000

  VNC_Remote_Admin tcp service object-group

  Description Fra ¥ oss til alle

  5900 5900 port-object range

  object-group service Printer_Accept tcp - udp

  9100 9100 port-object range

  port-object eq echo

  ICMP-type of object-group Echo_Ping

  echo ICMP-object

  response to echo ICMP-object

  object-group service Print tcp

  9100 9100 port-object range

  FTP_NADA tcp service object-group

  Suldalsposten NADA tilgang description

  port-object eq ftp

  port-object eq ftp - data

  Telefonsentral tcp service object-group

  Hoftun description

  port-object eq ftp

  port-object eq ftp - data

  port-object eq www

  EQ object of the https port

  port-object eq telnet

  Printer_inn_800 tcp service object-group

  Fra 800 thought-out og inn til 400 port 7777 description

  range of object-port 7777 7777

  Suldalsposten tcp service object-group

  Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

  EQ Port pop3 object

  EQ smtp port object

  http2 tcp service object-group

  Beach of port-object 81 81

  object-group service DMZ_FTP_PASSIVE tcp - udp

  55536 56559 object-port Beach

  object-group service DMZ_FTP tcp - udp

  20 21 object-port Beach

  object-group service DMZ_HTTPS tcp - udp

  Beach of port-object 443 443

  object-group service DMZ_HTTP tcp - udp

  8080 8080 port-object range

  DNS_Query tcp service object-group

  of domain object from the beach

  object-group service DUETT_SQL_PORT tcp - udp

  Description for a mellom andre og duett Server nett

  54659 54659 object-port Beach

  outside_access_in of access allowed any ip an extended list

  outside_access_out of access allowed any ip an extended list

  vlan400_access_in list extended access deny ip any host 149.20.56.34

  vlan400_access_in list extended access deny ip any host 149.20.56.32

  vlan400_access_in of access allowed any ip an extended list

  Vlan450_access_in list extended access deny ip any host 149.20.56.34

  Vlan450_access_in list extended access deny ip any host 149.20.56.32

  Vlan450_access_in of access allowed any ip an extended list

  Vlan460_access_in list extended access deny ip any host 149.20.56.34

  Vlan460_access_in list extended access deny ip any host 149.20.56.32

  Vlan460_access_in of access allowed any ip an extended list

  vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

  vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

  vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

  vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

  vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

  vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

  vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

  Vlan500_access_in list extended access deny ip any host 149.20.56.34

  Vlan500_access_in list extended access deny ip any host 149.20.56.32

  Vlan500_access_in of access allowed any ip an extended list

  vlan470_access_in list extended access deny ip any host 149.20.56.34

  vlan470_access_in list extended access deny ip any host 149.20.56.32

  vlan470_access_in of access allowed any ip an extended list

  Vlan490_access_in list extended access deny ip any host 149.20.56.34

  Vlan490_access_in list extended access deny ip any host 149.20.56.32

  Vlan490_access_in of access allowed any ip an extended list

  Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan1_access_out of access allowed any ip an extended list

  Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan1_access_out deny ip extended access list a whole

  Vlan1_access_out list extended access permit icmp any any echo response

  Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

  Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

  Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

  Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan480_access_out of access allowed any ip an extended list

