Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a VPN site-to site between our data center and office. The data center has a Cisco ASA 5505 and the Office has a Sonicwall TZ170. I managed to configure the two so that the vpn connects. Each of the firewall I ping the IP Address of the internet firewall on the other side and a desktop computer I can ping the IP Address of the firewall internal datacenter but I can't carry traffic between private subnets datacenter and desktop. Can anyone help?
The config below has had IPs/passwords has changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2 (1)
!
hostname datacenterfirewall
mydomain.tld domain name
activate the
passwd
names of
name 10.10.0.0 OfficeNetwork
10.5.0.0 DatacenterNetwork name
!
interface Vlan1
nameif inside
security-level 100
10.5.0.1 IP address 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
1.1.1.4 IP address 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
buydomains.com domain name
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
inside_access_in list extended access permit icmp any one
inside_access_in list extended access permitted tcp a whole
inside_access_in list extended access udp allowed a whole
inside_access_in of access allowed any ip an extended list
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq isakmp
IP DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
IP OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0 allow Access-list extended pixtosw
pixtosw list extended access allow icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
outside_cryptomap_66.1 list of allowed ip extended access all OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 ip OfficeNetwork 255.255.255.0 allowed extended access list all
outside_cryptomap_66.1 list extended access permit icmp any OfficeNetwork 255.255.255.0
outside_cryptomap_66.1 list extended access allowed icmp OfficeNetwork 255.255.255.0 everything
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
IP verify reverse path to the outside interface
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 623.bin
don't allow no asdm history
ARP timeout 14400
NAT-control
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0
inside_access_in access to the interface inside group
Access-group outside_access_in in interface outside
Route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
Route OfficeNetwork 255.255.255.0 outside 1.1.1.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Enable http server
http 10.5.0.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-aes-256 walthamoffice, esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map ciscopix 1 corresponds to the address outside_cryptomap_66.1
Crypto dynamic-map ciscopix 1 transform-set walthamoffice
Crypto dynamic-map ciscopix 1 the value reverse-road
map dynmaptosw 66-isakmp ipsec crypto dynamic ciscopix
dynmaptosw interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 13
preshared authentication
aes-256 encryption
sha hash
Group 2
lifetime 28800
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.5.0.0 255.255.255.0 inside
Telnet timeout 5
SSH 10.5.0.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
management-access inside
dhcpd address 10.5.0.2 - 10.5.0.254 inside
dhcpd allow inside
!
a basic threat threat detection
Mattew, obvious lack of education is the rule exempt from nat for your tunnel, your access list pixtosw is similar on this example, I assume that you have gone through this link, if it does not see the configs on both sides. Add the statement of rule sheep in asa and try again. NAT (inside) 0-list of access pixtosw Concerning Tags: Cisco Security Cisco asa 5505 and centos VPN server connection Hi all Please I want to set up a VPN between Cisco asa 5505 and centos server. Here's my senerio ------------------------- ASA 5505 Public IP 155.155.155.2 Local NETWORK: 192.168.6.X CentOS Server ------------------ Public ip address: 155.155.155.6 Thank you guys Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505? If the remote access, here are the sample configuration: http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml EzVPN between Cisco ASA 5505 (with NEM mode) and Ciscoo 881 Roure Hi friends, I configured the Cisco ASA 5505 and Cisco router with DMVPN 881. 3 offices works very well but one office remains failure. I did the same configuration for all facilities but this router does not work. Any ideas? Please find below the exit of 881 router Cisco: YF2_Tbilisi_router #. * 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1) * 4 August 09:31:47.805: del_node 2.2.2.2 src dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0 * 4 August 09:31:47.805: ISAKMP: (0): profile of THE request is (NULL) * 4 August 09:31:47.809: ISAKMP: (0): Beginner aggressive Mode Exchange
* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1) * 4 August 09:32:48.909: del_node src 2.2.2.2:500 dst 1.1.1.1:500 fvrf 0 x 0, ivrf 0 x 0 * 4 August 09:32:48.909: ISAKMP: (0): profile of THE request is (NULL)
