Site to Site VPN connection
I have trouble getting a site-to-site connection working between a site that I own and a vendor at a distance (neither of us are experts).
Can someone tell me what we are missing?
Ok
I hope I understood the situation correctly.
With the changes below, all your LAN traffic should flow through the L2L VPN connection to the remote site. However, I can't say what happens to the traffic from there on. Internet traffic should work just fine.
Your ASA site:

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

access-list INSIDE-NAT0 remark NAT0 for VPN L2L traffic
access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 any
nat (inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor's ASA site:

same-security-traffic permit intra-interface
access-list siteA extended permit ip any 10.4.200.0 255.255.248.0
no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0
nat (outside) 1 10.4.200.0 255.255.248.0
This should forward traffic from your site to the remote site whenever the destination address of the connection is anything other than your own LAN.
It should also allow your site to use the remote site ASA's Internet connection, since we allow traffic to make a U-turn on the remote ASA's "outside" interface and dynamic NAT to the "outside" interface IP address is in place as well.
-Jouni
Similar Questions
-
Multiple site to site VPN connections
Hello.
I've finally set up a site-to-site VPN connection and now wonder how I can configure multiple connections that are reachable from different VLANs,
so that VLAN1 uses one tunnel and VLAN2 another.
Best regards Tommy Svensson
Configuration so far:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key vpnkey address ?.206
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description site 2 site
 set peer ?.206
 set security-association lifetime kilobytes 4000
 set transform-set VPN
 set pfs group5
 match address 100

access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Hi Tommy
To complement Marcin's comments, something like this should help (obviously you need to change the IP addresses accordingly).
crypto map VPNMAP 10 ipsec-isakmp
 description site 2 site
 set peer ?.206
 set security-association lifetime kilobytes 4000
 set transform-set VPN
 set pfs group5
 match address 100
!
crypto map VPNMAP 20 ipsec-isakmp
 description site-2-site no. 2
 set peer ?
 set security-association lifetime kilobytes 4000
 set transform-set VPN
 set pfs group5
 match address 101

access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255
Barry
-
Cisco 1921 router: internet problem with a site-to-site VPN connection
I have TE-Data 3Com DSL modem connections at 2 sites and 2 Cisco 1921 routers, and there is a site-to-site VPN between them;
the VPN connection works well. I configured PAT on one of them to allow users to access the internet, but there is a problem:
all users can ping a public IP address,
all users can ping any URL,
but there is no web browsing.
Here is the configuration:
NOZHA#sh run
Building configuration...

Current configuration : 2425 bytes
!
! Last configuration change at 11:24:08 UTC Thu Sep 20 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NOZHA
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp pool 1
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 4.2.2.2 8.8.8.8
 lease infinite
!
!
ip domain name shady2012
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1432C5KM
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key shady2012 address 81.10.xxx.yy
!
!
crypto ipsec transform-set shady2012 esp-aes esp-sha-hmac
!
crypto map s2s-vpn 150 ipsec-isakmp
 set peer 81.10.xxx.yy
 set pfs group2
 match address s2s-vpn-Oly
!
!
!
!
!
interface GigabitEthernet0/0
 mtu 1000
 ip address 41.41.xx.yy 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map s2s-vpn
!
!
interface GigabitEthernet0/1
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
ip default-gateway 41.41.xx.yy
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat source list mypool interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 41.41.xx.yy
ip route 192.168.20.0 255.255.255.0 41.41.xx.yy
ip route 192.168.30.0 255.255.255.0 41.41.xx.yy
!
ip access-list extended mypool
 deny   ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended s2s-vpn-Oly
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
end

If anyone has the answer, please answer ASAP.
When you say you can ping any URL, I am assuming that you are pinging the full domain name, i.e. it is resolved to an IP address, right?
If you disable the VPN, can you access the internet?
Do you have a proxy server or anything else that could block browsing?
What error message do you get in your web browser?
Also, have you tried another web browser, and does none of them work?
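The same requirement underlies Jouni's NAT0 advice in the first thread and the mypool / s2s-vpn-Oly pair in the 1921 configuration above: every flow the crypto ACL selects for the tunnel must be excluded from NAT, otherwise it is translated before encryption and never matches the tunnel. The script below is an added example (mine, not code from any of the posts) that parses both ACL styles and lists the crypto-ACL entries that would still be translated. The sample ACL text is copied from the posted configurations; the function names are my own.

```python
"""Check that traffic selected by a crypto ACL is exempted from NAT.

Two conventions appear in the threads above and both are handled:
  * IOS: the NAT ACL is a permit/deny list with wildcard masks; a flow is
    exempt when its first match is a 'deny' (or nothing matches).
  * ASA 8.2 'nat (inside) 0 access-list X': netmask syntax; a flow is
    exempt only when X permits it.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _net(addr, mask, wildcard):
    """Build a network from an address plus netmask (ASA) or wildcard (IOS)."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= ALL_ONES
    prefix = bin(m).count("1")
    if m != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError("non-contiguous mask %s" % mask)
    return ipaddress.ip_network((addr, prefix), strict=False)


def _endpoint(tok, wildcard):
    """Consume one ACL endpoint (any | host A | A MASK); return (net, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return _net(tok[0], tok[1], wildcard), tok[2:]


def parse_acls(text, wildcard):
    """Return {name: [(action, src_net, dst_net), ...]} for 'ip' entries only."""
    acls, name = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "access-list"]:       # IOS named ACL header
            name = tok[3]
            continue
        if tok[0] == "access-list":                 # ASA one-line form
            name, tok = tok[1], tok[2:]
            if tok and tok[0] == "extended":
                tok = tok[1:]
        if name is None or len(tok) < 2 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue                                # remarks, 'no' lines, non-IP entries
        src, rest = _endpoint(tok[2:], wildcard)
        dst, _ = _endpoint(rest, wildcard)
        acls.setdefault(name, []).append((tok[0], src, dst))
    return acls


def _first_match(entries, src, dst):
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def unexempted(crypto, nat, exempt_action):
    """Crypto-ACL permits that would still be translated.

    exempt_action is 'deny' for an IOS NAT ACL and 'permit' for an ASA NAT0
    ACL. Coverage is checked conservatively: the NAT entry must contain the
    whole crypto entry, so partial overlaps are reported as well.
    """
    bad = []
    for action, src, dst in crypto:
        if action != "permit":
            continue
        hit = _first_match(nat, src, dst)
        exempt = (hit == exempt_action) if hit else (exempt_action == "deny")
        if not exempt:
            bad.append((str(src), str(dst)))
    return bad


# Constructed from the 1921 thread (IOS, wildcard masks).
IOS_ACLS = """
ip access-list extended mypool
 deny   ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any
ip access-list extended s2s-vpn-Oly
 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

# Constructed from the first thread (ASA 8.2 syntax); the NAT0 entry is the
# one Jouni's answer adds.
ASA_ACLS = """
access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
access-list INSIDE-NAT0 remark NAT0 for VPN L2L traffic
access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 any
"""


def check_ios():
    acls = parse_acls(IOS_ACLS, wildcard=True)
    return unexempted(acls["s2s-vpn-Oly"], acls["mypool"], "deny")


def check_asa(with_nat0=True):
    text = ASA_ACLS if with_nat0 else ASA_ACLS.replace(
        "access-list INSIDE-NAT0 extended", "! removed:")
    acls = parse_acls(text, wildcard=False)
    return unexempted(acls["siteA"], acls.get("INSIDE-NAT0", []), "permit")


if __name__ == "__main__":
    print("1921 crypto entries still NATed:", check_ios())
    print("ASA with NAT0:", check_asa(), "without NAT0:", check_asa(with_nat0=False))
```

On the 1921 ACLs the script flags the two crypto entries written in the return direction (192.168.30.0/24 to 192.168.40.0/24 and 192.168.20.0/24 to 192.168.21.0/24), which no deny in mypool covers; on the ASA pair it reports nothing while the INSIDE-NAT0 entry is present and reports the siteA entry once that line is dropped.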
-
Configuring a site-to-site VPN connection via GRE tunnels
I am trying to set up a site-to-site VPN over the internet using GRE tunnels. I am able to reach one WAN interface from the other, but I am not able to get ISAKMP and IPsec to work. Below are the configuration and a simplified diagram. In the scenario below I am also running BGP between these routers; the BGP neighborships are formed through the tunnels, but I want the traffic between the tunnels to be encrypted. IPsec and ISAKMP are not running, so BGP routes and other traffic are not encrypted.
This is why I would like to know what the reason for this could be.
Router config VPN 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.20.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.20.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.30.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.30.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.40.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.40.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.20.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.20.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.1 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64851
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64859
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64859
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.10.1 peer-group BGP_PEER_1
 neighbor 192.168.10.2 peer-group BGP_PEER_2
!
ip route 192.168.10.1 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 Tunnel1
ip route 192.168.20.1 255.255.255.255 GigabitEthernet0
ip route 192.168.20.2 255.255.255.255 GigabitEthernet0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
======================================================================
Router config VPN 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.30.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.30.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.20.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.20.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.10.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.10.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.30.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.30.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.2 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64859
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64851
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64851
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.40.1 peer-group BGP_PEER_1
 neighbor 192.168.40.2 peer-group BGP_PEER_2
!
ip route 192.168.40.1 255.255.255.255 Tunnel0
ip route 192.168.40.2 255.255.255.255 Tunnel1
ip route 192.168.30.1 255.255.255.255 gi0
ip route 192.168.30.2 255.255.255.255 gi0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
======================================================================
Your tunnel encryption configuration is incorrect... you need to do something like the following at both ends.

crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key cisco address
!
crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set RIGHT
!
interface Tunnel10
 ip unnumbered gig0/0
 tunnel source gig0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
--
Please do not forget to select a correct answer and rate useful posts
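The reply above says the tunnel encryption side of the configuration is wrong without saying where. One mechanical check a practitioner would run first on a crypto-map based GRE-over-IPsec setup is whether the ISAKMP key addresses, the crypto map's set peer addresses and the tunnel destinations all name the same remote endpoint, and whether that endpoint is the other router's tunnel source. The script below is an added example (mine, not code from the post or its answer); its two sample inputs are the posted router configurations reduced to the lines the checks read, and the function names are my own. Run on the first router as posted, it lists the ISAKMP key addresses that match no set peer.

```python
"""Cross-check remote endpoint addresses in a crypto-map GRE-over-IPsec config.

For each tunnel, 'crypto isakmp key ... address X', 'set peer X' and
'tunnel destination X' must agree on X, and X must be a tunnel source of
the other router. Inputs below are the two posted configs, trimmed.
"""
import re

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
DEST_RE = re.compile(r"^\s*tunnel destination (\S+)", re.M)
SRC_RE = re.compile(r"^\s*tunnel source (\S+)", re.M)

# Constructed from "Router config VPN 1" above, relevant lines only.
ROUTER1 = """\
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.20.1
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.20.2
interface Loopback0
 ip address 192.168.30.1 255.255.255.255
interface Loopback1
 ip address 192.168.30.2 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 192.168.20.1
interface Tunnel1
 tunnel source Loopback1
 tunnel destination 192.168.20.2
"""

# Constructed from "Router config VPN 2" above, relevant lines only.
ROUTER2 = """\
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.30.1
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.30.2
interface Loopback0
 ip address 192.168.20.1 255.255.255.255
interface Loopback1
 ip address 192.168.20.2 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 192.168.30.1
interface Tunnel1
 tunnel source Loopback1
 tunnel destination 192.168.30.2
"""


def interface_addresses(config):
    """Map interface name -> IPv4 address from 'interface X' / ' ip address A M'."""
    addrs, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            current = tok[1]
        elif current and tok[:2] == ["ip", "address"]:
            addrs[current] = tok[2]
    return addrs


def local_endpoints(config):
    """Addresses this router sources its tunnels from (interface names resolved)."""
    addrs = interface_addresses(config)
    return {addrs.get(src, src) for src in SRC_RE.findall(config)}


def inconsistencies(config):
    """Remote addresses missing from any of the three places, with the places
    they are missing from. An empty list means the three agree."""
    places = {"isakmp-key": set(KEY_RE.findall(config)),
              "set-peer": set(PEER_RE.findall(config)),
              "tunnel-destination": set(DEST_RE.findall(config))}
    out = []
    for addr in sorted(set().union(*places.values())):
        missing = tuple(name for name, s in places.items() if addr not in s)
        if missing:
            out.append((addr, missing))
    return out


def peers_match(cfg_a, cfg_b):
    """True when each side's 'set peer' set is exactly the other side's tunnel sources."""
    return (set(PEER_RE.findall(cfg_a)) == local_endpoints(cfg_b)
            and set(PEER_RE.findall(cfg_b)) == local_endpoints(cfg_a))


if __name__ == "__main__":
    for name, cfg in (("Router 1", ROUTER1), ("Router 2", ROUTER2)):
        print(name, inconsistencies(cfg) or "consistent")
    print("set peer <-> tunnel source agree:", peers_match(ROUTER1, ROUTER2))
```

The peer/source pairing passes for the two posted routers; the per-router check is where the first router differs from the second, since its key entries name its own loopback addresses rather than the addresses it sets as peers.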
-
Help! Several problems setting up a site-to-site VPN connection
Recently I put an ASA 5505 at 3 sites and connected them with site-to-site VPN. I am able to connect HQ to the two offices without any problem, and each office connects as well. However, I can't connect the remote office to the Colo. Please see below for each office's configuration, and thanks for any experience you can share.
Remote office (Pri: 172.29.88.254; Pub: 173.190.234.138; Subnet: 172.29.88.0/24)
        |
        | (VPN)
        |
HQ office (Pri: 172.29.8.254; Pub: 173.111.222.140; Subnet: 172.29.8.0/24)
        |
        | (VPN)
        |
Colo (Pri: 172.29.168.254; Pub: 111.167.239.218; Subnet: 172.29.168.0/24)
HQ ASA5505 configuration:

ASA 4,0000 Version 1
!
hostname jtfw-AC
domain-name jollytech.com
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.8.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.111.222.140 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name jollytech.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service RDP
 service tcp source eq 3389
object network Orange
 host 172.29.8.151
object network WAN_173_111_222_138
 host 173.111.222.138
object service SMTP
 service tcp source eq smtp
object service PPTP
 service tcp source eq pptp
object service JT_WWW
 service tcp source eq www
object service JT_HTTPS
 service tcp source eq https
object network obj_lex
 subnet 172.29.88.0 255.255.255.0
 description Lexington office network
object network obj_HQ
 subnet 172.29.8.0 255.255.255.0
object network guava
 host 172.29.8.3
object network obj_HQVPN
 subnet 192.168.8.0 255.255.255.0
object network jt-fn68zv1
 host 172.29.8.71
object service JT_FTP
 service tcp source eq ftp
object network obj_colo
 subnet 172.29.168.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 192.168.8.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any inactive
access-list inside_access_in extended deny udp any any eq 135 inactive
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 173.111.222.138 eq 3389
access-list outside_access_in extended permit tcp any host 173.111.222.138 eq smtp
access-list outside_access_in extended permit tcp any host 173.111.222.138 eq pptp
access-list outside_access_in extended permit tcp any host 173.111.222.138 eq www
access-list outside_access_in extended permit tcp any host 173.111.222.138 eq https
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
access-list outside_cryptomap_1 extended permit ip object obj_HQ object obj_colo
access-list outside_cryptomap_1 extended permit ip object obj_lex object obj_colo
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging recipient-address [email protected]
logging host inside 172.29.8.89
mtu inside 1500
mtu outside 1500
ip local pool Jolly_HQVPN_DHCP 192.168.8.100-192.168.8.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static jt-fn68zv1 interface service JT_FTP JT_FTP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_HQVPN obj_HQVPN
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.111.222.142 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server guava protocol nt
aaa-server guava (inside) host 172.29.8.3
 timeout 15
 nt-auth-domain-controller guava
user-identity default-domain LOCAL
user-identity inactive-user-timer minutes 360
http server enable
http 172.29.8.0 255.255.255.0 inside
snmp-server host inside 172.29.8.89 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.190.234.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 111.167.239.218
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES AES192 AES256 3DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
!
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy Jolleytech_VPN internal
group-policy Jolleytech_VPN attributes
 dns-server value 172.29.8.3
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Tunnel_User
 default-domain value jollytech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username <username> password eicyrfJBrqOaxQvS encrypted
tunnel-group jollytech type remote-access
tunnel-group jollytech general-attributes
 address-pool Jolly_HQVPN_DHCP
 authentication-server-group guava
 default-group-policy Jolleytech_VPN
tunnel-group jollytech ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 111.167.239.218 type ipsec-l2l
tunnel-group 111.167.239.218 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 111.167.239.218 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group 173.190.234.138 type ipsec-l2l
tunnel-group 173.190.234.138 general-attributes
 default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.234.138 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
  inspect http
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2da829cf9fd3d4901e8131c2ae32b679
: end
Remote office ASA5505 configuration:

ASA Version 8.4(3)
!
hostname jtfw-lex
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.88.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.190.234.138 255.255.255.248
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service RDP
 service tcp source eq 3389
object service SMTP
 service tcp source eq smtp
object service PPTP
 service tcp source eq pptp
object service JT_WWW
 service tcp source eq www
object service JT_HTTPS
 service tcp source eq https
object network jt-dc01
 host 172.29.88.151
object network WAN_jt-dc01
 host 10.8.8.3
object network obj_lex
 subnet 172.29.88.0 255.255.255.0
 description Lexinton office network
object network obj_HQ
 subnet 172.29.8.0 255.255.255.0
 description Jollytech HQ network
object network obj_colo
 subnet 172.29.168.0 255.255.255.0
 description Jollytech colo network
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq netbios-ssn inactive
access-list inside_access_in extended deny tcp any eq netbios-ssn any inactive
access-list inside_access_in extended deny udp any eq 139 any
access-list inside_access_in extended deny udp any any eq 139
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq smtp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq pptp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq www
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq https
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list outside_cryptomap extended permit ip 172.29.88.0 255.255.255.0 object obj_HQ
access-list outside_cryptomap extended permit ip object obj_lex object obj_colo
access-list VPN_Tunnel_user standard permit 172.29.88.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.168.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 192.168.88.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool jolly_lex_DHCP 192.168.88.100-192.168.88.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service RDP RDP
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service JT_WWW JT_WWW
nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.190.234.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.29.88.0 255.255.255.0 inside
snmp-server host inside 172.29.88.30 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.111.222.140
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256 3DES
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet 172.29.88.0 255.255.255.0 inside
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd address 172.29.88.50 - 172.29.88.100 inside
dhcpd dns 172.29.8.3 166.102.165.11 interface inside
dhcpd jollytech.local area inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
internal GroupPolicy_173.164.222.140 group strategy
attributes of Group Policy GroupPolicy_173.164.222.140
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
name of user who has encrypted password JOYSoaqW4x32VHKB
tunnel-group 173.111.222.140 type ipsec-l2l
tunnel-group 173.111.222.140 general-attributes
Group - default policy - GroupPolicy_173.164.222.140
IPSec-attributes tunnel-group 173.111.222.140
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
remotely IKEv2 authentication certificate
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
Policy-map global_policy
class inspection_default
inspect the pptp
inspect the ftp
inspect the netbios
!
global service-policy global_policy
172.29.8.3 SMTP server
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:0a0cf040a1f0f979ff55f0ef7e15c452
: end
Colo configuration
ASA Version 8.4(3)
!
hostname jtfw-colo
domain-name jollytech.com
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.29.168.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.167.239.218 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name jollytech.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service RDP
 service tcp source eq 3389
object service SMTP
 service tcp source eq smtp
object service PPTP
 service tcp source eq pptp
object service JT_WWW
 service tcp source eq www
object service JT_HTTPS
 service tcp source eq https
object network obj_lex
 subnet 172.29.88.0 255.255.255.0
 description Lexington office network
object network obj_HQ
 subnet 172.29.8.0 255.255.255.0
 description Jollytech HQ network
object network guava
 host 172.29.8.3
object network obj_HQVPN
 subnet 192.168.8.0 255.255.255.0
 description Jollytech HQ VPN network
object network WAN_111_167_239_220
 host 111.167.239.220
object network jt-dc01
 host 172.29.168.3
object network jt-exch2010
 host 172.29.168.25
object network obj_colo
 subnet 172.29.168.0 255.255.255.0
 description Jollytech colo network
object network RC_jt-r610
 host 172.29.168.8
object network WAN_111_167_239_221
 host 111.167.239.221
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq 3389
access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq www
access-list outside_access_in extended permit tcp any object WAN_198_167_239_220 eq https
access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq www
access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq https
access-list outside_access_in extended permit tcp any object WAN_198_167_239_221 eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip object obj_colo object obj_HQ
access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 172.29.168.89
mtu inside 1500
mtu outside 1500
ip local pool Jolly_coloVPN_DHCP 192.168.168.100-192.168.168.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static RC_jt-r610 interface service JT_WWW JT_WWW
nat (inside,outside) source static RC_jt-r610 interface service JT_HTTPS JT_HTTPS
nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service JT_WWW JT_WWW
nat (inside,outside) source static jt-dc01 WAN_111_167_239_220 service RDP RDP
nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service RDP RDP
nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_WWW JT_WWW
nat (inside,outside) source static jt-exch2010 WAN_111_167_239_221 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static obj_colo obj_colo destination static obj_HQ obj_HQ route-lookup
nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 111.167.239.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.29.168.0 255.255.255.0 inside
http 172.29.8.0 255.255.255.0 inside
snmp-server host inside 172.29.168.89 community ***** version 2c
snmp-server location Fremont Colo
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.111.222.140
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 172.29.8.0 255.255.255.0 inside
telnet 172.29.168.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config off vpnclient-wins-override
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy GroupPolicy_173.111.222.140 internal
group-policy GroupPolicy_173.111.222.140 attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username <username> password eicyrfJBrqOaxQvS encrypted
tunnel-group 173.111.222.140 type ipsec-l2l
tunnel-group 173.111.222.140 general-attributes
 default-group-policy GroupPolicy_173.111.222.140
tunnel-group 173.111.222.140 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a45d9f3e7b23713c34d13d5a8ac5ece5
: end
Hello
I think these NAT configurations need to change on the HQ ASA:
nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
Notice that you have configured them to use the 'inside' and 'outside' interfaces.
However, both remote sites terminate on the HQ ASA's 'outside' interface, so the traffic between these remote sites (which passes through the HQ ASA) actually needs a NAT between 'outside' and 'outside'.
You will need to use (outside,outside) in the NAT configurations:
nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
You could actually be fine with only one of the two NAT configurations, as they should be bidirectional.
-Jouni
-
Just set up a site-to-site VPN between an ASA 5515-X and a 5505. The tunnel is up, but I could not ping the other site from the 5505 and vice versa. Here are the tunnel status and the ASA configs. Any help or comment is appreciated. Thank you!
ASA5515X# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 175.141.X.X
      #pkts encaps: 1595, #pkts encrypt: 1595, #pkts digest: 1595
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1595, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
      path mtu 1492, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: FC699E19
      current inbound spi : FFFCF744
    inbound esp sas:
      spi: 0xFFFCF744 (4294768452)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 462848, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/22042)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFC699E19 (4234780185)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 462848, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914825/22042)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA5515X
ASA Version 9.1(1)
!
hostname ASA5515X
!
interface GigabitEthernet0/0
 description TIMEFibre
 nameif outside
 security-level 0
 pppoe client vpdn group navision
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 description Internal LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 192.168.0.10
object network SVR001
 host 192.168.0.13
 description Hyper-V server
object network SVR002
 host 192.168.0.12
 description SQL server
object network SVR003
 host 192.168.0.10
 description Domain controller
object network SVR004
 host 192.168.0.11
 description Terminal server
object network local
 subnet 192.168.0.0 255.255.255.0
 description MFW
object network remote-A
 subnet 192.168.1.0 255.255.255.0
 description FWSG
object network remote-B
 subnet 192.168.2.0 255.255.255.0
 description FWWW
object network remote-C
 subnet 192.168.3.0 255.255.255.0
 description FWFM
object network remote-D
 subnet 192.168.4.0 255.255.255.0
 description PGRHF
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_cryptomap_10 extended permit ip object local object remote-B
access-list inside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit icmp any4 any4 echo
access-list outside_access_in extended permit object-group TCPUDP any any
access-list inside_authentication extended permit tcp any any eq ssh
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local local destination static remote-A remote-A no-proxy-arp route-lookup inactive
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
!
object network SVR001
 nat (any,outside) static interface service tcp 3389 50013
object network SVR002
 nat (any,outside) static interface service tcp 3389 50012
object network SVR003
 nat (any,outside) static interface service tcp 3389 50010
object network SVR004
 nat (any,outside) static interface service tcp 3389 50011
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 211.24.199.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication match inside_authentication inside
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 management
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs group1
crypto map outside_map 10 set peer 175.141.X.X
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
vpdn group navision request dialout pppoe
vpdn group navision localname [email protected]
vpdn group navision ppp authentication pap
vpdn username [email protected] password ***** store-local
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 192.168.0.10 8.8.8.8 interface inside
dhcpd wins 192.168.0.10 interface inside
dhcpd enable inside
!
dhcpd address 10.0.0.100-10.0.0.110 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 175.141.X.X type ipsec-l2l
tunnel-group 175.141.X.X ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
service-policy icmp_policy interface inside
prompt hostname context
(Behind a router)
ASA5505# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 172.16.10.200
      access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 211.24.X.X
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 172.16.10.200/4500, remote crypto endpt.: 211.24.X.X/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: FFFCF744
      current inbound spi : FC699E19
    inbound esp sas:
      spi: 0xFC699E19 (4234780185)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
         slot: 0, conn_id: 348160, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373831/22284)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFFFCF744 (4294768452)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
         slot: 0, conn_id: 348160, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/22284)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA5505
ASA Version 8.2(5)
!
hostname ASA5505
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.10.200 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif management
 security-level 0
 ip address 10.0.0.1 255.255.255.0
 management-only
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 211.24.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.130 inside
dhcpd dns 192.168.2.1 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.0.0.100-10.0.0.110 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 211.24.X.X type ipsec-l2l
tunnel-group 211.24.X.X ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Update:
Traffic to the other end is dropped by the implicit rule, but there is already an access list configured, no?
ASA5515X# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 175.141.X.X
      #pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188
      #pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 30188, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 211.24.X.X/4500, remote crypto endpt.: 175.141.X.X/4500
      path mtu 1492, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 7D03CD30
      current inbound spi : B2B16E15
    inbound esp sas:
      spi: 0xB2B16E15 (2997972501)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 516096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4371272/24996)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7D03CD30 (2097401136)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 516096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4367450/24996)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA5515X# packet-tracer input inside icmp 192.168.0.1 0 8 192.168.2.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x7fff2a320c70, priority=1, domain=permit, deny=false
        hits=3417800, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote-B remote-B no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/0 to 192.168.2.1/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 id=0x7fff2a2b5580, priority=500, domain=permit, deny=true
        hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Hello
I noticed that you are actually using the wrong format of the packet-tracer command:
packet-tracer input inside icmp <source> 8 0 <destination>
And regarding the outside ACL on the ASA5505: there is no need for that, since by default the ASA allows all incoming traffic from the VPN to bypass the interface ACL. I don't see any command in the configuration that would change this default behavior.
You can issue the packet-tracer with the right Type/Code as above. You had them the wrong way around in the original command.
Could you also test the traffic between the real hosts and not the ASAs? Although traffic between a host and the remote ASA's "inside" IP address should also work.
Regarding the above, it seems that you have also changed the default inspection rules on the ASA5515-X unit, since it is not attached globally but to the "inside" interface. Not sure if it has an effect, but I usually do not need to change the default.
-Jouni
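The show crypto ipsec sa output posted above is what you read to tell a tunnel that is up from a tunnel that actually carries traffic both ways: #pkts encaps counts what this ASA encrypted toward the peer, #pkts decaps what it received back. The following script is an added example, not code from this thread or from Cisco. It parses that text layout and flags SAs whose counters only move in one direction, which is the symptom Jouni describes when return traffic never arrives. The sample output is constructed; only the first SA reuses the numbers from the thread, and the second peer (203.0.113.9) and its network (10.99.0.0/16) are assumed.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' text and flag one-way tunnels.

Added example for this thread; it is not code from the original posts or
from Cisco. It reads the per-SA layout shown in the thread ('Crypto map
tag', 'local ident', 'remote ident', 'current_peer', '#pkts encaps' and
'#pkts decaps') and classifies each SA by traffic direction.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    crypto_map: str
    seq: int
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network
    peer: str
    encaps: int
    decaps: int

    def direction(self) -> str:
        """Classify the SA by what the counters say about traffic flow."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.decaps == 0:
            return "outbound-only"  # we encrypt, nothing ever comes back
        if self.encaps == 0:
            return "inbound-only"
        return "bidirectional"


# One regex per field; each matches the layout of the output in the thread.
_TAG = re.compile(r"Crypto map tag:\s*(\S+),\s*seq num:\s*(\d+)")
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/")
_PEER = re.compile(r"current_peer:\s*(\S+)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split the command output into SA blocks and extract one record each."""
    sas = []
    for chunk in re.split(r"(?=Crypto map tag:)", text):
        fields = [rx.search(chunk) for rx in (_TAG, _LOCAL, _REMOTE, _PEER, _ENCAPS, _DECAPS)]
        if not all(fields):
            continue  # the 'interface:' preamble, or a truncated block
        tag, local, remote, peer, enc, dec = fields
        sas.append(IpsecSa(
            crypto_map=tag.group(1),
            seq=int(tag.group(2)),
            local_net=ipaddress.ip_network(f"{local.group(1)}/{local.group(2)}", strict=False),
            remote_net=ipaddress.ip_network(f"{remote.group(1)}/{remote.group(2)}", strict=False),
            peer=peer.group(1),
            encaps=int(enc.group(1)),
            decaps=int(dec.group(1)),
        ))
    return sas


def one_way_sas(sas: list[IpsecSa]) -> list[IpsecSa]:
    """SAs carrying traffic in one direction only: the 'no return traffic' symptom."""
    return [sa for sa in sas if sa.direction() in ("outbound-only", "inbound-only")]


# Constructed sample: the first SA mirrors the thread's healthy tunnel,
# the second is an assumed tunnel whose peer never sends anything back.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 211.24.X.X
      access-list outside_cryptomap_10 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 175.141.X.X
      #pkts encaps: 30188, #pkts encrypt: 30188, #pkts digest: 30188
      #pkts decaps: 25550, #pkts decrypt: 25550, #pkts verify: 25550
    Crypto map tag: outside_map, seq num: 20, local addr: 211.24.X.X
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.99.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.9
      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"{sa.crypto_map}:{sa.seq} {sa.local_net} <-> {sa.remote_net} "
              f"peer {sa.peer} encaps={sa.encaps} decaps={sa.decaps} {sa.direction()}")
```

Feed it the real output (for example, the text of `show crypto ipsec sa` saved to a file) and an "outbound-only" SA points you at the remote side: either the peer's crypto ACL or routing does not send the return traffic into the tunnel. Counters that are both zero mean no interesting traffic has hit the crypto ACL at all, which is a different problem (usually a NAT or routing issue on the local side).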
-
IPsec site-to-site VPN on Wi-Fi router
Hello!
Can someone tell me if there is a Netgear Wi-Fi router that can form an IPsec site-to-site VPN connection between 2 Wi-Fi routers via the WAN connection?
I know that this feature exists on Netgear firewalls, but can you have the same function on any Wi-Fi router?
Cheers!
Michael
I suspect that.
Thank you very much for the reply.
Cheers!
-
Site to site VPN works only on Cisco 881
I have 2 problems with a Cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet outside. But I know that the router has internet, because I can ping the external IP address. The second problem is that I have a site-to-site set up, but when I test the site-to-site I get this error:
Tunnel traffic destination must be routed through the crypto map interface. The following destination(s) do not have a routing entry in the routing table:
192.168.2.0
I copied the config for this router from another working Cisco 881, where everything works. The only difference is that this router needs a site-to-site VPN connection.
My question is how I can get internet on Vlan2 and how I can solve the site-to-site connection.
Here is the running configuration:
Building configuration...
Current configuration : 12698 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1151531093
 revocation-check none
 rsakeypair TP-self-signed-1151531093
!
crypto pki trustpoint TP-self-signed-2011286623
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2011286623
 revocation-check none
 rsakeypair TP-self-signed-2011286623
!
!
crypto pki certificate chain TP-self-signed-1151531093
 certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
  quit
crypto pki certificate chain TP-self-signed-2011286623
no ip source-route
!
!
!
!!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.5.1 192.168.5.49
ip dhcp excluded-address 192.168.5.150 192.168.5.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 2 0
!
ip dhcp pool Internet
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254
 dns-server 64.59.135.133 64.59.128.120
 lease 6 0
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 64.59.135.133
ip name-server 64.59.128.120
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
archive
 log config
  hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$17ST$QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$L4W9$zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 208.98.212.xx
!
crypto isakmp client configuration group MPE
 key *
 pool VPN_IP_POOL
 acl 100
 include-local-lan
 max-users 10
 netmask 255.255.255.0
 banner ^CYou have entered the domain. This area is reserved for control systems administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0/0.0.0.255
Press Continue to start your session.^C
!
crypto isakmp client configuration group PALL
 key *
 pool VPN_IP_POOL_PALL
 acl 101
 include-local-lan
 max-users 1
 netmask 255.255.255.0
 banner ^CYou have entered the domain. This area is restricted to PALL access only.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0/0.0.0.255
Press Continue to start your session.^C
crypto isakmp profile vpn_isakmp_profile
   match identity group MPE
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
crypto isakmp profile vpn_isakmp_profile_2
   match identity group PALL
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN_PROFILE_MPE
 set security-association idle-time 3600
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile
!
crypto ipsec profile VPN_PROFILE_PALL
 set security-association idle-time 1800
 set transform-set VPN_TRANSFORM
 set isakmp-profile vpn_isakmp_profile_2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to208.98.212.xx
 set peer 208.98.212.xx
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.40.254 255.255.255.0
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface FastEthernet4
 ip address 208.98.213.xx 255.255.255.224
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_MPE
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE_PALL
!
interface Vlan1
 description Control network
 ip address 192.168.125.254 255.255.255.0
 ip access-group CONTROL_IN in
 ip access-group CONTROL_OUT out
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Internet network
 ip address 192.168.5.254 255.255.255.0
 ip access-group INTERNET_IN in
 ip access-group INTERNET_OUT out
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.xx permanent
!
ip access-list extended CONTROL_IN
 remark Control access
 remark CCP_ACL Category=17
 permit udp any host 192.168.125.254 eq non500-isakmp
 permit udp any host 192.168.125.254 eq isakmp
 permit esp any host 192.168.125.254
 permit ahp any host 192.168.125.254
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN access
 permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
 remark VNC access
 permit tcp host 192.168.125.2 eq 25000 any
 remark Email from WIN911
 permit tcp host 192.168.125.2 any eq smtp
 remark DNS traffic
 permit udp host 192.168.125.2 host 64.59.135.133 eq domain
 permit udp host 192.168.125.2 host 64.59.128.120 eq domain
 remark Block everything else
 deny   ip any any
ip access-list extended CONTROL_OUT
 remark Control access
 permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VPN access
 permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
 remark VNC access
 permit tcp any host 192.168.125.2 eq 25000
 remark Email from WIN911
 permit tcp any host 192.168.125.2 eq smtp
 remark DNS responses
 permit udp any eq domain host 192.168.125.2
 remark Deny all other traffic
 deny   ip any any
ip access-list extended INTERNET_IN
 remark VNC access on VLAN
 permit tcp any host 192.168.125.2 eq 25000
 remark Block all other control and VPN
 deny   ip any 192.168.125.0 0.0.0.255
 deny   ip any 192.168.40.0 0.0.0.255
 remark Permit all other traffic
 permit ip any any
ip access-list extended INTERNET_OUT
 remark Full outbound Internet access
 permit ip any any
ip access-list extended WAN_IN
 permit ip host 207.229.14.xx any
 remark PERMIT ESTABLISHED TCP CONNECTIONS
 permit tcp any eq smtp any established
 remark PERMIT DOMAIN CONNECTIONS
 permit udp host 64.59.135.133 eq domain any
 permit udp host 64.59.128.120 eq domain any
 remark PERMIT ICMP WARNING RETURNS
 permit icmp any any unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 deny   icmp any any
 permit ip any any
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
access-list 1 remark Out to WAN routing
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 23 remark SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 permit any
access-list 100 remark VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip host 192.168.125.2 any
access-list 111 remark CCP_ACL Category=17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 permit esp any host 208.98.213.xx
access-list 111 permit ahp any host 208.98.213.xx
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 permit esp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
DISCONNECT IMMEDIATELY if you are not an authorized user
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 password *
 transport input telnet ssh
 transport output all
line vty 5 15
 access-class 160 in
 password *
 transport input all
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end
Thank you.
It seems that DNS has failed, because it does indeed get to the internet, but it does not work when internet DNS resolution is needed.
Go ahead and try to ping 157.166.226.25, and in the browser http://157.166.226.25/, which is CNN.com. Let's try those. Also, just in case, configure a DNS server on your router.
- http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418...
Disable any ZBF just in case.
David Castro,
Kind regards
-
Hello
I was wondering if it is possible to create a backup for my site-to-site VPN connection? The remote end has a Cisco router which currently has a VPN connection to an ASA 5500. How would I set up the same router to use another VPN on a different ASA 5500, should the first ASA 5500 not work? Would simply adding another peer address to the ISAKMP policy do it, or do I have to create a new crypto map, or is it just not possible?
Thank you for your help in advance.
On the router side, it should work to have a second peer defined in the isakmp policy and also in the crypto map set. You might want to set up a second instance within your existing crypto map to put in place a second tunnel that would go toward the other ASA. I have implemented a number of customer remote sites with two tunnels to provide failover capability, and two instances within the crypto map work fine.
HTH
Rick
-
Hello
I have created a new site-to-site VPN connection and can't work out why it does not work.
All the other site-to-site VPNs work properly. The new one, the problem, is MATCHJLS. Could anyone recommend steps to correct it?
!
hostname vpn
domain-name
enable password Pp6RUfdBBUU encrypted
passwd ucU7iJnNlZ encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 87.117.xxx.xx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 78.129.xxx.x 255.255.255.128
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name msiuk.com
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group service Http81 tcp
 port-object eq 81
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 81
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86
access-list basic extended permit icmp any any echo-reply
access-list basic extended permit icmp any any time-exceeded
access-list basic extended permit tcp any host 78.129.xxx.xx eq 8731
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx object-group DM_INLINE_TCP_3
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq www inactive
access-list basic extended permit tcp any host 78.129.xxx.xx eq www
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx eq https
access-list basic extended permit tcp any host 78.129.xxx.xx
access-list basic extended permit tcp host 94.128.xxx.xx 78.129.xxx.xx 255.255.255.128 object-group DM_INLINE_TCP_1
access-list SHEEP extended permit ip 10.1.1.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list SPLITTUN standard permit 78.129.xxx.xx 255.255.255.128
access-list SPLITTUN standard permit 10.1.1.0 255.255.255.0
access-list allow extended permit ip any any
access-list MATCHVPN1 extended permit ip host 78.129.xxx.xx host 212.118.157.203
access-list MATCHVPN2 extended permit ip any 212.118.xxx.xx 255.255.255.0
access-list SMTP-NAT extended permit tcp host 78.129.xxx.xx any eq smtp
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN3 extended permit ip 78.129.xxx.xx 255.255.255.224 host 10.180.xxx.xx
access-list MATCHVPN4 extended permit ip host 78.129.xxx.xx host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.17.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHVPN4 extended permit ip 78.129.xxx.xx 255.255.255.248 host 172.16.xxx.xx
access-list MATCHJLS extended permit ip 78.129.151.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool LOCPOOL 10.255.255.1-10.255.255.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 access-list SMTP-NAT
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 10.2.2.0 255.255.255.0
access-group basic in interface outside
access-group allow out interface outside
access-group allow in interface inside
access-group allow out interface inside
route outside 0.0.0.0 0.0.0.0 87.117.213.65 1
route inside 10.1.1.0 255.255.255.0 78.129.151.2 1
route inside 10.2.2.0 255.255.255.0 78.129.151.2 1
route inside 10.33.67.0 255.255.255.0 78.129.151.26 1
route inside 172.20.xxx.xx 255.255.255.0 78.129.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN3DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set kwset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set jlstransformset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNOMAP 10 set transform-set VPN3DES
crypto map VPNPEER 1 match address MATCHJLS
crypto map VPNPEER 1 set peer 94.128.xxx.xx
crypto map VPNPEER 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 10 match address MATCHVPN3
crypto map VPNPEER 10 set peer 94.128.xxx.xx
crypto map VPNPEER 10 set transform-set jlstransformset
crypto map VPNPEER 10 set nat-t-disable
crypto map VPNPEER 30 match address MATCHVPN2
crypto map VPNPEER 30 set peer 212.118.xxx.xx
crypto map VPNPEER 30 set transform-set ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNPEER 30 set reverse-route
crypto map VPNPEER 40 match address MATCHVPN4
crypto map VPNPEER 40 set peer 94.128.xxx.xx
crypto map VPNPEER 40 set transform-set kwset
crypto map VPNPEER 50 match address MATCHVPN3
crypto map VPNPEER 50 set pfs
crypto map VPNPEER 50 set peer 94.128.xxx.xx
crypto map VPNPEER 50 set transform-set kwset ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map VPNPEER 50 set nat-t-disable
crypto map VPNPEER 100 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 3600
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter value MATCHKW
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CLIENTGROUP internal
group-policy CLIENTGROUP attributes
 dns-server value 10.1.1.10 10.1.1.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUN
 default-domain value msiuk.local
username admin password 9RG9xAvynJRd.Q encrypted privilege 15
tunnel-group msi type remote-access
tunnel-group msi general-attributes
 address-pool LOCPOOL
 default-group-policy CLIENTGROUP
tunnel-group msi ipsec-attributes
 pre-shared-key *
tunnel-group msi ppp-attributes
 authentication ms-chap-v2
tunnel-group 212.118.xxx.xx type ipsec-l2l
tunnel-group 212.118.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 94.128.xxx.xx type ipsec-l2l
tunnel-group 94.128.xxx.xx ipsec-attributes
 pre-shared-key *
!
class-map ftpdefault
 match default-inspection-traffic
class-map inspection_default
!
!
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b251877ef24a1dc161b594dc052c44
: end
asdm image disk0:/asdm-625-53.bin
no asdm history enable
Hello
OK, given the above information, I would say that the L2L VPN on your side should probably be fine for the traffic you are trying with the packet-tracer.
It seems that you get no traffic back from the remote end.
This could mean one of the following things:
- The remote site may not be allowing the connection, either in their VPN appliance, firewall or the firewall of the actual server (which I doubt, since we're talking about a web service)
- The remote site has not configured routing properly for your source IP address/network. For example, your connection attempt can reach the remote server, but the return traffic could get forwarded to the wrong place at the remote site. This is more likely when the remote end handles Internet traffic and VPN traffic on separate devices
- The remote site has not enabled the service on the actual server (which is again unlikely, unless this is a service only served to you through this L2L VPN)
- etc.
As I said, looking at this it seems the L2L VPN is fine. It's up and running, but you can't get traffic back over the L2L VPN, which suggests that the problem is at the remote site.
If you go and ask the admins of the remote site about this, let us know how the thing goes.
If you found this information useful, please rate the answer/answers and naturally ask more if necessary
-Jouni
-
Redundancy of site to Site VPN
Hello
I have two ASA 5510s configured with a site-to-site tunnel. On both ASA 5510s I have set up redundant links (2 ISP links), which works very well.
Now I need to configure the site-to-site VPN for the backup link.
Please suggest how to configure site redundancy on both sites.
Kind regards
Ramanantsoa
I don't know the exact topology of your network, but it is possible to define two peers for a site-to-site VPN connection. You can do this in:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229 125.126.127.22
The first peer is always given priority; if it is not available, it fails over to the second.
It will be useful.
Kind regards
Rohan
-
Automatic/dynamic site-to-site VPN connection
Hi all, I need to configure a site-to-site VPN (Cisco ASA and router), but the connection to the remote router must be set to auto.
Can someone help me?
Thank you
Do both ends have static IP addresses, or is one of them on a dynamic IP?
Please clarify what you mean by "auto".
-
Connectivity between two site-to-site VPNs
I have two remote sites that each connect to our main office using a site-to-site VPN. The remote offices have 831 routers. The main office has a PIX 515.
One remote office is 192.168.15.X and the other is 192.168.100.X. The main office is on a 10.X.X.X network.
Each remote office can reach the main office with no problems. However, they cannot communicate with each other at all, and I need this to work. I just want to be able to reach the 192.168.100.X network from the 192.168.15.X network through the VPN tunnel that is already set up between each remote office and the main office.
I tried adding the other network to the ACL for the tunnel, but that did not work. I feel I'm missing something simple.
For example, here is the ACL I had initially:
access-list 103 remark IPSec rule
access-list 103 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255
I added this line to the list:
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
But that did not help.
Thanks in advance.
Hello
What code are you running on the PIX? Spoke-to-spoke IPsec connectivity is supported only in version 7.0 and higher.
Enhanced support for spoke-to-spoke VPN
Version 7.0(1) enhances support for spoke-to-spoke (client-to-client) VPN communications, providing the ability for traffic to enter and exit the same interface. In addition, remote access split-tunnel connections can be terminated on the outside interface of the security appliance, enabling Internet-destined traffic from remote user VPN tunnels to leave on the same interface on which it arrived (after the firewall rules have been applied).
The same-security-traffic command permits traffic to enter and exit the same interface when used with the intra-interface keyword, which enables spoke-to-spoke VPN. For more information, see the section "Allowing Intra-Interface Traffic" in the Cisco Security Appliance Command Line Configuration Guide.
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_70/70_rn/pix_70rn.htm#wp162358
Example of Configuration:
Let me know if it helps.
Kind regards,
Arul
* Please rate all helpful posts *
-
VPN clients connecting across the site-to-site VPN
Hi all
I currently have my firewall's outside interface configured as the VPN termination point for both VPN clients and a Cisco site-to-site VPN. What I found is that when I connect with the VPN client, I can't access the devices across the site-to-site VPN. I think the PIX does not allow this kind of connection, because it requires routing on the same interface. Can someone point me to some docs that can help me in this situation? Thanks in advance for your help.
The restriction was removed in PIX v7, and the related command is "same-security-traffic permit intra-interface".
-
AnyConnect VPN users accessing a remote site over the site-to-site VPN
I need our VPN users to have access to our remote site (site-to-site VPN); there is no problem accessing the main site through the VPN. The crypto maps at both sites have the VPN pool in the crypto ACL.
Any ideas?
Here is the main site (ASA 5520) config, inside 192.168.50.0:
access-list crypto_vpn_remote-site extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto_vpn_remote-site extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
Remote site (PIX 515E), inside 172.16.1.0:
access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list sheep permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list sheep permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
VPN (AnyConnect) pool: 192.168.99.0
On the main site, please make sure that you have "same-security-traffic permit intra-interface" enabled.
Also, if you have split tunneling configured, please make sure that it includes the remote LAN (172.16.1.0/24).
Hope that helps.
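Both the spoke-to-spoke thread above (the 831 router ACL 103 vs. the PIX hub) and this AnyConnect thread come down to the same check: every crypto ACL entry on one side needs a reversed twin on the other, and a pool or spoke network added on only one side silently breaks the return path. The following script is an added example, not code from any of the posts; it parses the ASA/PIX subnet-mask form and the IOS wildcard-mask form of "permit ip" lines, normalises both to CIDR pairs, and reports unmirrored entries. The sample ACLs are constructed from the addresses quoted in the threads; the hub ACL name "to_spokeA" and the deliberately incomplete remote PIX ACL are assumptions for illustration.

```python
"""Mirror check for crypto ACLs on two ends of an L2L VPN (added example)."""
import ipaddress
import re

# Matches both "access-list NAME extended permit ip ..." (ASA) and
# "access-list NAME permit ip ..." (PIX 6.x / IOS numbered ACL).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def _to_net(addr, mask, wildcard):
    """Build an IPv4Network from address + subnet mask (or IOS wildcard)."""
    if wildcard:
        # IOS ACLs use wildcard masks: invert to obtain the subnet mask.
        mask = str(ipaddress.IPv4Address(
            0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, ios=False):
    """Return {acl_name: {(src_net, dst_net), ...}} for permit-ip lines.

    Only the network/mask form is handled; remarks, 'host' and 'any'
    forms are skipped (this example intentionally keeps the grammar small).
    """
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = _to_net(m["src"], m["smask"], ios)
        dst = _to_net(m["dst"], m["dmask"], ios)
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def mirror_gaps(local, remote):
    """Entries of `local` whose reversed (dst, src) pair is absent in `remote`."""
    return sorted((s, d) for (s, d) in local if (d, s) not in remote)


def check_sites(local_text, local_acl, remote_text, remote_acl,
                local_ios=False, remote_ios=False):
    """Compare one crypto ACL per side; return unmirrored entries as strings."""
    local = parse_acl(local_text, local_ios).get(local_acl, set())
    remote = parse_acl(remote_text, remote_ios).get(remote_acl, set())
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in pairs]
    return {
        "missing_on_remote": fmt(mirror_gaps(local, remote)),
        "missing_on_local": fmt(mirror_gaps(remote, local)),
    }


# Constructed sample input, using the addresses from the AnyConnect thread.
MAIN_SITE = """
access-list crypto_vpn_remote-site extended permit ip 192.168.50.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list crypto_vpn_remote-site extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
# Constructed failure case: the remote PIX lacks the AnyConnect pool line.
REMOTE_SITE_BROKEN = """
access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
REMOTE_SITE_FIXED = REMOTE_SITE_BROKEN + (
    "access-list crypto_vpn_main-site permit ip 172.16.1.0 255.255.255.0 "
    "192.168.99.0 255.255.255.0\n")

# Constructed sample from the spoke-to-spoke thread (IOS wildcard masks on
# the 831 spoke; the hub ACL name "to_spokeA" is an assumption).
SPOKE_A = """
access-list 103 remark IPSec rule
access-list 103 permit ip 192.168.15.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
HUB_FOR_SPOKE_A = """
access-list to_spokeA permit ip 10.0.0.0 255.0.0.0 192.168.15.0 255.255.255.0
"""

if __name__ == "__main__":
    print(check_sites(MAIN_SITE, "crypto_vpn_remote-site",
                      REMOTE_SITE_BROKEN, "crypto_vpn_main-site"))
    print(check_sites(SPOKE_A, "103", HUB_FOR_SPOKE_A, "to_spokeA",
                      local_ios=True))
```

Run it against the real "show run access-list" output of each device; the entries listed under "missing_on_remote" are exactly the networks (a VPN pool, a second spoke) that the far end will never encrypt return traffic for. The NAT-exempt ACLs (inside_nat0_outbound, sheep) can be fed through the same function against the crypto ACL on the same box to confirm they cover the same pairs.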