  Vlan510_access_in of access allowed any ip an extended list

  Vlan600_access_in of access allowed any ip an extended list

  Vlan600_access_out list extended access permit icmp any one

  Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

  Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

  Vlan600_access_in_1 of access allowed any ip an extended list

  Vlan461_access_in of access allowed any ip an extended list

  Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

  vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

  access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

  access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

  pager lines 24

  Enable logging

  asdm of logging of information

  MTU 1500 Vlan1

  Outside 1500 MTU

  vlan400 MTU 1500

  MTU 1500 Vlan450

  MTU 1500 Vlan460-SuldalHotell

  MTU 1500 Vlan461-SuldalHotellGjest

  vlan470-Kyrkjekontoret MTU 1500

  MTU 1500 vlan480-Telefoni

  MTU 1500 Vlan490-QNapBackup

  MTU 1500 Vlan500-HellandBadlands

  MTU 1500 Vlan510-IsTak

  MTU 1500 Vlan600-SafeQ

  MTU 1500 Vlan462-Suldalsposten

  no failover

  Monitor-interface Vlan1

  interface of the monitor to the outside

  the interface of the monitor vlan400

  the interface of the monitor Vlan450

  the interface of the Vlan460-SuldalHotell monitor

  the interface of the Vlan461-SuldalHotellGjest monitor

  the interface of the vlan470-Kyrkjekontoret monitor

  Monitor-interface vlan480-Telefoni

  the interface of the Vlan490-QNapBackup monitor

  the interface of the Vlan500-HellandBadlands monitor

  Monitor-interface Vlan510-IsTak

  Monitor-interface Vlan600-SafeQ

  the interface of the monitor Vlan462-Suldalsposten

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 522.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  vlan400_nat0_outbound (vlan400) NAT 0 access list

  NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

  NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

  NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

  NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

  NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

  NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

  NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

  NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

  static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

  static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

  static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

  static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

  static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

  static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

  static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

  static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

  static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

  static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

  (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

  static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

  static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

  static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

  static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

  Access-group interface Vlan1 Vlan1_access_out

  Access-group outside_access_in in interface outside

  Access-group outside_access_out outside interface

  Access-group vlan400_access_in in the vlan400 interface

  vlan400_access_out group access to the interface vlan400

  Access-group Vlan450_access_in in the Vlan450 interface

  Access-group interface Vlan450 Vlan450_access_out

  Access-group interface Vlan460-SuldalHotell Vlan460_access_in

  Access-group interface Vlan460-SuldalHotell Vlan460_access_out

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

  Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

  Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

  vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

  access to the interface vlan480-Telefoni, vlan480_access_out group

  Access-group interface Vlan490-QNapBackup Vlan490_access_in

  Access-group interface Vlan490-QNapBackup Vlan490_access_out

  Access-group interface Vlan500-HellandBadlands Vlan500_access_in

  Access-group interface Vlan500-HellandBadlands Vlan500_access_out

  Access-group interface Vlan510-IsTak Vlan510_access_in

  Access-group interface Vlan510-IsTak Vlan510_access_out

  Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

  Access-group Vlan600_access_out interface Vlan600-SafeQ

  Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

  Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

  Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout, uauth 0:05:00 absolute

  x x encrypted privilege 15 password username

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.210.0 255.255.255.0 Vlan450

  http 192.168.200.0 255.255.255.0 Vlan1

  http 192.168.1.0 255.255.255.0 vlan400

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 20 match address outside_20_cryptomap_1

  card crypto outside_map 20 set pfs

  peer set card crypto outside_map 20 62.92.159.137

  outside_map crypto 20 card value transform-set ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  ISAKMP crypto enable vlan400

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  tunnel-group 62.92.159.137 type ipsec-l2l

  IPSec-attributes tunnel-group 62.92.159.137

  pre-shared-key *.

  Telnet 192.168.200.0 255.255.255.0 Vlan1

  Telnet 192.168.1.0 255.255.255.0 vlan400

  Telnet timeout 5

  SSH 171.68.225.216 255.255.255.255 outside

  SSH timeout 5

  Console timeout 0

  dhcpd update dns both

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

  !

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

  !

  dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

  dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

  dhcpd option 3 ip 192.168.1.1 interface vlan400

  vlan400 enable dhcpd

  !

  dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

  dhcpd ip interface 192.168.210.1 option 3 Vlan450

  enable Vlan450 dhcpd

  !

  dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

  dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

  dhcpd enable Vlan460-SuldalHotell

  !

  dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

  dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

  dhcpd enable Vlan461-SuldalHotellGjest

  !

  dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

  interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

  dhcpd enable vlan470-Kyrkjekontoret

  !

  dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

  !

  dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

  dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

  !

  dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

  dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

  dhcpd enable Vlan500-HellandBadlands

  !

  dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

  dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

  Vlan510-IsTak enable dhcpd

  !

  dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

  Vlan600-SafeQ enable dhcpd

  !

  dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

  interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

  interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

  Vlan462-Suldalsposten enable dhcpd

  !