* 4 August 09:32:48.913: ISAKMP: (0): Beginner aggressive Mode Exchange There is no DMVPN on the SAA. All that you have configured, is not compatible with the ASA or something another DMVPN then. At least debugging shows that there are some EzVPN involved. The debug version, it seems that there is no communication on UDP/500 possible between devices. Maybe something is blocking who? Cisco Asa 5505 and level 3 with remote access VPN switch Today I had a new CISCO LAYER 3 switch... So here's my scenrio Cisco Asa 5505 I have Outside of the == 155.155.155.x Inside = 192.168.7.1 Address POOL VPN = 10.10.10.1 - 10.10.10.20 3 layer switch configuration VLAN 2 ip address of the interface = 192.168.1.1 VLAN 2 ip address of the interface = 192.168.2.1 VLAN 2 ip address of 192.168.3.1 = interface VLAN 2 ip address of the interface = 192.168.4.1 VLAN 2 ip address of the interface = 192.168.5.1 IP Routing So I want the customers of my remote access VPN to access all that these networks. So please can you give me a useful tip or a link to set up the rest of my trip Thanks to you all Al ready has responded Sent by Cisco Support technique iPad App L2l between an ASA 5505 and WatchGuard XTM330 with dynamic IP Hi guys,. I looked for a solution on this one but can't find inappropriate, most of the discussions were old and with dead links to the solution. We have an ASA 5505 with static IP address on the outside and a customer who have a WatchGuard XTM330 with dynamic IP address to the outside. Is it possible to have an L2L VPN between our ASA and the WatchGuard when he has a dynamic IP? I have no experience on the series of WatchGuard, so, I am very grateful for any answer! Thanks in advance and have a nice day BR Robin Hi Robin, Here are the links you can make reference when configuring static to the dynamic VPN tunnel: -. This one is with Pix on the remote side, but the configuration will remain the same on the local side: -. Kind regards PS Please rate helpful messages. VLANS with Cisco ASA 5505 and non-Cisco switch I have an ASA5505 and a switch Netgear GSM7224 L2 that I try to use together. I can't grasp how VLANs (or at least how they should be put in place). When configuring my VLAN on the ASA5505 it seems simple enough, but then on my switch, I thought I'd create just the same VLAN numbers that I used on the SAA and then add the ports that I wanted to use for each VLAN. Currently on my ASA, I have the following VLAN configured... outside - vlan11 - Port 0/0 inside - vlan1 - Port 0/1 dmz_ftp - vlan21 - Port 0/2 Port of Corp - vlan31 - 0/3 I need to do the same thing on my switch as well... On my way, I'm a little confused as to how I need to configure the VLAN. Below is the screenshot of web GUI... Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings. Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1. I'm not sure how to in one place to tell my inner vlan (vlan1). I want VLAN1 ports 1-8 on my Netgear switch used alone to talk to interface/0/1 on the ASA5505 port. I don't want to NOT port 9-24 able to talk to ports 1-8 on the Netgear switch ports OR 0/0, 0/2 - 0 / 7 on the Cisco ASA 5505. So, how can I configure my inner Vlan1 on ports 1-8 on the switch? Do mark, UNTAG, autodetect them? What about tours? I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go. Is this the wrong logic? Hi Arvo, If the port of the ASA is just part of a single VLAN (i.e. e0/0 single door 11 VLAN), this is called an access port. If the port of the ASA had to carry several VLANs, it would constitute a Trunk port. To access ports (VLAN unique), you must set the switch corresponding to be unidentified for port this VLAN individual. If you decide to configure a trunk port, then the port of the switch must be set for labelling for each of VLAN who win the trunk. For example, ASA I have: interface Ethernet0/1 switchport access vlan 20 ! interface Vlan20 nameif inside security-level 100 ip address 192.168.100.254 255.255.255.0 With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the SAA is connected to 0/1 on the switch): If instead you use a trunk port, the config would look like this: interface Ethernet0/0 switchport trunk allowed vlan 10,20 switchport mode trunk ! interface Vlan10 nameif outside security-level 0 ip address dhcp setroute ! interface Vlan20 nameif inside security-level 100 ip address 192.168.100.254 255.255.255.0 Assuming that the ASA e0/0 port is connected to 0/1 on the switch): VLAN 10 - 0/1 = tagged VLAN 20 - 0/1 = tagged Hope that helps. -Mike ASA 5505 - I can't create an IPSEC VPN between two ASA 5505 Hello I have two ASA 5505 with basic license and I'm trying to create a VPN IPSEC using the CLI. Here are the steps I did: 1 Configure ASA-1 (host name, vlan 1 and vlan 2). 2. configure a static route 3. create object network (local and remote) 4. create the access list 5. create ikev1 crypto 6. create tunnel-group 7 Configure nat and I repeat the steps above with the ASA but another change IP. Are to correct the above steps? Why can I not create an IPSEC VPN between devices?. No, you needn't. The ASA configuration is ok. Packet trace proved it. I think it can be a problem on the hosts. Please, check the firewall on the PC and try to put out of service, if it is running. Client VPN und Cisco asa 5505 tunnel work but no traffic Hi all I am new to this forum and Don t have a lot of experience with Cisco, so I hope I can get help from specialists. I have the following problem: I installed und konfigured ASA 5505 for use with vpn client. I would like to access the local network from outside through vpn. To test, I installed ASA 5505 with ADSL (pppoe) and tried to give access to the internal network. Of course whenever I have recive the supplier's different IP address, but it didn't is not a problem reconfigure in the vpn client. After the connection is established (vpn tunnel work) I can see my external network packets. But I Don t have any connection to the internal network. I erased my setup yesterday and tried to reconfigure ASA again. I didn t tested yesterday, because it was too late. And I know that I Don t have the authorization rule at present by the ACL. But I think I'm having the same problem again. (tunnel but no traffic). What I did wrong. Could someone let me know what I have to do today. With hope for your help Dimitri. ASA configuration after reset and basic configuration: works to the Internet from within the course. : Saved : Written by enable_15 to the CEDT 20:29:18.909 Sunday, August 29, 2010 ! ASA Version 8.2 (2) ! ciscoasa hostname activate 2KFQnbNIdI.2KYOU encrypted password 2KFQnbNIdI.2KYOU encrypted passwd names of ! interface Vlan1 nameif inside security-level 100 IP 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 PPPoE client vpdn group home IP address pppoe setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! boot system Disk0: / asa822 - k8.bin passive FTP mode clock timezone THATS 1 clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00 DNS domain-lookup outside DNS server-group DefaultDNS Server name 194.25.0.60 Server name 194.25.0.68 DM_INLINE_TCP_1 tcp service object-group port-object eq www EQ object of the https port inside_access_in list extended access permitted udp 192.168.1.0 255.255.255.0 no matter what eq field open a debug session inside_access_in list extended access permitted tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1 open a debug session inside_access_in list extended access deny ip any any debug log inside_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.0.0 255.255.0.0 permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.128 homegroup_splitTunnelAcl list standard access allowed 192.168.10.0 255.255.255.0 pager lines 24 Enable logging asdm of logging of information Outside 1500 MTU Within 1500 MTU IP local pool homepool 192.168.10.1 - 192.168.10.100 mask 255.255.255.0 ICMP unreachable rate-limit 1 burst-size 1 ASDM image disk0: / asdm-625 - 53.bin ASDM location 192.168.0.0 255.255.0.0 inside ASDM location 192.168.10.0 255.255.255.0 inside don't allow no asdm history ARP timeout 14400 Global 1 interface (outside) NAT (inside) 0-list of access inside_nat0_outbound NAT (inside) 1 0.0.0.0 0.0.0.0 inside_access_in access to the interface inside group Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-registration DfltAccessPolicy Enable http server http 192.168.1.0 255.255.255.0 inside
No snmp server location No snmp Server contact Server enable SNMP traps snmp authentication linkup, linkdown cold start Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac life crypto ipsec security association seconds 28800 Crypto ipsec kilobytes of life - safety 4608000 association crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP outside_map interface card crypto outside crypto ISAKMP allow outside crypto ISAKMP policy 10 preshared authentication 3des encryption sha hash Group 2 life 86400 Telnet timeout 5 SSH timeout 5 Console timeout 0 VPDN group home request dialout pppoe VPDN group House localname 04152886790 VPDN group House ppp authentication PAP VPDN username 04152886790 password 1 dhcpd outside auto_config ! dhcpd address 192.168.1.5 - 192.168.1.36 inside dhcpd allow inside ! a basic threat threat detection Statistics-list of access threat detection no statistical threat detection tcp-interception TFTP server 192.168.1.5 inside c:/tftp-root WebVPN Group Policy inner residential group attributes of the strategy of group home group value of 192.168.1.1 DNS server Protocol-tunnel-VPN IPSec Split-tunnel-policy tunnelspecified value of Split-tunnel-network-list homegroup_splitTunnelAcl username user01 encrypted password privilege 0 v5P40l1UGvtJa7Nn user01 username attributes VPN-strategy group home group tunnel-group home group type remote access attributes global-tunnel-group home group address homepool pool Group Policy - by default-homegroup tunnel-group group residential ipsec-attributes pre-shared-key ciscotest ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns preset_dns_map parameters maximum message length automatic of customer message-length maximum 512 Policy-map global_policy class inspection_default inspect the preset_dns_map dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect esmtp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp Review the ip options ! global service-policy global_policy context of prompt hostname Cryptochecksum:930e6cddf25838e47ef9633dc2f07acb : end Hello Normally, you want a static public IP address on the ASA to allow it to receive connections from VPN clients (avoid to change the IP address all the time). If you connect via VPN, check the following: 1. the tunnel is established: HS cry isa his Must say QM_IDLE or MM_ACTIVE 2 traffic is flowing (encrypted/decrypted): HS cry ips its 3. Enter the command: management-access inside And check if you can PING the inside ASA VPN client IP. 4. check that the default gateway for the LAN internal ASA within intellectual property (or there is a road to the ASA to send traffic to the VPN clients). Federico. AnyConnect VPN for Cisco ASA 5505 refused connections I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config: interface Vlan2 access-group inside_access_in in interface inside webvpn group-policy DfltGrpPolicy attributes policy-map global_policy When I try to connect, I get this error in the real-time log viewer: TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443 Here are the details of the license: Licensed features for this platform: This platform has a Base license. Can someone tell me what I am doing wrong or what access list I'm missing? I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great. Hi Matt, You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure: WebVPN tunnel-group-list activate Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group. HTH Herbert IPSec VPN between