  !

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  !

  context of prompt hostname

  Cryptochecksum:x

  : end

  Site 1 config:

  : Saved

  :

  ASA Version 7.2 (4)

  !

  ciscoasa hostname

  domain default.domain.invalid

  activate the password encrypted x

  passwd encrypted x

  names of

  !

  interface Vlan1

  nameif inside

  security-level 100

  IP 192.168.77.1 255.255.255.0

  !

  interface Vlan2

  nameif outside

  security-level 0

  PPPoE Telenor customer vpdn group

  IP address pppoe setroute

  !

  interface Ethernet0/0

  switchport access vlan 2

  !

  interface Ethernet0/1

  !

  interface Ethernet0/2

  !

  interface Ethernet0/3

  !

  interface Ethernet0/4

  !

  interface Ethernet0/5

  switchport access vlan 15

  !

  interface Ethernet0/6

  !

  interface Ethernet0/7

  !

  passive FTP mode

  DNS server-group DefaultDNS

  domain default.domain.invalid

  outside_access_in list extended access permit icmp any any disable log echo-reply

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

  pager lines 24

  asdm of logging of information

  Within 1500 MTU

  Outside 1500 MTU

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 524.bin

  don't allow no asdm history

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 1 0.0.0.0 0.0.0.0

  Access-group outside_access_in in interface outside

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  Enable http server

  http 192.168.77.0 255.255.255.0 inside

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs

  peer set card crypto outside_map 1 79.160.252.226

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map interface card crypto outside

  crypto ISAKMP allow inside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet 192.168.77.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN group Telenor request dialout pppoe

  VPDN group Telenor localname x

  VPDN group Telenor ppp authentication chap

  VPDN x x local store password username

  dhcpd outside auto_config

  !

  dhcpd address 192.168.77.100 - 192.168.77.130 inside

  dhcpd dns 192.168.77.1 on the inside interface

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

  dhcpd allow inside

  !

  dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

  !

  tunnel-group 79.160.252.226 type ipsec-l2l

  IPSec-attributes tunnel-group 79.160.252.226

  pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the sip

  inspect the netbios

  inspect the tftp

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:x

  : end

  Hello

  The addition of a new network to the existing VPN L2L should be a fairly simple process.

  Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

  Looking at your configurations above it would appear that you need to the following configurations

  SITE 1

  • We add the new network at the same time the crypto ACL and ACL NAT0

  access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

  access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

  SITE 2

  • We add new ACL crypto network
  • We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration

  outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  Comment by VLAN480-NAT0 NAT0 for VPN access-list

  access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

  NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

  These configurations should pretty much do the trick.

  Let me know if it worked

  -Jouni

• CISCO ASA 5505 no cisco VPN Client

  Hello

  I'm looking for after a firewall Cisco ASA 5505 and want to watch all the owners of it with remote access in but none of us have a support contract with Cisco.

  Is it possible to set up a VPN client not as Microsoft built the client to connect to the ASA?

  Thank you

  Alamb200

  Hello

  Looking for a PPTP on ASA connection?

  The following document provides the following:

  ASA q support PPTP client?

  A. number of the

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#supportfeat

  But we can configure ASA to allow the PPTP connection:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your request is answered. Note the useful messages.

• LAN to Lan tunnel between ASA 5505 and 3030.

  I am unable to build a tunnel vpn site-to-site between an ASA 5505 and our Cisco 3030.  I tried all possible combinations except one that will work.  I am able to ping each peer on the other site.  Someone at - it a config between two tunnels of Lan to Lan to work between a 5505 and 3030 that works.  Thank you

  Hello

  Please visit this link using config:

  http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce...

  Kind regards

  Aditya

  Please evaluate the useful messages.