Cisco ASA and Fortigate1000 Hello I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000... the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG... The question is: How do I configure the interface on the SAA ACCORD? Thanks in advance, Experts... Kind regards... ASA firewall does not support the interface/GRE GRE tunnel. If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS. If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA: http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml Hope that helps. Cisco ASA 5505 and comodo SSL certificate Hey all,. I'm having a problem with setting up the piece of Certificate SSL of Cisco AnyConnect VPN. I bought the certificate and installed it via the ASDM under Configuration > VPN remote access > Certificate Management > identity certificates. I also placed the piece of 2 CA under the CA certificates. I have http redirect to https and under my browser, it is green. Once the AnyConnect client installs and automatically connect I get no error or anything. The minute I disconnect and try to reconnect again, I get the "VPN Server untrusted certificates! ' which is not true because the connection information to be https://vpn.mydomain.com and the SSL certificate is configured as vpn.mydomain.com. On that note, it lists the IP address instead of the vpn.mydomain.com as the unreliable piece of this. Now of course I don't have the IP as part of the SSL-cert, just the web address. On the side of the web, I have a record A Setup to go from vpn.mydomain.com to the IP address of the Cisco ASA. What I'm missing here? I can post config if anyone needs. (My Version of the Software ASA is 9.0 (2) and ASDM Version 7.1 (2)) Yes that's correct. technically, it will take you to EKU as keys to authenticate server who was a little forced in version 3.1. But eventually, he was taken away. If you get no error using the browser and ot only comes with the anyconnect client. Most likely, you do not have to configured values. I can confirm that if you can share the fqdn with me also, you can try the upgrade and check it out. Thank you Bad Boy Hi, we just got router ISR4331. We will use this router to our datacenter as pummel hub. Not to mention that it will be the static IP address. Our goal is to connect 30 small offices to the Datacenter by VPN site-to-site. All of our offices a RV042 router and DSL connection, so dynamic public IP. How to accomplish this task. Before the VPN connection is stable and the need not to configure tunnels frequently. Thank you GM Hello Please check the config below: HUBS: crypto ISAKMP policy 1
Cisco ASA 5505 site for multiple subnet of the site. Hello. I need help to configure my cisco asa 5505. I set up a VPN between two ASA 5505 tunnel Site 1: Subnet 192.168.77.0 Site 2: Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0 What I need help: Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0 And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0 Vlan480 is used for phones. In vlan480, we have a PABX. Is this possible to do? Any help would be much appreciated! Config site 2: : Saved : ASA Version 7.2 (2) ! ciscoasa hostname domain default.domain.invalid activate the password encrypted x names of name 192.168.1.250 DomeneServer name of 192.168.1.10 NotesServer name 192.168.1.90 Steadyily name 192.168.1.97 TerminalServer name 192.168.1.98 eyeshare w8 name 192.168.50.10 w8-print name 192.168.1.94 w8 - app name 192.168.1.89 FonnaFlyMedia ! interface Vlan1 nameif Vlan1 security-level 100 IP 192.168.200.100 255.255.255.0 OSPF cost 10 ! interface Vlan2 nameif outside security-level 0 IP address 79.x.x.226 255.255.255.224 OSPF cost 10 ! interface Vlan400 nameif vlan400 security-level 100 IP 192.168.1.1 255.255.255.0 OSPF cost 10 ! interface Vlan450 nameif Vlan450 security-level 100 IP 192.168.210.1 255.255.255.0 OSPF cost 10 ! interface Vlan460 nameif Vlan460-SuldalHotell security-level 100 IP 192.168.2.1 255.255.255.0 OSPF cost 10 ! interface Vlan461 nameif Vlan461-SuldalHotellGjest security-level 100 address 192.168.3.1 IP 255.255.255.0 OSPF cost 10 ! interface Vlan462 Vlan462-Suldalsposten nameif security-level 100 192.168.4.1 IP address 255.255.255.0 OSPF cost 10 ! interface Vlan470 nameif vlan470-Kyrkjekontoret security-level 100 IP 192.168.202.1 255.255.255.0 OSPF cost 10 ! interface Vlan480 nameif vlan480 Telefoni security-level 100 address 192.168.20.1 255.255.255.0 OSPF cost 10 ! interface Vlan490 nameif Vlan490-QNapBackup security-level 100 IP 192.168.10.1 255.255.255.0 OSPF cost 10 ! interface Vlan500 nameif Vlan500-HellandBadlands security-level 100 192.168.30.1 IP address 255.255.255.0 OSPF cost 10 ! interface Vlan510 Vlan510-IsTak nameif security-level 100 192.168.40.1 IP address 255.255.255.0 OSPF cost 10 ! interface Vlan600 nameif Vlan600-SafeQ security-level 100 192.168.50.1 IP address 255.255.255.0 OSPF cost 10 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 switchport access vlan 500 switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610 switchport mode trunk ! interface Ethernet0/3 switchport access vlan 490 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd encrypted x passive FTP mode clock timezone WAT 1 DNS server-group DefaultDNS domain default.domain.invalid permit same-security-traffic inter-interface permit same-security-traffic intra-interface Lotus_Notes_Utgaaande tcp service object-group UT og Frim Notes Description til alle area of port-object eq port-object eq ftp port-object eq www EQ object of the https port port-object eq lotusnotes EQ Port pop3 object EQ pptp Port object EQ smtp port object Lotus_Notes_inn tcp service object-group Description of the inn og alle til Notes port-object eq www port-object eq lotusnotes EQ Port pop3 object EQ smtp port object object-group service Reisebyraa tcp - udp 3702 3702 object-port Beach 5500 5500 object-port Beach range of object-port 9876 9876 object-group service Remote_Desktop tcp - udp Description Tilgang til Remote Desktop
3389 3389 port-object range object-group service Sand_Servicenter_50000 tcp - udp Description program tilgang til sand service AS object-port range 50000 50000 VNC_Remote_Admin tcp service object-group
Description Fra ¥ oss til alle 5900 5900 port-object range object-group service Printer_Accept tcp - udp 9100 9100 port-object range port-object eq echo ICMP-type of object-group Echo_Ping echo ICMP-object response to echo ICMP-object object-group service Print tcp 9100 9100 port-object range FTP_NADA tcp service object-group Suldalsposten NADA tilgang description port-object eq ftp port-object eq ftp - data Telefonsentral tcp service object-group Hoftun description port-object eq ftp port-object eq ftp - data port-object eq www EQ object of the https port port-object eq telnet Printer_inn_800 tcp service object-group Fra 800 thought-out og inn til 400 port 7777 description range of object-port 7777 7777 Suldalsposten tcp service object-group Description send av mail hav Mac Mail at - Ã ¥ nrep smtp EQ Port pop3 object EQ smtp port object http2 tcp service object-group Beach of port-object 81 81 object-group service DMZ_FTP_PASSIVE tcp - udp 55536 56559 object-port Beach object-group service DMZ_FTP tcp - udp 20 21 object-port Beach object-group service DMZ_HTTPS tcp - udp Beach of port-object 443 443 object-group service DMZ_HTTP tcp - udp 8080 8080 port-object range DNS_Query tcp service object-group of domain object from the beach object-group service DUETT_SQL_PORT tcp - udp Description for a mellom andre og duett Server nett 54659 54659 object-port Beach outside_access_in of access allowed any ip an extended list outside_access_out of access allowed any ip an extended list vlan400_access_in list extended access deny ip any host 149.20.56.34 vlan400_access_in list extended access deny ip any host 149.20.56.32 vlan400_access_in of access allowed any ip an extended list Vlan450_access_in list extended access deny ip any host 149.20.56.34 Vlan450_access_in list extended access deny ip any host 149.20.56.32 Vlan450_access_in of access allowed any ip an extended list Vlan460_access_in list extended access deny ip any host 149.20.56.34 Vlan460_access_in list extended access deny ip any host 149.20.56.32 Vlan460_access_in of access allowed any ip an extended list vlan400_access_out list extended access permit icmp any any Echo_Ping object-group vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600 vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT Vlan500_access_in list extended access deny ip any host 149.20.56.34 Vlan500_access_in list extended access deny ip any host 149.20.56.32 Vlan500_access_in of access allowed any ip an extended list vlan470_access_in list extended access deny ip any host 149.20.56.34 vlan470_access_in list extended access deny ip any host 149.20.56.32 vlan470_access_in of access allowed any ip an extended list
Vlan490_access_in list extended access deny ip any host 149.20.56.34 Vlan490_access_in list extended access deny ip any host 149.20.56.32 Vlan490_access_in of access allowed any ip an extended list Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group Vlan1_access_out of access allowed any ip an extended list Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop Vlan1_access_out deny ip extended access list a whole Vlan1_access_out list extended access permit icmp any any echo response Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group
Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group vlan470_access_out list extended access permit icmp any any Echo_Ping object-group vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group vlan480_access_out of access allowed any ip an extended list Vlan510_access_in of access allowed any ip an extended list Vlan600_access_in of access allowed any ip an extended list Vlan600_access_out list extended access permit icmp any one Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www Vlan600_access_in_1 of access allowed any ip an extended list Vlan461_access_in of access allowed any ip an extended list Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0 outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0 outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0 access-list Vlan462-Suldalsposten_access_in extended ip allowed any one access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one pager lines 24 Enable logging asdm of logging of information MTU 1500 Vlan1 Outside 1500 MTU vlan400 MTU 1500 MTU 1500 Vlan450 MTU 1500 Vlan460-SuldalHotell MTU 1500 Vlan461-SuldalHotellGjest vlan470-Kyrkjekontoret MTU 1500 MTU 1500 vlan480-Telefoni MTU 1500 Vlan490-QNapBackup MTU 1500 Vlan500-HellandBadlands MTU 1500 Vlan510-IsTak MTU 1500 Vlan600-SafeQ MTU 1500 Vlan462-Suldalsposten no failover Monitor-interface Vlan1 interface of the monitor to the outside the interface of the monitor vlan400 the interface of the monitor Vlan450 the interface of the Vlan460-SuldalHotell monitor the interface of the Vlan461-SuldalHotellGjest monitor the interface of the vlan470-Kyrkjekontoret monitor Monitor-interface vlan480-Telefoni the interface of the Vlan490-QNapBackup monitor the interface of the Vlan500-HellandBadlands monitor Monitor-interface Vlan510-IsTak Monitor-interface Vlan600-SafeQ the interface of the monitor Vlan462-Suldalsposten ICMP unreachable rate-limit 1 burst-size 1 ASDM image disk0: / asdm - 522.bin don't allow no asdm history ARP timeout 14400 Global 1 interface (outside)
vlan400_nat0_outbound (vlan400) NAT 0 access list NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0 NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0 NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0 NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0 NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0 NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0 NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0 static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255 static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255 static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255 static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232 static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255
static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236 static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0 (Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0 (vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0 (vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0 static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255 static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0 static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0 Access-group interface Vlan1 Vlan1_access_out Access-group outside_access_in in interface outside Access-group outside_access_out outside interface Access-group vlan400_access_in in the vlan400 interface vlan400_access_out group access to the interface vlan400 Access-group Vlan450_access_in in the Vlan450 interface Access-group interface Vlan450 Vlan450_access_out Access-group interface Vlan460-SuldalHotell Vlan460_access_in Access-group interface Vlan460-SuldalHotell Vlan460_access_out Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret vlan470_access_out access to the interface vlan470-Kyrkjekontoret group access to the interface vlan480-Telefoni, vlan480_access_out group Access-group interface Vlan490-QNapBackup Vlan490_access_in Access-group interface Vlan490-QNapBackup Vlan490_access_out Access-group interface Vlan500-HellandBadlands Vlan500_access_in Access-group interface Vlan500-HellandBadlands Vlan500_access_out Access-group interface Vlan510-IsTak Vlan510_access_in Access-group interface Vlan510-IsTak Vlan510_access_out Access-group Vlan600_access_in_1 interface Vlan600-SafeQ Access-group Vlan600_access_out interface Vlan600-SafeQ Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1 Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout, uauth 0:05:00 absolute x x encrypted privilege 15 password username the ssh LOCAL console AAA authentication Enable http server http 192.168.210.0 255.255.255.0 Vlan450 http 192.168.200.0 255.255.255.0 Vlan1 http 192.168.1.0 255.255.255.0 vlan400 No snmp server location
No snmp Server contact SNMP-Server Community public Server enable SNMP traps snmp authentication linkup, linkdown cold start Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac card crypto outside_map 20 match address outside_20_cryptomap_1 card crypto outside_map 20 set pfs peer set card crypto outside_map 20 62.92.159.137 outside_map crypto 20 card value transform-set ESP-3DES-SHA outside_map interface card crypto outside crypto ISAKMP allow outside ISAKMP crypto enable vlan400 crypto ISAKMP policy 10 preshared authentication 3des encryption sha hash Group 2 life 86400 tunnel-group 62.92.159.137 type ipsec-l2l IPSec-attributes tunnel-group 62.92.159.137 pre-shared-key *. Telnet 192.168.200.0 255.255.255.0 Vlan1 Telnet 192.168.1.0 255.255.255.0 vlan400 Telnet timeout 5 SSH 171.68.225.216 255.255.255.255 outside SSH timeout 5 Console timeout 0 dhcpd update dns both ! dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1 ! dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface ! dhcpd address 192.168.1.100 - 192.168.1.225 vlan400 dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400 dhcpd option 3 ip 192.168.1.1 interface vlan400
vlan400 enable dhcpd ! dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450 dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450 dhcpd ip interface 192.168.210.1 option 3 Vlan450 enable Vlan450 dhcpd ! dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell dhcpd enable Vlan460-SuldalHotell ! dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest dhcpd enable Vlan461-SuldalHotellGjest ! dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret dhcpd enable vlan470-Kyrkjekontoret ! dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni ! dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup ! dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands dhcpd enable Vlan500-HellandBadlands ! dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface Vlan510-IsTak enable dhcpd ! dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ Vlan600-SafeQ enable dhcpd ! dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1 Vlan462-Suldalsposten enable dhcpd ! ! ! ! type of policy-card inspect dns preset_dns_map parameters message-length maximum 512 ! context of prompt hostname Cryptochecksum:x : end Site 1 config: : Saved : ASA Version 7.2 (4) ! ciscoasa hostname domain default.domain.invalid activate the password encrypted x passwd encrypted x names of ! interface Vlan1 nameif inside security-level 100 IP 192.168.77.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 PPPoE Telenor customer vpdn group IP address pppoe setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 !
interface Ethernet0/4 ! interface Ethernet0/5 switchport access vlan 15 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passive FTP mode DNS server-group DefaultDNS domain default.domain.invalid outside_access_in list extended access permit icmp any any disable log echo-reply access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0 access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 24 asdm of logging of information Within 1500 MTU Outside 1500 MTU ICMP unreachable rate-limit 1 burst-size 1 ASDM image disk0: / asdm - 524.bin don't allow no asdm history ARP timeout 14400 Global 1 interface (outside) NAT (inside) 0-list of access inside_nat0_outbound NAT (inside) 1 0.0.0.0 0.0.0.0 Access-group outside_access_in in interface outside Timeout xlate 03:00 Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00 Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00 Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute Enable http server http 192.168.77.0 255.255.255.0 inside http 192.168.1.0 255.255.255.0 inside No snmp server location No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac card crypto outside_map 1 match address outside_1_cryptomap card crypto outside_map 1 set pfs peer set card crypto outside_map 1 79.160.252.226 card crypto outside_map 1 set of transformation-ESP-3DES-SHA outside_map interface card crypto outside crypto ISAKMP allow inside crypto ISAKMP allow outside crypto ISAKMP policy 10 preshared authentication 3des encryption sha hash Group 2 life 86400 Telnet 192.168.77.0 255.255.255.0 inside Telnet timeout 5 SSH timeout 5 Console timeout 0 VPDN group Telenor request dialout pppoe VPDN group Telenor localname x VPDN group Telenor ppp authentication chap VPDN x x local store password username dhcpd outside auto_config ! dhcpd address 192.168.77.100 - 192.168.77.130 inside dhcpd dns 192.168.77.1 on the inside interface dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside dhcpd allow inside ! dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface ! tunnel-group 79.160.252.226 type ipsec-l2l IPSec-attributes tunnel-group 79.160.252.226 pre-shared-key *. ! class-map inspection_default match default-inspection-traffic ! ! type of policy-card inspect dns preset_dns_map parameters message-length maximum 512 Policy-map global_policy class inspection_default inspect the preset_dns_map dns inspect the ftp inspect h323 h225 inspect the h323 ras inspect the rsh inspect the rtsp inspect esmtp inspect sqlnet inspect the skinny inspect sunrpc inspect xdmcp inspect the sip inspect the netbios inspect the tftp ! global service-policy global_policy context of prompt hostname Cryptochecksum:x : end Hello The addition of a new network to the existing VPN L2L should be a fairly simple process. Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection. Looking at your configurations above it would appear that you need to the following configurations SITE 1 access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0
access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0 SITE 2 outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0 Comment by VLAN480-NAT0 NAT0 for VPN access-list access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0 NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni) These configurations should pretty much do the trick. Let me know if it worked -Jouni CISCO ASA 5505 no cisco VPN Client Hello I'm looking for after a firewall Cisco ASA 5505 and want to watch all the owners of it with remote access in but none of us have a support contract with Cisco. Is it possible to set up a VPN client not as Microsoft built the client to connect to the ASA? Thank you Alamb200 Hello Looking for a PPTP on ASA connection? The following document provides the following: ASA q support PPTP client? A. number of the But we can configure ASA to allow the PPTP connection: I hope this helps. Kind regards Anisha P.S.: Please mark this thread as answered if you feel that your request is answered. Note the useful messages. LAN to Lan tunnel between ASA 5505 and 3030. I am unable to build a tunnel vpn site-to-site between an ASA 5505 and our Cisco 3030. I tried all possible combinations except one that will work. I am able to ping each peer on the other site. Someone at - it a config between two tunnels of Lan to Lan to work between a 5505 and 3030 that works. Thank you Hello Please visit this link using config: http://www.Cisco.com/c/en/us/support/docs/security/VPN-3000-series-conce... Kind regards Aditya Please evaluate the useful messages. How to remove updated iOS uninstalled 9.3.2 iPad 9.7 pro wworried I could install accidentally last iOS Update 9.3.2. You want to delete the update is uninstalled. Can not find the way to remove. Thank you Satellite C50 - B - 14 d - Windows 10 UEFI/MSC (and USB support) Microsoft now offer Windows 10 free download(although for the moment they call it Windows Technical Preview). I have it on my laptop C50 - B - 14 d. There are 2 separate but, I think, related problems. First of all, back on the Windows 8 Toshiba Offi What is the auxiliary pins use in 6602 counter card I want to know the use of pins 6602 counter\timer auxiliary card. Windows 98 is able to connect to a wireless connection? Wireless router for Windows 98 Machines I have an old Windows 98 machine and want to connect to my wireless router Lybnksys with a lan cable to upgrade the computer via the internet/downloads. How can I communicate with the router for Windows 98? What is the borlndmm.dat I can not download I tune, the message says: borlndmm.dat is missing. To resolve this problem, need to reinstall the application, but I can't do it because I don't have this app. How can I solve this problem?
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 66.250.45.2 source outdoors
NTP server 72.18.205.157 source outdoors
NTP server 208.53.158.34 source outdoors
WebVPN
attributes of Group Policy DfltGrpPolicy
VPN-idle-timeout no
username admin password
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
!
context of prompt hostname
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: endSimilar Questions
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:26.793 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:31:26.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:26.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:26.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:36.793 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:31:36.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:36.793: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:36.793 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:31:44.929 4 August: ISAKMP: (0): serving SA., its is 88961 B 34, delme is 88961 B 34
* 4 August 09:31:46.793: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:46.793 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 09:31:46.793 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:31:46.793: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:31:46.793 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:31:46.793 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:31:46.793 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:31:46.793 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:31:46.793 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA
* 09:31:47.805 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 09:31:47.805 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:31:47.805 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004819
* 09:31:47.805 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:31:47.805 4 August: ISAKMP: (0): client configuration parameters 87531228 adjustment
* 09:31:47.805 4 August: ISAKMP: 500 local port, remote port 500
* 09:31:47.805 4 August: ISAKMP: find a dup her to the tree during his B 88961, 34 = isadb_insert call BVA
* 4 August 09:31:47.805: ISAKMP: (0): set up client mode.
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:31:47.805: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:31:47.805: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:31:47.805: ISKAMP: more send buffer from 1024 to 3072
* 09:31:47.805 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:31:47.805 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:31:47.805 4 August: ISAKMP: (0): the total payload length: 24
* 09:31:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:31:47.809 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1
* 4 August 09:31:47.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:47.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:31:57.809 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:31:57.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:31:57.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:31:57.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:07.809 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:32:07.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:07.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:07.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:17.809 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:32:17.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:17.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:17.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:27.809 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:32:27.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:27.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:27.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:37.809 4 August: ISAKMP (0): increment the count of errors on his, try 5 of 5: retransmit the phase 1
* 4 August 09:32:37.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:37.809: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:37.809 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 09:32:46.793 4 August: ISAKMP: (0): serving SA., his is 872E1504, delme is 872E1504
* 4 August 09:32:47.809: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:47.809 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 09:32:47.809 4 August: % CRYPTO-6-EZVPN_CONNECTION_DOWN: user (customer) = group = Youth_Facility_2 Server_public_addr = 1.1.1.1
* 4 August 09:32:47.809: ISAKMP:isadb_key_addr_delete: no key for address 1.1.1.1 (root NULL)
* 09:32:47.809 4 August: ISAKMP: (0): removal of reason ITS status of 'Death by retransmission P1' (I) AG_INIT_EXCH (peer 1.1.1.1)
* 09:32:47.809 4 August: ISAKMP: Unlocking counterpart struct 0x8AA90C50 for isadb_mark_sa_deleted(), count 0
* 09:32:47.809 4 August: ISAKMP: delete peer node by peer_reap for 1.1.1.1: 8AA90C50
* 09:32:47.809 4 August: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 09:32:47.809 4 August: ISAKMP: (0): former State = new State IKE_I_AM1 = IKE_DEST_SA
* 09:32:48.909 4 August: ISAKMP: (0): the peer is not paranoid KeepAlive.
* 09:32:48.909 4 August: ISAKMP: created a struct peer 1.1.1.1, peer port 500
* 09:32:48.909 4 August: ISAKMP: new created position = 0x8AA90C50 peer_handle = 0 x 80004818
* 09:32:48.909 4 August: ISAKMP: lock struct 0x8AA90C50, refcount 1 to peer isakmp_initiator
* 09:32:48.909 4 August: ISAKMP: (0): client setting Configuration parameters 88C05A48
* 09:32:48.909 4 August: ISAKMP: 500 local port, remote port 500
* 09:32:48.909 4 August: ISAKMP: find a dup her to the tree during the isadb_insert his 87B57D38 = call BVA
* 4 August 09:32:48.909: ISAKMP: (0): set up client mode.
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-07 ID NAT - t
* 4 August 09:32:48.909: ISAKMP: (0): built of NAT - T of the seller-03 ID
* 4 August 09:32:48.909: ISAKMP: (0): built the seller-02 ID NAT - t
* 4 August 09:32:48.909: ISKAMP: more send buffer from 1024 to 3072
* 09:32:48.913 4 August: ISAKMP: (0): ITS been pre-shared key and XAUTH authentication using id ID_KEY_ID type
* 09:32:48.913 4 August: ISAKMP (0): payload ID
next payload: 13
type: 11
Group ID: Youth_Facility_2
Protocol: 17
Port: 0
Length: 24
* 09:32:48.913 4 August: ISAKMP: (0): the total payload length: 24
* 09:32:48.913 4 August: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
* 09:32:48.913 4 August: ISAKMP: (0): former State = new State IKE_READY = IKE_I_AM1
* 4 August 09:32:48.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:48.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:32:58.913 4 August: ISAKMP (0): increment the count of errors on his, try 1 5: retransmit the phase 1
* 4 August 09:32:58.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:32:58.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:32:58.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:08.913 4 August: ISAKMP (0): increment the count of errors on his, try 2 of 5: retransmit the phase 1
* 4 August 09:33:08.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:08.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:08.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:18.913 4 August: ISAKMP (0): increment the count of errors on his, try 3 of 5: retransmit the phase 1
* 4 August 09:33:18.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:18.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:18.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH...
* 09:33:28.913 4 August: ISAKMP (0): increment the count of errors on his, try 4 out 5: retransmit the phase 1
* 4 August 09:33:28.913: ISAKMP: (0): transmit phase 1 AG_INIT_EXCH
* 4 August 09:33:28.913: ISAKMP: (0): 1.1.1.1 package sending 500 peer_port 500 (I) my_port AG_INIT_EXCH
* 09:33:28.913 4 August: ISAKMP: (0): sending a packet IPv4 IKE.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112075-dynamic-IPSec-ASA-router-CCP.html
http://www.WatchGuard.com/docs/4-6-Firebox-CiscoPix.PDF
Dinesh Moudgil
VLAN 20 - 0/1 = untagged
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
BA 3des
!
BA 3des
!
Maybe you are looking for