Site to Site VPN picks up DfltGrpPolicy instead of Tunnel-Group
Hello
Our ASA was set up by a consultant some time ago to allow SSLVPN connectivity with an RSA backend. I am now trying to get a Site to Site VPN working but seem to be running into a lot of difficulties. I get a load of l2l VPN-related debugging messages, and I believe the l2l VPN is set up correctly. Here's what I think is of interest:
"January 24, 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x".
The user shown is the IP address of the remote Cisco router that we are trying to bring the VPN up with.
I have to admit that I haven't done a lot with the SSLVPN side of things, so this part of the config is out of my depth; that's why I'm posting here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if this isn't enough). My question is, how do I get the l2l to use the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-record DfltAccessPolicy
webvpn
 url-list none
 svc ask none default svc
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH host *.*.*.*
 retry-interval 5
 timeout 3
 key *
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
 dns-server value !.!.!.!
 vpn-idle-timeout none
 vpn-tunnel-protocol webvpn
 ip-comp enable
 ipsec-udp enable
 default-domain value mondomaine.fr
 address-pools value vpnpool
 webvpn
  http-proxy enable
  svc keep-installer none
  svc keepalive 60
  svc rekey method ssl
  svc ask none default svc
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
 authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Wayne
Do a "sh run all tunnel-group"; you should see the group policy associated with it.
For example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
Let me know if it helps.
See you soon,
Gilbert
Tags: Cisco Security
Similar Questions
-
Configuration of Site VPN connection to another via GRE Tunnels
I am trying to bring up a site-to-site VPN over the internet using GRE tunnels. I am able to reach one WAN interface from the other, but I am not able to get ISAKMP and IPsec to work. Below is the configuration and a simplified flowchart. In this scenario I am also running BGP between these routers. The BGP neighborships are formed through the tunnels, but I want the traffic between the tunnels to be encrypted. IPsec and ISAKMP are not running, and BGP routes and other traffic are not encrypted.
That is why I would like to know what the reason for this could be.
Router config VPN 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.20.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.20.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.30.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.30.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.40.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.40.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.20.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.20.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.1 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64851
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64859
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64859
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.10.1 peer-group BGP_PEER_1
 neighbor 192.168.10.2 peer-group BGP_PEER_2
!
ip route 192.168.10.1 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 Tunnel1
ip route 192.168.20.1 255.255.255.255 GigabitEthernet0
ip route 192.168.20.2 255.255.255.255 GigabitEthernet0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
Router config VPN 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.30.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.30.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.20.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.20.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.10.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.10.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.30.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.30.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.2 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64859
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64851
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64851
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.40.1 peer-group BGP_PEER_1
 neighbor 192.168.40.2 peer-group BGP_PEER_2
!
ip route 192.168.40.1 255.255.255.255 Tunnel0
ip route 192.168.40.2 255.255.255.255 Tunnel1
ip route 192.168.30.1 255.255.255.255 gi0
ip route 192.168.30.2 255.255.255.255 gi0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
Your tunnel encryption configuration is incorrect... you need to do something like the following at both ends.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key cisco address
crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac
crypto ipsec profile MYPROFILE
 set transform-set RIGHT
interface tunnel 10
 ip unnumbered gig0/0
 tunnel source gig0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
Please do not forget to select a correct answer and rate useful posts
-
Site-to-Site VPN - routing on ASA (8.4.2)
ASA-SiteA:
outside int: 4.5.6.7
inside int: 10.1.1.1
DMZ: 192.168.0.1 255.255.255.0
Routes on ASA-SiteA:
route outside 0.0.0.0 0.0.0.0 4.5.6.7 - default route
route inside 172.10.1.0 255.255.255.0 10.1.1.1 - route to reach the ASA-SiteB inside interface
ASA-SiteB:
outside int: 50.1.2.3
inside int: 172.10.1.1
DMZ: 192.168.87.1 255.255.255.0
Routes on ASA-SiteB:
route outside 0.0.0.0 0.0.0.0 50.1.2.3 - default route
route inside 10.1.1.0 255.255.255.0 172.10.1.1 - route to reach the ASA-SiteA inside interface
The inside interfaces of the two ASAs can communicate with each other through MPLS circuits. We want to create a VPN tunnel between the two DMZ networks so that the traffic passes through a tunnel across the internal network. Please check the config below and indicate whether any changes are needed.
1. For the VPN tunnel to work, does the traffic have to match a route on the ASA, or does it simply have to match the access-list (interesting traffic)? For example, after configuring the VPN tunnel between the 192.168.0.0 and 192.168.87.0 networks, when I ping 192.168.87.1, will the IP packet go through the tunnel because it matches the interesting traffic, or will the packets go to 4.5.6.7 because they match the default route?
2. In normal Site-to-Site VPN traffic scenarios, traffic originates on a high security interface (DMZ or inside) and goes out the low security interface (outside), but in the case above traffic initiates on the low security interface (DMZ) and goes to the high security (inside) interface, which usually gets blocked unless there is an access-list entry to allow that traffic. Do we therefore have to have a "permit ip any" entry (on the access-list applied to the DMZ interface) between the two DMZ networks?
Config on ASA-SiteA:
IKEv1 policy
ASA-SiteA(config)# crypto ikev1 enable inside   - Does enabling ikev1 on the inside interface interrupt traffic?
ASA-SiteA(config)# crypto ikev1 policy 100
ASA-SiteA(config-ikev1-policy)# authentication pre-share
ASA-SiteA(config-ikev1-policy)# encryption 3des
ASA-SiteA(config-ikev1-policy)# hash sha
ASA-SiteA(config-ikev1-policy)# group 2
ASA-SiteA(config-ikev1-policy)# lifetime 86400
IPsec tunnel
ASA-SiteA(config)# crypto ipsec ikev1 transform-set VPN-MPLS esp-3des esp-sha-hmac
ASA-SiteA(cfg-crypto-trans)# mode transport
Tunnel group
ASA-SiteA(config)# tunnel-group 172.10.1.1 type ipsec-l2l
ASA-SiteA(config)# tunnel-group 172.10.1.1 ipsec-attributes
ASA-SiteA(config-tunnel-ipsec)# pre-shared-key test
Interesting traffic
ASA-SiteA(config)# object network Site-A-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.0.0 255.255.255.0
ASA-SiteA(config)# object network Site-B-DMZ
ASA-SiteA(config-network-object)# subnet 192.168.87.0 255.255.255.0
ASA-SiteA(config)# access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site-A-SN object Site-B-SN
ASA-SiteA(config)# nat (dmz,inside) source static Site-A-DMZ Site-A-DMZ destination static Site-B-DMZ Site-B-DMZ
Crypto map
ASA-SiteA(config)# crypto map VPN-LAN 100 ipsec-isakmp
ASA-SiteA(config-crypto-map)# match address VPN-INTERESTING-TRAFFIC
ASA-SiteA(config-crypto-map)# set pfs group2
ASA-SiteA(config-crypto-map)# set peer 172.10.1.1
ASA-SiteA(config-crypto-map)# set transform-set ESP-3DES-SHA
ASA-SiteA(config-crypto-map)# crypto map VPN-LAN interface inside
Yes, you need the correct route, otherwise it will just be forwarded through the default gateway.
So, on Site A, you should have:
route inside 192.168.87.0 255.255.255.0 10.1.1.x --> x should be the next hop from the ASA inside interface
On Site B, you should have:
route inside 192.168.0.0 255.255.255.0 172.10.1.x --> x should be the next hop from the ASA inside interface
Remove "mode transport" from both ASAs.
To answer your questions:
1. Yes, it needs to match a route, otherwise it will be routed through the default gateway.
2. Yes, you must have an access-list to allow traffic from the lower security level to the higher one. If you want full IP access, you can configure "permit ip" between the 2 LANs.
-
Port filtering on an IPsec site-to-site VPN
Hello guys!
I have configured a Site-to-Site VPN as follows (for the access list):
Local: 192.168.0.0/24
Remote: 10.0.0.0/24
So, I have this configuration:
access-list VPN-Test line 1 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
But I would like to allow just tcp/80 from my remote site to connect to my local site (because right now 10.0.0.0/24 can access everything in my 192.168.0.0/24).
How can I do that? (I tried to change the VPN-Test access list under ASDM, Configuration, ACL Manager, but no luck.)
Should I create a rule on the outside interface, such as:
Source: 10.0.0.0/24
Destination: 192.168.0.0/24
Protocol: tcp/80
How can I do that?
Thank you
Diego
By default, the outside ACL is not evaluated for VPN traffic. Instead, you configure a new ACL that is applied as a "vpn-filter" to the group policy for your connection.
access-list VPN-FILTER-XXX permit tcp any any eq 80
!
group-policy GP-VPN-XXX attributes
 vpn-filter value VPN-FILTER-XXX
!
tunnel-group a.b.c.d general-attributes
 default-group-policy GP-VPN-XXX
In the ACL you need not specify the networks, as the tunnel cannot carry anything other than what is specified in the crypto ACL. But of course you can enter them if you want to:
access-list VPN-FILTER-XXX permit tcp 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
-
Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170
I'm trying to implement a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the internet IP address of the firewall on the other side, and from a desktop computer I can ping the internal IP address of the datacenter firewall, but I can't carry traffic between the datacenter and desktop private subnets. Can anyone help?
The config below has had IPs/passwords changed.
External Datacenter: 1.1.1.4
External office: 1.1.1.1
Internal data center: 10.5.0.1/24
Internal office: 10.10.0.1/24
: Saved
:
ASA Version 8.2(1)
!
hostname datacenterfirewall
domain-name mydomain.tld
enable password thepassword encrypted
passwd encrypted
names
name 10.10.0.0 OfficeNetwork
name 10.5.0.0 DatacenterNetwork
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.4 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name buydomains.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto dynamic-map ciscopix 1 set transform-set walthamoffice
crypto dynamic-map ciscopix 1 set reverse-route
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.5.0.0 255.255.255.0 inside
telnet timeout 5
ssh 10.5.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.5.0.2-10.5.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 66.250.45.2 source outside
ntp server 72.18.205.157 source outside
ntp server 208.53.158.34 source outside
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
username admin password encrypted
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
: end
Mattew, what is obviously missing is the nat exempt rule for your tunnel. Your access list pixtosw is similar to the one in this example; I assume that you have gone through this link, if not, see the configs on both sides.
Add the nat exempt statement on the ASA and try again.
nat (inside) 0 access-list pixtosw
Regards
-
Hello
I'm setting up a site-to-site VPN tunnel between two locations. Both have a Cisco ASA 5505 running different versions; I'll explain in more detail below. So far I was able to get the tunnel to come up, but I can't seem to pass traffic. I've been working on this for days now and have not been able to understand why it will not pass traffic. Needless to say, the customer is PO'd about the fact that their VPN is not up and they have had to do things by hand. I'll put the configs below; if possible can someone help me ASAP, I really want to get this site up and running so that we do not lose the customer.
Site A IP = 0.0.0.0
Site B IP = 1.1.1.1
Site A version = 8.3.1
Site B version = 9.2.3
SITE A RUNNING CONFIG
Output of the command: "sh run"
: Saved
:
ASA Version 8.3(1)
!
hostname SDMCLNASA01
domain-name SDMCLNASA01.LOCAL
enable password 5E8js/Fs7qxjxWdp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 0.0.0.0 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name SDMCLNASA01.LOCAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network lan_internal
 subnet 192.168.0.0 255.255.255.0
object network smtp
 host 192.168.0.245
object network http
 host 192.168.0.245
object network rdp
 host 192.168.0.245
object network ssl
 host 192.168.0.245
object network camera_1
 host 192.168.0.13
object network camerahttp
 host 192.168.0.13
object service 8081
 service tcp source eq 8081 destination eq 8081
 description Dvr
object network camera-http
 host 192.168.0.13
object network dvr-http
 host 192.168.0.13
object network dvr-mediaport
 host 192.168.0.13
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 34567
 port-object eq 34599
 port-object eq 8081
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
nat (outside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
!
object network lan_internal
 nat (inside,outside) dynamic interface
object network smtp
 nat (any,outside) static interface service tcp smtp smtp
object network http
 nat (any,outside) static interface service tcp www www
object network rdp
 nat (any,outside) static interface service tcp 3389 3389
object network ssl
 nat (any,outside) static interface service tcp https https
object network dvr-http
 nat (any,outside) static interface service tcp 8081 8081
object network dvr-mediaport
 nat (any,outside) static interface service tcp 34567 34567
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.42.194.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8080
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 outside
http 71.40.221.136 255.255.255.252 inside
http 71.40.221.136 255.255.255.252 outside
http 192.168.0.0 255.255.255.0 outside
http 97.79.197.42 255.255.255.255 inside
http 97.79.197.42 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.50-192.168.0.150 inside
dhcpd dns 192.168.0.245 209.18.47.62 interface inside
dhcpd domain SDMCLNASA01.LOCAL interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:462428c25e9748896e98863f2d8aeee7
: end
SITE B RUNNING CONFIG
Output of the command: "sh run"
: Saved
:
: Serial Number: JMX1635Z1BV
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname ciscoasa
enable password qddbwnZVxqYXToV9 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network camera_http
 host 192.168.1.13
object network camera_media
 host 192.168.1.13
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq 9000
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object NETWORK_OBJ_192.168.0.0_24
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-732.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24
nat (outside,inside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
!
object network camera_http
 nat (any,outside) static interface service tcp www www
object network camera_media
 nat (any,outside) static interface service tcp 9000 9000
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.40.221.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 0.0.0.0
card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev1 allow outside
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd address 192.168.1.50 - 192.168.1.150 inside
dhcpd dns 192.168.0.245 209.18.47.61 interface inside
dhcpd SDPHARR field. LOCAL inside interface
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
attributes of Group Policy DfltGrpPolicy
Ikev1 VPN-tunnel-Protocol
internal GroupPolicy_0.0.0.0 group strategy
attributes of Group Policy GroupPolicy_0.0.0.0
VPN-tunnel-Protocol ikev1, ikev2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
!
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:19031ab1e3bae21d7cc8319fb7ecf0eb
: end
Sorry, my mistake.
Delete this if it's still there:
crypto map external_map 1 set reverse-route
Add this on both sides:
crypto map outside_map 1 set reverse-route
Sorry about that.
Mike
-
Site-to-site VPN drops ICMP packets
Hello
I am testing a site-to-site VPN between an ASA and a Cisco router in GNS3. The topology is basic and the tunnel is up, but when the remote host pings from either side, ICMP packets are dropped. See the router command output; the ASA does not show any drops. Here is sample output from ping when I try to ping the remote client. Any help is appreciated :)
A snapshot of the topology is attached, along with the configs.
Thank you
84 bytes from 10.20.20.5 icmp_seq=59 ttl=63 time=79.004 ms
10.20.20.5 icmp_seq=60 timeout
84 bytes from 10.20.20.5 icmp_seq=61 ttl=63 time=70.004 ms
10.20.20.5 icmp_seq=62 timeout
84 bytes from 10.20.20.5 icmp_seq=63 ttl=63 time=59.004 ms
10.20.20.5 icmp_seq=64 timeout
84 bytes from 10.20.20.5 icmp_seq=65 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=66 timeout
84 bytes from 10.20.20.5 icmp_seq=67 ttl=63 time=59.003 ms
10.20.20.5 icmp_seq=68 timeout
84 bytes from 10.20.20.5 icmp_seq=69 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=70 timeout
84 bytes from 10.20.20.5 icmp_seq=71 ttl=63 time=58.003 ms
10.20.20.5 icmp_seq=72 timeout
84 bytes from 10.20.20.5 icmp_seq=73 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=74 timeout
84 bytes from 10.20.20.5 icmp_seq=75 ttl=63 time=69.004 ms
10.20.20.5 icmp_seq=76 timeout
84 bytes from 10.20.20.5 icmp_seq=77 ttl=63 time=237.013 ms
10.20.20.5 icmp_seq=78 timeout

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: map, local addr 100.100.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
   current_peer 100.100.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

ciscoasa# sh crypto isakmp stats

Global IKEv1 Statistics
  Active Tunnels: 1
  Previous Tunnels: 1
  In Octets: 1384
  In Packets: 12
  In Drop Packets: 0
  In Notifys: 8
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 1576
  Out Packets: 13
  Out Drop Packets: 0
  Out Notifys: 16
  Out P2 Exchanges: 1
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 1
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

Hello
On router R1, you configured the default route with the outgoing interface. Instead of the outgoing interface, use the IP address of the next hop. That will fix the ping drops.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 100.100.100.1
HTH
"Please rate helpful posts and mark the correct answer if it solves the problem."
-
Trying to run a site-to-site VPN and a remote-access VPN from the same remote IP
We currently have a site-to-site VPN configured between our call center office and a 3rd party, which allows their employees to access our training environment while being trained on our systems. This tunnel runs between our ASA and their ASA without problem; however, when our managers go out to the call center, they are unable to use the remote-access VPN to reach our office.
Apparently the remote peer IP that we use for our site-to-site tunnel is the same IP that our managers use to access the internet when they are on-site with the customer. When I look at the logs, it shows the VPN attempt and then I get "Information Exchange processing failed". So from what I can understand, when our managers try to connect to our firewall from the same IP address as the site-to-site peer, it automatically tries to build a tunnel according to the site-to-site tunnel's information. If our managers are anywhere else, they can connect through the remote-access VPN with no problems.
My question is whether anyone knows of a way to make the firewall allow site-to-site and remote-access VPN connections from the same remote IP address.
Hi John,
Basically, in older versions, when you hit a static crypto map and do not completely match that static crypto map, the connection falls through to the dynamic crypto map. For this reason, you could connect your IPSec clients before. A bug has been opened on this behaviour.
CSCuc75090 bug details
Crypto IPSec Security Associations are created by a dynamic crypto map for static peers
Symptom:
When a static VPN peer sends traffic that matches the crypto ACL, an SA is built even if the peer IP is not permitted in the ACL of the static crypto map. These SAs end up matching and instantiating the dynamic crypto map instance.
Conditions:
This has been a planned design since day one, allowing customers to fall through in case the static crypto map did not provide the necessary crypto services.
The SA must come from a statically configured peer, and a dynamic crypto map instance must be configured on the receiving end.
Workaround:
N/A
Some possible workarounds are:
Configure a static NAT on the remote device when you try to use the remote-access VPN, so that the firewall is hit from a different public IP address. It would be a good solution, but it will depend on how many public IP addresses you have available and whether you really want to use one of those IP addresses for that access.
Also, I thought you could use AnyConnect instead of the IPSec VPN client. I don't know how many users need to connect from their PCs at the remote site, but the ASA has 2 SSL licenses available that you could use. Because AnyConnect uses the SSL protocol, it won't have a problem in your environment.
Below some information:
Hope this helps,
Luis.
-
First shot at site-to-site VPN fails
This is my first attempt at establishing a site-to-site VPN on ASA 5505s. Fortunately, I'm able to do it on the bench and not at the real sites. As soon as I can verify connectivity, I'll move them to the physical sites.
Both ASAs are running 8.3(1). I tried with ASDM and I tried via CLI. I don't seem to be able to do it either way.
One ASA is configured with WAN address 10.1.52.1/24, LAN address 192.168.52.1. The other ASA is set up with WAN 10.1.200.1/24, LAN 192.168.200.1. Because they are on the bench (lab / whatever) there is a single cable connecting the two WAN ports. I have a single workstation on each LAN to test connectivity. I CAN'T successfully ping the ASA WAN (10.1.52.1) from the workstation on 192.168.200.1, and vice versa. I'm NOT able to ping the workstation on 192.168.200.1 or the ASA 10.1.200.1 from the 192.168.52.1 LAN, and vice versa.
Here are the configs for the two and some debug log output:
ASA Version 8.3(1)
!
hostname MAIN
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
object network INSIDE
 subnet 192.168.200.0 255.255.255.0
object network CISC
 subnet 192.168.52.0 255.255.255.0
object-group icmp-type ICMP_ALLOWED
 description allow pings
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list INBOUND extended permit icmp any any object-group ICMP_ALLOWED log debugging
access-list VPN-2-CISC extended permit ip 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0 log debugging
access-list VPN-2-CISC extended permit icmp 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object CISC object INSIDE log debugging
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC
!
object network INSIDE
 nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.52.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-2-CATC 1 match address outside_cryptomap_1
crypto map VPN-2-CATC 1 set pfs
crypto map VPN-2-CATC 1 set peer 10.1.52.1
crypto map VPN-2-CATC 1 set transform-set ESP-3DES-MD5
crypto map VPN-2-CISC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.200.5-192.168.200.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value VPN-2-CISC
tunnel-group 10.1.52.1 type ipsec-l2l
tunnel-group 10.1.52.1 ipsec-attributes
 pre-shared-key VPN2VPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:53060156da27a8404adc45a01ff7324a
: end
==================
ASA Version 8.3(1)
!
hostname CISC
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.52.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.52.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network INSIDE
 subnet 192.168.52.0 255.255.255.0
object network MAIN
 subnet 192.168.200.0 255.255.255.0
object-group icmp-type ICMP_ALLOWED
 description Allow test pings
 icmp-object echo
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
 icmp-object echo-reply
access-list INBOUND extended permit icmp any any object-group ICMP_ALLOWED
access-list VPN_TO_MAIN extended permit ip 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list VPN_TO_MAIN extended permit icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object INSIDE object MAIN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN
!
object network INSIDE
 nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.52.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_TO_MAIN 1 match address outside_cryptomap_1
crypto map VPN_TO_MAIN 1 set pfs
crypto map VPN_TO_MAIN 1 set peer 10.1.200.1
crypto map VPN_TO_MAIN 1 set transform-set ESP-3DES-MD5
crypto map VPN_TO_MAIN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.52.5-192.168.52.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-filter value VPN_TO_MAIN
tunnel-group 10.1.200.1 type ipsec-l2l
tunnel-group 10.1.200.1 ipsec-attributes
 pre-shared-key VPN2VPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fb0bfb4b67a8bfb2360a0d4499ce7f3d
: end
no asdm history enable
===================
When I try to ping from the CATC internal network, 192.168.52.0/24, to the internal interface of the MAIN ASA, 192.168.200.1, I get...
Built outbound ICMP connection for faddr 192.168.200.1/0 gaddr 192.168.52.7/1 laddr 192.168.52.7/1
Teardown ICMP connection for faddr 192.168.200.1/0 gaddr 192.168.52.7/1 laddr 192.168.52.7/1
Built inbound UDP connection 6669 for inside:192.168.52.7/68 (192.168.52.7/68) to identity:255.255.255.255/67 (255.255.255.255/67)
---
I also try to hit a web server at address 192.168.200.5:
Built outbound TCP connection 6674 for outside:192.168.200.5/80 (192.168.200.5/80) to inside:192.168.52.7/50956 (192.168.52.7/50956)
Teardown TCP connection 6674 for outside:192.168.200.5/80 to inside:192.168.52.7/50956 duration 0:00:30 bytes 0 SYN Timeout
Deny tcp src outside:192.168.200.5/1632 dst inside:192.168.52.7/80 by access-group "IN" [0x0, 0x0]
I don't understand the deny by the INBOUND access-group. I thought that with a VPN, the traffic bypasses the standard access rules.
No session shows up in the ASDM Monitoring > VPN window.
show ipsec sa AND show isakmp sa also both say "There are no ipsec/isakmp sas".
In addition,
In P2 Exchanges: 1997
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 1997
In P2 Sa Delete Requests: 0
Out P2 Exchanges: 360
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 360
=========================
I would eventually like to run occasional HTTP traffic via this VPN, but it will primarily serve to connect our two IP phone systems.
Thank you all,
Laner
Hi Laner,
I created a configuration based on your configuration. Please see below:
SITE 1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.1.52.1 type ipsec-l2l
tunnel-group 10.1.52.1 ipsec-attributes
 pre-shared-key VPN2VPN
object network INSIDE
 subnet 192.168.200.0 255.255.255.0
object network CISC
 subnet 192.168.52.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object INSIDE object CISC
nat (inside,outside) source static INSIDE INSIDE destination static CATC CATC no-proxy-arp route-lookup
crypto map VPN-2-CATC 1 match address outside_cryptomap_1
crypto map VPN-2-CATC 1 set pfs
crypto map VPN-2-CATC 1 set peer 10.1.52.1
crypto map VPN-2-CATC 1 set transform-set ESP-3DES-MD5
This configuration is not necessary, because you specify ip as the protocol and that will allow everything through the tunnel:
access-list VPN-2-CISC extended permit ip 192.168.52.0 255.255.255.0 192.168.200.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-filter value VPN-2-CISC
//
SITE 2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.1.200.1 type ipsec-l2l
tunnel-group 10.1.200.1 ipsec-attributes
 pre-shared-key VPN2VPN
object network INSIDE
 subnet 192.168.52.0 255.255.255.0
object network MAIN
 subnet 192.168.200.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object INSIDE object MAIN
nat (inside,outside) source static INSIDE INSIDE destination static MAIN MAIN no-proxy-arp route-lookup
crypto map VPN_TO_MAIN 1 match address outside_cryptomap_1
crypto map VPN_TO_MAIN 1 set pfs
crypto map VPN_TO_MAIN 1 set peer 10.1.200.1
crypto map VPN_TO_MAIN 1 set transform-set ESP-3DES-MD5
This configuration is not necessary, because you specify ip as the protocol and that will allow everything through the tunnel:
access-list VPN_TO_MAIN extended permit ip 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list VPN_TO_MAIN extended permit icmp 192.168.200.0 255.255.255.0 192.168.52.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-filter value VPN_TO_MAIN
//
Match your configuration with my setup and make the changes. VPN filters are not needed, because you are not filtering anything. Remove the VPN filter at both ends, then try to ping through the VPN. Also, if you ping from the inside interface to the inside interface of the other device, make sure that management-access is enabled on both inside interfaces; otherwise it will not respond to ping requests.
The way to check whether management-access is enabled is to run the command:
show management-access
If you get nothing, enter the command 'management-access inside' and then run the ping.
Let me know if it helps.
Vishnu
-
Several subnets in a site-to-site VPN
Hi guys,
I would like to set up a site-to-site VPN tunnel with several subnets. I could not find a configuration that matches my problem. I hope you can help me with the solution.
You can find my network design attached to this topic.
This is my setup on the ASA:
(1) NAT exemption for traffic going to the site-to-site VPN
nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0
(2) The access-list with the traffic to encrypt
object-group network 192.168.10.0
 network-object 192.168.10.0 255.255.255.0
object-group network 192.168.15.0
 network-object 192.168.15.0 255.255.255.0
object-group network 192.168.38.0
 network-object 192.168.38.0 255.255.255.0
object-group network 192.168.31.0
 network-object 192.168.31.0 255.255.255.0
object-group network STSVPN-LOCAL
 group-object 192.168.10.0
 group-object 192.168.15.0
object-group network STSVPN-US
 group-object 192.168.38.0
 group-object 192.168.31.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
(3) Phase 1 proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
(4) Phase 2 proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
(5) Tunnel group
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 general-attributes
 default-group-policy GrpPolicy-STSVPN-US
tunnel-group 14.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcd
 ikev2 local-authentication pre-shared-key abcd
Group policy
group-policy GrpPolicy-STSVPN-US internal
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
 vpn-tunnel-protocol ikev2
(5) Crypto map
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
crypto ikev2 enable INT-STSVPN
/////////////////////////////////////////////////////////////////////
The router configuration:
(1) IKEv2 SA part
crypto ikev2 proposal ki2.PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ki2.POL
 proposal ki2.PROP
crypto ikev2 keyring KR1
 peer ASALAB
  address 2.2.2.2
  pre-shared-key local abcd
  pre-shared-key remote abcd
crypto ikev2 profile ki2.PROF
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
(2) Transform set
crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
 mode tunnel
(3) Access-list
ip access-list extended ACL.VPNIKE2
 permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255
(5) Crypto map
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS.VPN2
 set pfs group14
 set ikev2-profile ki2.PROF
 match address ACL.VPNIKE2
//////////////////////////////////////////////////////////////////////
Is this configuration correct for allowing both subnets on each side of the VPN tunnel to communicate with each other?
The 192.168.31.0 subnet cannot communicate with 192.168.10.0.
The 192.168.38.0 subnet cannot communicate with 192.168.15.0.
Hello Jay,
I went through the configuration of both devices and noticed a few errors in the ASA configuration. Details here:
(1) The access-list configured for the VPN traffic is named ACL_STSVPN-US; however, the match address configured on the crypto map uses an object-group name instead:
crypto map CM-STSVPN 10 match address STSVPN-US
You must change this setting to avoid problems with the traffic negotiation:
no crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 match address ACL_STSVPN-US
(2) You also have the same error on the configured vpn-filter. However, you could not use the access-list ACL_STSVPN-US for the VPN filter, since the ASA filters incoming packets only. In this case the appropriate ACL will be configured from the remote networks (ROUTER) to the local networks (ASA). It will look something like this:
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value VPN_filter
Keep in mind that the VPN filter consists of rules that determine whether to permit or deny tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. If you want to permit the whole IP protocol, the filter will make no difference.
(3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it to the ASA crypto map as well or remove it from the router.
ASA:
crypto map CM-STSVPN 10 set pfs group14
Router:
crypto map CM.VPN 30 ipsec-isakmp
 no set pfs group14
Hope this helps you bring the tunnel up,
Luis.
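The two replies above trace a tunnel that will not pass traffic to configuration mismatches: a vpn-filter applied through DfltGrpPolicy and a crypto map bound to the interface under a different name than its entries in the first thread, and a 'match address' that names an object-group plus PFS set on only one side in this one. The following Python checker is an added example, not code from either thread or from Cisco; its function names and the constructed sample configs (modelled on the posts) are its own.

```python
"""ASA site-to-site (l2l) VPN consistency checks.
Added example for the threads above; not code from the posts or from Cisco. It
reads only the config lines it needs and reports the mismatches the replies point
out: 'match address' naming an object-group instead of an ACL, a crypto map bound
under a name with no entries, a peer lacking an ipsec-l2l tunnel-group, a
vpn-filter under DfltGrpPolicy, and PFS set on one side only.
"""
import re
from collections import defaultdict


def parse_asa(config):
    """Collect access-list, object-group, crypto map, tunnel-group and filter facts."""
    d = {"acls": set(), "objgroups": set(), "maps": defaultdict(dict),
         "bound": {}, "tgroups": set(), "dflt_filter": None}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = line  # ASA indents sub-mode commands by one space
        if m := re.match(r"access-list (\S+) ", line):
            d["acls"].add(m.group(1))
        elif m := re.match(r"object-group network (\S+)", line):
            d["objgroups"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set pfs)\s*(\S*)", line):
            name, seq, key, val = m.groups()
            d["maps"][(name, seq)][key] = val or "(default)"  # bare 'set pfs' = default group
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            d["bound"][m.group(2)] = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            d["tgroups"].add(m.group(1))
        elif section == "group-policy DfltGrpPolicy attributes" and \
                (m := re.match(r"vpn-filter value (\S+)", line)):
            d["dflt_filter"] = m.group(1)
    return d


def ios_pfs(config):
    """PFS group under each IOS 'crypto map NAME SEQ ipsec-isakmp' entry (None if unset)."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = (m.group(1), m.group(2))
            groups[cur] = None
        elif cur and (m := re.match(r"set pfs (\S+)", line)):
            groups[cur] = m.group(1)
    return groups


def lint_l2l(asa_config, router_config=None):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_asa(asa_config)
    findings = []
    for (name, seq), entry in d["maps"].items():
        acl = entry.get("match address")
        if acl is None:
            findings.append(f"crypto map {name} {seq}: no 'match address'")
        elif acl not in d["acls"]:
            why = " (that is an object-group, not an access-list)" if acl in d["objgroups"] else ""
            findings.append(f"crypto map {name} {seq}: match address {acl} is not an access-list{why}")
        peer = entry.get("set peer")
        if peer and peer not in d["tgroups"]:
            findings.append(f"crypto map {name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
    defined = {name for name, _ in d["maps"]}
    for iface, name in d["bound"].items():
        if name not in defined:
            findings.append(f"interface {iface}: bound crypto map {name} has no entries")
    if d["dflt_filter"]:
        findings.append(f"DfltGrpPolicy vpn-filter {d['dflt_filter']} applies to every tunnel "
                        "and is evaluated on inbound (remote-to-local) traffic")
    if router_config:  # PFS must match on both ends or phase 2 fails
        for (rmap, rseq), rgrp in ios_pfs(router_config).items():
            for (name, seq), entry in d["maps"].items():
                agrp = entry.get("set pfs")
                if (agrp is None) != (rgrp is None) or (agrp not in (None, "(default)") and agrp != rgrp):
                    findings.append(f"PFS mismatch: router {rmap} {rseq} has {rgrp or 'no pfs'}, "
                                    f"ASA {name} {seq} has {agrp or 'no pfs'}")
    return findings


# Constructed sample modelled on the configs in the threads above (not a real device).
SAMPLE_ASA = """\
object-group network STSVPN-LOCAL
object-group network STSVPN-US
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN interface INT-STSVPN
group-policy DfltGrpPolicy attributes
 vpn-filter value ACL_STSVPN-US
tunnel-group 4.4.4.4 type ipsec-l2l
"""
SAMPLE_ROUTER = "crypto map CM.VPN 30 ipsec-isakmp\n set peer 2.2.2.2\n set pfs group14\n"

if __name__ == "__main__":
    for finding in lint_l2l(SAMPLE_ASA, SAMPLE_ROUTER):
        print("-", finding)
```

Feed it the output of show running-config from the ASA and the router; the three findings on the sample disappear once match address points at the ACL, the filter is removed and set pfs group14 is added on the ASA.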
-
Site-to-site VPN problem on ASA 5505
Hello
I have a strange problem with a site-to-site VPN. I configured it completely and added 3 of my internal networks to be encrypted and to access the remote network across the tunnel.
For some reason, I can access the remote network from only two of the three internal networks that I've specified.
Here is a copy of my config; if anyone has any info, I would of course be happy.
Thank you
Kevin
hostname FK-U.S.-Raleigh-ASA
domain-name appdrugs.com
enable password 08PI8zPL2UE41XdH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.237.0 Maridian-primary-Net
name 192.168.237.128 Meridian-backup-Net
name 10.239.192.141 AccessSwitch1IDFB
name 10.239.192.143 AccessSwitch1IDFC
name 10.239.192.140 AccessSwitch1MDFA
name 10.239.192.142 AccessSwitch2IDFB
name 10.195.64.206 CiscoCallManager
name 10.239.192.2 CoreSwitch1
name 10.239.192.3 CoreSwitch2
name 10.195.64.17 UnityVM
name 140.239.116.162 Outside_Interface
name 65.118.69.251 Meridian-primary-VPN
name 65.123.23.194 Meridian_Backup_VPN
dns-guard
!
interface Ethernet0/0
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/1
 nameif outside
 security-level 60
 ip address Outside_Interface 255.255.255.224
!
interface Ethernet0/2
 nameif Inside1
 security-level 100
 ip address 10.239.192.7 255.255.255.128
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa804.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup Inside1
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.239.192.10
 domain-name appdrugs.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 10.195.64.0 255.255.255.0
 network-object 10.239.192.0 255.255.255.0
 network-object 10.239.192.128 255.255.255.128
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
 network-object 10.195.64.0 255.255.255.0
 network-object 10.239.192.0 255.255.255.128
 network-object 10.239.192.128 255.255.255.128
object-group network DM_INLINE_NETWORK_3
 network-object 10.195.64.0 255.255.255.192
 network-object 10.239.192.0 255.255.255.128
 network-object 10.239.192.128 255.255.255.128
object-group network DM_INLINE_NETWORK_5
 network-object Maridian-primary-Net 255.255.255.128
 network-object Meridian-backup-Net 255.255.255.128
object-group network DM_INLINE_NETWORK_6
 network-object Maridian-primary-Net 255.255.255.128
 network-object Meridian-backup-Net 255.255.255.128
object-group network Vital-network-hardware-access
 network-object host UnityVM
 network-object host CiscoCallManager
 network-object host AccessSwitch1MDFA
 network-object host AccessSwitch1IDFB
 network-object host AccessSwitch2IDFB
 network-object host AccessSwitch1IDFC
 network-object host CoreSwitch1
 network-object host CoreSwitch2
object-group service RDP tcp
 port-object eq 3389
object-group network DM_INLINE_NETWORK_7
 network-object Maridian-primary-Net 255.255.255.128
 network-object Meridian-backup-Net 255.255.255.128
 network-object host Meridian-primary-VPN
 network-object host Meridian_Backup_VPN
object-group network DM_INLINE_NETWORK_9
 network-object host Outside_Interface
 group-object Vital-network-hardware-access
object-group service DM_INLINE_SERVICE_2
 service-object gre
 service-object esp
 service-object ah
 service-object udp eq isakmp
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_4
 network-object 10.195.64.0 255.255.255.0
 network-object 10.239.192.0 255.255.255.128
 network-object 10.239.192.128 255.255.255.128
object-group network DM_INLINE_NETWORK_8
 network-object 10.195.64.0 255.255.255.0
 network-object 10.239.192.0 255.255.255.128
 network-object 10.239.192.128 255.255.255.128
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in extended permit ip Maridian-primary-Net 255.255.255.128 object-group DM_INLINE_NETWORK_8
access-list Outside_access_in extended permit ip Meridian-backup-Net 255.255.255.128 object-group DM_INLINE_NETWORK_3
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list Inside_nat0_outbound extended permit ip 10.239.192.0 255.255.255.0 Maridian-primary-Net 255.255.255.128
access-list Inside_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list Inside1_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list Inside1_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128
access-list Inside1_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 Meridian-backup-Net 255.255.255.128
access-list Inside1_nat0_outbound extended permit ip 10.239.192.0 255.255.255.0 10.239.199.0 255.255.255.192
access-list Inside1_nat0_outbound extended permit ip 10.195.64.0 255.255.255.192 10.239.199.0 255.255.255.192
access-list Inside1_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list Outside_1_cryptomap extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_1 Maridian-primary-Net 255.255.255.128
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 Meridian-backup-Net 255.255.255.128
access-list Vital-network-Access_splitTunnelAcl standard permit 10.239.192.0 255.255.255.128
access-list Vital-network-Access_splitTunnelAcl standard permit 10.195.64.0 255.255.255.0
access-list Vital-network-Access_splitTunnelAcl standard permit 10.239.192.128 255.255.255.128
access-list Vital_VPN extended permit ip 10.239.199.0 255.255.255.192 object-group Vital-network-hardware-access
access-list Vital_VPN extended permit icmp 10.239.199.0 255.255.255.192 object-group Vital-network-hardware-access
access-list Vital_VPN extended permit ip any any
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_4 Maridian-primary-Net 255.255.255.128
access-list Vital-Site-to-Site-access extended permit ip object-group DM_INLINE_NETWORK_5 object-group Vital-network-hardware-access
access-list Vital-Site-to-Site-access extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_6 object-group Vital-network-hardware-access
access-list Vital-Site-to-Site-access extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_9
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu Inside1 1500
mtu management 1500
ip local pool remote-access 10.239.199.11-10.239.199.62 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Inside1) 0 access-list Inside1_nat0_outbound
nat (Inside1) 1 10.0.0.0 255.0.0.0
access-group Outside_access_in in interface outside
access-group Inside1_access_in in interface Inside1
route outside 0.0.0.0 0.0.0.0 140.239.116.161 1
route Inside1 10.192.52.0 255.255.255.0 10.239.192.1 1
route Inside1 10.195.64.0 255.255.240.0 10.239.192.1 1
route Inside1 10.239.0.0 255.255.0.0 10.239.192.1 1
route Inside1 10.239.192.0 255.255.248.0 10.239.192.1 1
route outside Maridian-primary-Net 255.255.255.0 Outside_Interface 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 66.104.209.192 255.255.255.224 outside
http 192.168.1.0 255.255.255.0 management
http 10.239.172.0 255.255.252.0 Inside1
snmp-server host Inside1 10.239.132.225 community appfirestarter*#*
snmp-server location Raleigh
snmp-server contact Kevin mcdonald
snmp-server community appfirestarter*#*
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer Meridian-primary-VPN
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set peer Meridian_Backup_VPN
crypto map Outside_map 2 set transform-set ESP-3DES-MD5
crypto map Outside_map 2 set security-association lifetime seconds 28800
crypto map Outside_map 2 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 tunnel-group-list enable
group-policy Vital-network-Access internal
group-policy Vital-network-Access attributes
 dns-server value 10.239.192.10
 vpn-filter value Vital_VPN
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Vital-network-Access_splitTunnelAcl
 address-pools value remote-access
group-policy Vital-Site-to-Site-GroupPolicy internal
group-policy Vital-Site-to-Site-GroupPolicy attributes
 vpn-filter value Vital-Site-to-Site-access
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
username APPRaleigh password m40Ls2r9N918trxp encrypted
username APPRaleigh attributes
 vpn-group-policy Vital-network-Access
 service-type remote-access
username kmadmin password u8urNz44/I.ugcF. encrypted privilege 15
tunnel-group 65.118.69.251 type ipsec-l2l
tunnel-group 65.118.69.251 general-attributes
 default-group-policy Vital-Site-to-Site-GroupPolicy
tunnel-group 65.118.69.251 ipsec-attributes
 pre-shared-key *
tunnel-group 65.123.23.194 type ipsec-l2l
tunnel-group 65.123.23.194 general-attributes
 default-group-policy Vital-Site-to-Site-GroupPolicy
tunnel-group 65.123.23.194 ipsec-attributes
 pre-shared-key *
tunnel-group Vital-network-Access type remote-access
tunnel-group Vital-network-Access general-attributes
 address-pool remote-access
 default-group-policy Vital-network-Access
tunnel-group Vital-network-Access ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a080b1759b57190ba65d932785ad4967
: end
Can you confirm whether we have the exact reflection of the crypto ACL at the other end?
I feel maybe you have a /24 (10.239.192.0 255.255.255.0) on the other end in the remote network.
Can you please confirm that?
Also, is there a reason why you use 10.239.192.0 255.255.255.128 and 10.239.192.128 255.255.255.128 instead of 10.239.192.0 255.255.255.0?
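The reply above asks whether the crypto ACL at the remote end is an exact mirror of the local one. IPsec proxy IDs are compared as exact network pairs, so a single 10.239.192.0/24 on the peer does not match the two /25s Kevin lists locally. The following Python script is an added example, not code from the thread: it expands both sides' crypto ACL entries (object-groups resolved from a small constructed table) into (source, destination) network pairs and reports entries with no mirrored counterpart. The local entries are Kevin's Outside_cryptomap_1 with Maridian-primary-Net written out as 192.168.237.0/25; the remote ACL name VPN-TO-RALEIGH and its contents are constructed to show the mismatch the reply suspects, next to a correctly mirrored version.

```python
"""Check that two IPsec peers' crypto ACLs (proxy IDs) mirror each other exactly."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def _endpoint(tokens: List[str], groups: Dict[str, List[str]]) -> List[Net]:
    """Consume one ACL endpoint (any | host A | object-group G | A MASK) and return its networks."""
    first = tokens.pop(0)
    if first == "any":
        return [Net("0.0.0.0/0")]
    if first == "host":
        return [Net(tokens.pop(0) + "/32")]
    if first == "object-group":
        return [Net(member) for member in groups[tokens.pop(0)]]
    return [Net(f"{first}/{tokens.pop(0)}")]          # dotted-mask form, e.g. 10.0.0.0/255.0.0.0


def crypto_acl_pairs(acl_text: str, groups: Dict[str, List[str]]) -> Set[Pair]:
    """Expand 'access-list NAME extended permit ip SRC DST' lines into (src, dst) network pairs."""
    pairs: Set[Pair] = set()
    for line in acl_text.strip().splitlines():
        m = re.match(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)", line.strip())
        if not m:
            continue                                    # remarks and non-ip entries are ignored here
        tokens = m.group(1).split()
        sources = _endpoint(tokens, groups)
        destinations = _endpoint(tokens, groups)
        pairs.update((s, d) for s in sources for d in destinations)
    return pairs


def mirror_check(local: Set[Pair], remote: Set[Pair]) -> Tuple[List[Pair], List[Pair]]:
    """Return (local pairs the remote does not mirror, remote pairs the local side does not mirror).
    Proxy IDs must match exactly: a /24 on the peer does not cover two /25s locally."""
    remote_mirrored = {(d, s) for (s, d) in remote}
    return sorted(local - remote_mirrored), sorted(remote_mirrored - local)


# --- constructed sample input -------------------------------------------------------------
# Local side: Kevin's Outside_cryptomap_1, with Maridian-primary-Net = 192.168.237.0/25.
LOCAL_GROUPS = {"DM_INLINE_NETWORK_4": ["10.195.64.0/24", "10.239.192.0/25", "10.239.192.128/25"]}
LOCAL_ACL = """
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_4 192.168.237.0 255.255.255.128
"""
# Remote side (constructed): the peer lists 10.239.192.0 as one /24, as the reply suspects.
REMOTE_ACL_SUSPECTED = """
access-list VPN-TO-RALEIGH extended permit ip 192.168.237.0 255.255.255.128 10.239.192.0 255.255.255.0
access-list VPN-TO-RALEIGH extended permit ip 192.168.237.0 255.255.255.128 10.195.64.0 255.255.255.0
"""
# Remote side (constructed): an exact mirror of the local ACL.
REMOTE_ACL_MIRRORED = """
access-list VPN-TO-RALEIGH extended permit ip 192.168.237.0 255.255.255.128 10.239.192.0 255.255.255.128
access-list VPN-TO-RALEIGH extended permit ip 192.168.237.0 255.255.255.128 10.239.192.128 255.255.255.128
access-list VPN-TO-RALEIGH extended permit ip 192.168.237.0 255.255.255.128 10.195.64.0 255.255.255.0
"""


def check(remote_acl: str) -> Tuple[List[str], List[str]]:
    """Compare the local ACL against one remote ACL; mismatches come back as 'src -> dst' strings."""
    local = crypto_acl_pairs(LOCAL_ACL, LOCAL_GROUPS)
    remote = crypto_acl_pairs(remote_acl, {})
    missing, extra = mirror_check(local, remote)

    def fmt(pairs: List[Pair]) -> List[str]:
        return [f"{s} -> {d}" for s, d in pairs]

    return fmt(missing), fmt(extra)


if __name__ == "__main__":
    missing, extra = check(REMOTE_ACL_SUSPECTED)
    print("local entries with no mirror on the peer:", missing)
    print("peer entries (mirrored) with no local match:", extra)
```

With the suspected /24 on the peer, both local /25 entries are reported as unmirrored and the peer's /24 as unmatched; with the mirrored ACL both lists are empty. The same function works for any number of entries on either side, which is what makes it useful for the three-network case in the question.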
-
Greetings,
I am practicing VPN implementation and seem to have run into a small issue whose solution eludes me. Everything works in my current topology with the exception of a multi-site VPN. I have 3 ASAs, whose outside interfaces are connected via a switch. The inside interface is connected to a local area network that contains a workstation on each subnet. I'm trying to set up a solution where I can have all 3 ASAs linked to each other via a VPN. The issue I have is that when I bring up a single tunnel, sourced from a workstation behind the ASA, I can't bring up a second tunnel sourced from a different network. To explain it better, here is the layout:
ASA #1
outside: 10.0.1.1/24
inside: 192.168.0.1/24
workstation: 192.168.0.100
ASA #2
outside: 10.0.1.2/24
inside: 192.168.1.1/24
workstation: 192.168.1.100
ASA #3
outside: 10.0.1.3/24
inside: 192.168.2.1/24
workstation: 192.168.2.100
If I ping from 192.168.0.100 to 192.168.1.100, the tunnel comes up fine and I get replies. If I then try to ping from 192.168.0.100 to 192.168.2.100, the tunnel to 192.168.2.0 does not come up. If I clear all SAs on ASA #1 and then ping from 192.168.0.100 to 192.168.2.100, the tunnel comes up fine and I get a response. Then I try to ping from 192.168.0.100 to 192.168.1.100 and the same thing happens: no tunnel and no response. When I enabled logging on ASA #1 it seems that it sends the ping for the other network over the tunnel that is already open instead of opening a new tunnel to the correct network. Can someone tell me what is happening here and whether I just missed something simple with routing? Or is it maybe a problem with the VPN?
Craig,
You have the default route badly configured on all the ASAs. Here's what you have configured
ASA1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
It's sending the packets for outside to the inside IP address. Here's what you need to do on the ASAs
ASA1
no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.2
ASA2
no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.1
ASA3
no route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.1
Also delete the icmp entry from the crypto access-list, since the ip entry in the same access-list already covers it. IP covers ICMP too.
Kindly let me know if the change allows the traffic.
Kind regards
Bad Boy
P.S. Please mark this message as 'Answered' if you find this information useful, so that it helps other users of the community
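Bad Boy's diagnosis is that each ASA's default route names the outside interface but points at the firewall's own inside address, so the next hop can never be reached out of that interface. The following Python script is an added example, not code from the thread: it parses the interface and route statements of a constructed ASA config fragment modelled on Craig's ASA #1 and flags any route whose next hop is one of the firewall's own addresses or does not lie on the subnet of the interface the route names. The config text and the off-subnet 172.16.0.1 sample are constructed for the example.

```python
"""Audit ASA static routes: a next hop must be a host on the subnet of the
interface the route points out of, and never one of the ASA's own addresses."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_config(config: str) -> Tuple[Dict[str, ipaddress.IPv4Interface], List[Route]]:
    """Collect nameif -> interface address/mask, plus every 'route' statement."""
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    routes: List[Route] = []
    nameif: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            nameif = None                      # new block; its nameif is not known yet
        elif line.startswith("nameif "):
            nameif = parts[1]
        elif line.startswith("ip address ") and nameif:
            interfaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif line.startswith("route "):
            # route <ifname> <network> <mask> <gateway> [metric]
            routes.append((parts[1], ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"),
                           ipaddress.IPv4Address(parts[4])))
    return interfaces, routes


def audit_routes(config: str) -> List[str]:
    """Return one finding per route whose next hop cannot be reached as written."""
    interfaces, routes = parse_config(config)
    findings: List[str] = []
    for ifname, network, gateway in routes:
        owner = next((n for n, i in interfaces.items() if i.ip == gateway), None)
        if ifname not in interfaces:
            findings.append(f"route {network} via {gateway}: unknown interface {ifname}")
        elif owner is not None:
            findings.append(f"route {network} via {gateway} on {ifname}: "
                            f"next hop is this ASA's own {owner} address")
        elif gateway not in interfaces[ifname].network:
            findings.append(f"route {network} via {gateway} on {ifname}: "
                            f"next hop is not on {interfaces[ifname].network}")
    return findings


# Constructed config fragments modelled on Craig's ASA #1 (outside 10.0.1.1/24, inside 192.168.0.1/24).
_INTERFACES = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
"""
ASA1_BEFORE = _INTERFACES + "route outside 0.0.0.0 0.0.0.0 192.168.0.1 1\n"   # as posted
ASA1_AFTER = _INTERFACES + "route outside 0.0.0.0 0.0.0.0 10.0.1.2 1\n"       # Bad Boy's fix
ASA1_OFFNET = _INTERFACES + "route outside 0.0.0.0 0.0.0.0 172.16.0.1 1\n"    # constructed: gateway not on-link

if __name__ == "__main__":
    for label, cfg in (("before", ASA1_BEFORE), ("after", ASA1_AFTER), ("off-net", ASA1_OFFNET)):
        print(label, audit_routes(cfg) or ["ok"])
```

The posted route produces a finding naming the inside address as the ASA's own; the corrected route produces none. The off-net case is the other common mistake the same check catches: a gateway that is a valid router but not on the named interface's segment.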
-
Order of operations NAT on Site to Site VPN Cisco ASA
Hello
I have a question about the NAT order of operations on a Site to Site VPN on a Cisco ASA running 8.2.x. I have a scenario where internal IP addresses in the range 10.17.128.x are NATted to public IPs 31.10.10.x. Below is the config:
The tunnel normally passes traffic to the DMZ servers 31.10.11.10 and 31.10.11.11.
But the NATted servers (10.17.128.x <-> 31.10.10.x) do not work.
crypto map inside_map 50 set transform-set ESP-3DES-SHA
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 general-attributes
 default-group-policy PHX_HK
tunnel-group 100.1.1.1 ipsec-attributes
 pre-shared-key *
group-policy PHX_HK internal
group-policy PHX_HK attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc webvpn
crypto map inside_map 50 match address outside_cryptomap_50
crypto map inside_map 50 set peer 100.1.1.1
crypto map inside_map 50 set transform-set ESP-3DES-SHA
crypto map inside_map 50 set reverse-route
object-group network PHX_Local
 network-object host 31.10.11.10
 network-object host 31.10.11.11
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
 network-object host 10.17.128.20
 network-object host 10.17.128.21
 network-object host 10.17.128.22
 network-object host 10.17.128.23
object-group network HK_Remote
 network-object host 102.1.1.10
access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
access-list ACL_INSIDE extended permit ip object-group PHX_Local object-group HK_Remote
access-list ACL_OUTSIDE extended permit ip object-group HK_Remote object-group PHX_Local
access-list outside_cryptomap_50 extended permit ip object-group PHX_Local object-group HK_Remote
route outside 102.1.1.10 255.255.255.255 30.1.1.1 1
static (inside,outside) 31.10.10.10 10.17.128.20 netmask 255.255.255.255
static (inside,outside) 31.10.10.11 10.17.128.21 netmask 255.255.255.255
static (inside,outside) 31.10.10.12 10.17.128.22 netmask 255.255.255.255
static (inside,outside) 31.10.10.13 10.17.128.23 netmask 255.255.255.255
It started to work when I created another object-group named PHX_Local1 and used it in the inside_nat0_outbound access-list instead of object-group PHX_Local, as below:
object-group network PHX_Local1
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
no access-list inside_nat0_outbound extended permit ip object-group PHX_Local object-group HK_Remote
access-list inside_nat0_outbound extended permit ip object-group PHX_Local1 object-group HK_Remote
Can you please help me understand why object-group PHX_Local failed with access-list inside_nat0_outbound, but it began to work with object-group PHX_Local1?
Also, if you could tell me the order of operations for NAT with a Site to Site VPN, it would be useful.
Thank you
Kind regards
Thomas
Hello
I think you could have stated the original question in a way that was misleading. In other words, if I understand correctly now.
From what I understand now, you have the DMZ servers set up with public IP addresses on the real servers. And for those you have configured NAT0.
Then you have other servers that do not have public IP addresses themselves, but are translated on the ASA.
If this is the case, then the next question would be: should the servers with NAT attend the L2L VPN connection with their real IP address or with their NAT IP address?
Of course, if you configure static NAT and NAT0 for the same servers, NAT0 will always win.
You have these hosts which were not able to use the L2L VPN
31.10.10.10 10.17.128.20
31.10.10.11 10.17.128.21
31.10.10.12 10.17.128.22
31.10.10.13 10.17.128.23
IF you want them to go through the L2L VPN with their original IP address, then you must configure
object-group network LOCAL
 network-object host 10.17.128.20
 network-object host 10.17.128.21
 network-object host 10.17.128.22
 network-object host 10.17.128.23
object-group network REMOTE
 network-object host 102.1.1.10
access-list inside_nat0_outbound extended permit ip object-group LOCAL object-group REMOTE
access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE
IF you want them to use the L2L VPN with their public IP address, then you must configure
object-group network LOCAL
 network-object host 31.10.10.10
 network-object host 31.10.10.11
 network-object host 31.10.10.12
 network-object host 31.10.10.13
object-group network REMOTE
 network-object host 102.1.1.10
access-list outside_cryptomap_50 extended permit ip object-group LOCAL object-group REMOTE
EDIT: in this case you naturally do not configure any NAT0 for the actual IP addresses, since we want precisely the NAT IP addresses to be visible to the L2L VPN.
Or you can of course use the same "object-group" as currently but change its content appropriately.
Be sure to mark it as answered if it was answered.
Ask more if necessary
-Jouni
-
Cisco ASA Site to Site VPN IPSEC and NAT question
Hi people,
I have a question about Site to Site IPSEC VPN and NAT. Basically what I want to achieve is the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPSEC VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.
Just an example:
Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 with destination, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)
The translation holds for the rest of the communication (host N2 pings host N3 with destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider, where we provided it to our customers (IPsec Site to Site VPN with NAT, I don't know how it was set up)
Basically we contacted the customer's hosts via the site-to-site VPN but their real addresses were hidden and we used translated addresses; in the example above 10.23.1.0/24 instead of the (real) 192.168.1.0/24, and the last byte must be the same.
Grateful if someone can shed some light on this subject.
Hello
OK, so going with the old NAT configuration format,
It seems to me that you could do the following:
- Configure ASA1 with policy static NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
- Because the above is a policy static NAT, the translation will be done only when the destination network is 10.1.0.0/16
- If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the usual PAT configuration interfere with each other
- On the ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- access-list INSIDE-SHEEP remark L2LVPN SHEEP
- access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-SHEEP
- You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration tomorrow, but I would like to know if it works.
Please rate if this was helpful
-Jouni
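Thomas's question earlier on the page (why NAT0 built on PHX_Local blocked the tunnel while PHX_Local1 fixed it) and the policy static NAT answer above both turn on the same rule Jouni states: on ASA 8.2 NAT exemption is evaluated before static NAT, which is evaluated before dynamic NAT/PAT, and the crypto ACL then sees the post-NAT source address. The following Python script is an added example, not code from either thread: it models that order for inside-to-outside traffic and tests the translated packet against the local crypto ACL and against a constructed remote crypto ACL, which is assumed to list only the public 31.10.10.x and 31.10.11.x addresses (the thread does not show the HK peer's ACL). The 203.0.113.1 PAT address and the 198.51.100.7 Internet destination are constructed.

```python
"""Model ASA 8.2 inside-to-outside NAT order of operations and check the
post-NAT packet against both peers' crypto ACLs (IPsec proxy IDs)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
AclPairs = Set[Tuple[Net, Net]]


@dataclass(frozen=True)
class Exempt:
    """nat (inside) 0 access-list ... : NAT exemption (NAT0), evaluated first."""
    src: Net
    dst: Net


@dataclass(frozen=True)
class Static:
    """static (inside,outside) MAPPED REAL [access-list ...]; dst set => policy static NAT."""
    mapped: Net
    real: Net
    dst: Optional[Net] = None


@dataclass(frozen=True)
class Dynamic:
    """nat (inside) 1 REAL + global (outside) 1 interface : dynamic PAT, evaluated last."""
    real: Net
    pat_addr: Addr


def translate(src: str, dst: str, exempts: List[Exempt], statics: List[Static],
              dynamics: List[Dynamic]) -> Tuple[Addr, str]:
    """Return (translated source, rule that fired). Precedence: exemption, static, dynamic."""
    s, d = Addr(src), Addr(dst)
    for r in exempts:
        if s in r.src and d in r.dst:
            return s, "nat 0 (exemption)"          # exemption always wins over a static
    for r in statics:                              # list policy statics before plain ones
        if s in r.real and (r.dst is None or d in r.dst):
            host_part = int(s) - int(r.real.network_address)   # net-to-net static keeps the host bits
            return Addr(int(r.mapped.network_address) + host_part), "static"
    for r in dynamics:
        if s in r.real:
            return r.pat_addr, "dynamic PAT"
    return s, "no translation"


def in_acl(src: Addr, dst: Addr, acl: AclPairs) -> bool:
    """True if some crypto ACL entry covers the (src, dst) pair."""
    return any(src in a and dst in b for a, b in acl)


def simulate(src: str, dst: str, exempts: List[Exempt], statics: List[Static],
             dynamics: List[Dynamic], local_acl: AclPairs, remote_acl: AclPairs) -> Dict[str, object]:
    """Translate, then match the post-NAT packet locally and (mirrored) on the remote peer."""
    xl, rule = translate(src, dst, exempts, statics, dynamics)
    return {"translated_src": str(xl), "rule": rule,
            "local_acl_match": in_acl(xl, Addr(dst), local_acl),
            "remote_acl_match": in_acl(Addr(dst), xl, remote_acl)}


def _hosts(*addrs: str) -> List[Net]:
    return [Net(a + "/32") for a in addrs]


# --- Thomas's scenario (addresses from the thread; the remote ACL is a constructed assumption) ---
HK_REMOTE = Net("102.1.1.10/32")
PHX_DMZ = ["31.10.11.10", "31.10.11.11"]
PHX_MAPPED = ["31.10.10.10", "31.10.10.11", "31.10.10.12", "31.10.10.13"]
PHX_REAL = ["10.17.128.20", "10.17.128.21", "10.17.128.22", "10.17.128.23"]
STATICS = [Static(Net(m + "/32"), Net(r + "/32")) for m, r in zip(PHX_MAPPED, PHX_REAL)]
LOCAL_ACL: AclPairs = {(h, HK_REMOTE) for h in _hosts(*PHX_DMZ, *PHX_MAPPED, *PHX_REAL)}  # PHX_Local -> HK_Remote
REMOTE_ACL: AclPairs = {(HK_REMOTE, h) for h in _hosts(*PHX_DMZ, *PHX_MAPPED)}            # peer knows public IPs only
EXEMPT_PHX_LOCAL = [Exempt(h, HK_REMOTE) for h in _hosts(*PHX_DMZ, *PHX_MAPPED, *PHX_REAL)]  # original NAT0
EXEMPT_PHX_LOCAL1 = [Exempt(h, HK_REMOTE) for h in _hosts(*PHX_MAPPED)]                      # NAT0 that worked


def case_phx_local() -> Dict[str, object]:
    return simulate("10.17.128.20", "102.1.1.10", EXEMPT_PHX_LOCAL, STATICS, [], LOCAL_ACL, REMOTE_ACL)


def case_phx_local1() -> Dict[str, object]:
    return simulate("10.17.128.20", "102.1.1.10", EXEMPT_PHX_LOCAL1, STATICS, [], LOCAL_ACL, REMOTE_ACL)


# --- policy static NAT from the thread above: 192.168.1.x -> 10.23.1.x only towards 10.1.0.0/16 ---
POLICY_STATIC = [Static(Net("10.23.1.0/24"), Net("192.168.1.0/24"), Net("10.1.0.0/16"))]
PAT = [Dynamic(Net("0.0.0.0/0"), Addr("203.0.113.1"))]      # constructed outside address


def policy_to_vpn() -> Tuple[str, str]:
    xl, rule = translate("192.168.1.5", "10.1.0.1", [], POLICY_STATIC, PAT)
    return str(xl), rule


def policy_to_internet() -> Tuple[str, str]:
    xl, rule = translate("192.168.1.5", "198.51.100.7", [], POLICY_STATIC, PAT)
    return str(xl), rule


if __name__ == "__main__":
    print("nat0 = PHX_Local :", case_phx_local())
    print("nat0 = PHX_Local1:", case_phx_local1())
    print("policy NAT to VPN:", policy_to_vpn(), " to Internet:", policy_to_internet())
```

With PHX_Local in the exemption ACL, 10.17.128.20 is exempted and enters the tunnel untranslated; it matches the local crypto ACL but not the peer's, which is the failure Thomas saw. With PHX_Local1 the exemption no longer matches, the static translates the host to 31.10.10.10 and both sides agree. The policy static case shows the translation firing only for the 10.1.0.0/16 destination and falling through to PAT otherwise.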
-
Site to site vpn errors.
When I configure the site to site tunnel, I get errors in the logging of both ASAs.
I've included the two configs of the ASA firewalls.
Anyone see what I'm missing?
small site
: Saved
: Written by usiadmin at 15:22:08.143 UTC Mon Mar 19 2012
!
ASA Version 7.2(3)
!
hostname smallASA
domain-name domain.com
enable password awSQhSsotCzGWRMo encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 116.12.211.66 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd L0Wjs4eA25R/befo encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.20.1
 domain-name domain.com
access-list outside_1_cryptomap extended permit ip 10.16.4.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.16.4.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 116.12.211.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.16.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.16.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.16.4.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 165.21.83.88 10.10.2.1
dhcpd domain domain.com
dhcpd auto_config outside
!
dhcpd address 10.16.4.100-10.16.4.131 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username usiadmin password DI5M5NnQfLzGHaw1 encrypted privilege 15
username initech password ENDpqoooBPsmGFZP encrypted privilege 15
tunnel-group 12.69.103.226 type ipsec-l2l
tunnel-group 12.69.103.226 ipsec-attributes
 pre-shared-key PSK
prompt hostname context
Cryptochecksum:e6bf95f3c25574bfed2adafb3283e882
: end
large site
: Saved
: Written by usiadmin at 22:57:30.549 CDT Mon Mar 19 2012
!
ASA Version 8.0(3)
!
hostname STO-ASA-5510-FW
domain-name domain.com
enable password ...Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description Transit BGP
name 10.10.99.0 VPN
name 10.10.2.80 BB
dns-guard
!
interface Ethernet0/0
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.10.200.29 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1
 description Outside Interface facing the Router for Internet.
 nameif outside
 security-level 0
 ip address 12.69.103.226 255.255.255.240
 ospf cost 10
!
interface Ethernet0/2
 description physical trunk interface - do not use
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.900
 description DMZ Interface 12.69.103.0/26 (usable hosts .1 to .62)
 vlan 900
 nameif DMZ1-VLAN900
 security-level 50
 ip address 12.69.103.1 255.255.255.192
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.5.250 255.255.254.0
 ospf cost 10
 management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec STO-ASA-5510-FW
banner exec ASA5510 - 10.10.200.29
banner exec configured for data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized users only.
banner login Individuals using this computer network system without authority,
banner login or in excess of their authority, are subject to having all of their
banner login activities on this system monitored and recorded by computer network
banner login system personnel. In order to protect the computer network system from
banner login unauthorized use and to ensure that the computer network system is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login evidence of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officials.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
 description SAP updates
 port-object eq 3299
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HUMANLand tcp
 port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp-udp eq www
 service-object udp eq snmp
 service-object udp eq snmptrap
 service-object udp eq syslog
 service-object tcp eq 2055
 service-object udp eq 2055
 service-object tcp eq 3389
object-group service human tcp-udp
 port-object eq 8100
object-group service grove tcp
 port-object eq 2492
object-group service netflowTcp tcp
 port-object eq 2055
object-group service 6144 tcp-udp
 description 6144
 port-object eq 6144
object-group service 1536-DMPA-inter tcp-udp
 description 1536-DMPA-inter
 port-object eq 1536
object-group network DM_INLINE_NETWORK_1
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_3
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_4
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group service rdp tcp
 description RDP
 port-object eq 3389
object-group network DM_INLINE_NETWORK_5
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.16.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.255.0
access-list outside remark 207.152.125.136
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_1 any log
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_2 host 12.69.103.129
access-list outside extended deny object-group TCPUDP any object-group DM_INLINE_NETWORK_3
access-list outside extended deny object-group TCPUDP host 12.69.103.129 object-group DM_INLINE_NETWORK_4
access-list outside remark * In Bound SAP update traffic by Ron Odom *
access-list outside extended permit tcp host 194.39.131.34 host 12.69.103.155 range 3200 3300 log
access-list outside remark * SAP router *
access-list outside extended permit tcp host 10.10.2.110 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark * inbound to the mail server 10.10.2.10 Peter K *
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark * inbound to the OCS EDGE on DMZ Peter K *
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark flagged for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit ip any host 12.69.103.156 inactive
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark * inbound to host 10.10.3.200 - Dan K *
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark * inbound to host 10.10.2.30 USIFAXBACK - Dan K *
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark * inbound to host 10.10.8.5 - Mitel 7100 BOB M 4/4-2008 - BV *
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark allow all return ICMP traffic turned off in order to help hide from attacks
access-list outside extended deny icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip object-group DM_INLINE_NETWORK_7 any
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
list of external extended ip access permits any object-group DM_INLINE_NETWORK_6
list of access outside the scope permitted udp host 12.88.249.62 any DM_INLINE_UDP_1 object-group
Note added to pervent bocking human outside access list
list of access outside the permitted scope object-TCPUDP host 10.12.2.250 host 200.56.251.121 human group object
Note added to pervent bocking human outside access list
list of access outside the permitted scope object-TCPUDP host 200.56.251.121 host 10.12.2.250 human group object
outside the permitted scope of access tcp list any any eq log pptp
extended access list to refuse the object-group TCPUDP outdoors everything any object-group 6144
VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 VPN 255.255.255.192
extensive list of access VPN-SplitTunnel ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192 allow
extended VPN-SplitTunnel access list ip 10.12.0.0 allow 255.255.0.0 VPN 255.255.255.192
extended VPN-SplitTunnel access list ip 10.13.0.0 allow 255.255.0.0 VPN 255.255.255.192
list of access VPN-SplitTunnel extended permitted ip VPN BGP-Transit_Network 255.255.255.0 255.255.255.192
list of access VPN-SplitTunnel extended permitted ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.14.4.0 255.255.254.0
VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.15.4.0 255.255.254.0
VPN-SplitTunnel extended 10.10.0.0 ip access list allow 255.255.0.0 10.14.8.0 255.255.254.0
Note DMZ1_in access-list * OCS - 2nd interface to inside EDGE welcomes Peter K *.
DMZ1_in list extended access permit tcp host 12.69.103.3 host 10.10.2.15 DM_INLINE_TCP_2 object-group
Note DMZ1_in of access list permit all ICMP traffic
DMZ1_in access list extended icmp permitted any any newspaper
DMZ1_in deny ip extended access list all 207.152.0.0 255.255.0.0
DMZ1_in list extended access deny ip 207.152.0.0 255.255.0.0 any
Note DMZ1_in access-list * explicitly block access to all domestic networks *.
Note access-list DMZ1_in * no need allowed inside networks *.
Note DMZ1_in access-list * to do above this section *.
DMZ1_in list extended access deny ip any 10.0.0.0 255.0.0.0
DMZ1_in list extended access deny ip any 172.16.0.0 255.240.0.0
DMZ1_in list extended access deny ip any 192.168.0.0 255.255.0.0
Note DMZ1_in access-list * IP Allow - this will be the internet *.
DMZ1_in list of allowed ip extended access all any debug log
ezvpn1 list standard access allowed 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended ip allowed any one
access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 VPN 255.255.255.192
IP 10.11.0.0 allow Access-list extended sheep 255.255.0.0 VPN 255.255.255.192
IP 10.12.0.0 allow Access-list extended sheep 255.255.0.0 VPN 255.255.255.192
access-list extended sheep ip 10.13.0.0 allow 255.255.0.0 VPN 255.255.255.192
access-list sheep extended ip VPN BGP-Transit_Network 255.255.255.0 allow 255.255.255.192
access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.14.4.0 255.255.254.0
access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.14.8.0 255.255.254.0
access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list sheep extended ip 10.10.0.0 allow 255.255.0.0 10.15.4.0 255.255.254.0
access-list extended sheep allowed ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
permit traffic to access extended list ip 10.0.0.0 255.0.0.0 10.14.0.0 inactive 255.255.0.0
outside_cryptomap to access ip 10.0.0.0 scope list allow 255.0.0.0 10.15.0.0 255.255.0.0
access extensive list ip 10.14.0.0 outside_nat0_outbound allow 255.255.0.0 VPN 255.255.255.192
access extensive list ip 10.15.0.0 outside_nat0_outbound allow 255.255.0.0 VPN 255.255.255.192
outside_nat0_outbound list extended access allowed object-group ip VPN DM_INLINE_NETWORK_8 255.255.255.192
outside_cryptomap_1 to access ip 10.0.0.0 scope list allow 255.0.0.0 DM_INLINE_NETWORK_5 object-group
pager lines 24
Enable logging
timestamp of the record
logging list VPN informational level class auth
logging list class VPN config level criticism
VPN vpn list logging level notification class
notification of log list VPN vpnc level class
VPN list logging level notifications class webvpn
logging alerts list any level
exploitation forest-size of the buffer of 256000
logging buffered all
logging VPN trap
asdm of logging of information
host of inside the 10.10.2.41 logging format emblem
logging ftp-bufferwrap
connection server ftp 10.10.2.41 \logs usi\administrator 178US1SIL3 ~.
Within 1500 MTU
Outside 1500 MTU
MTU 1500 DMZ1-VLAN900
management of MTU 1500
mask 10.10.99.1 - 10.10.99.63 255.255.255.192 IP local pool Clients_vpn
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ICMP allow all outside
ICMP allow any DMZ1-VLAN900
ASDM image disk0: / asdm - 611.bin
ASDM location VPN 255.255.255.192 inside
ASDM location BGP-Transit_Network 255.255.255.0 inside
ASDM location 10.10.4.60 255.255.254.255 inside
ASDM location 255.255.255.255 inside BB
ASDM location 10.16.0.0 255.255.0.0 inside
ASDM location 69.31.0.0 255.255.0.0 inside
ASDM location 198.78.0.0 255.255.0.0 inside
ASDM location 10.16.0.0 255.255.255.0 inside
enable ASDM history
ARP timeout 14400
Global (inside) 1 10.10.2.4 netmask 255.0.0.0
Global (outside) 10 12.69.103.129 netmask 255.255.255.255
Global (outside) 11 12.69.103.130 netmask 255.255.255.255
Global (outside) 12 12.69.103.131 netmask 255.255.255.255
Global (outside) 13 12.69.103.132 netmask 255.255.255.255
Global (outside) 14 12.69.103.133 netmask 255.0.0.0
NAT (inside) 0 access-list sheep
NAT (inside) 11 192.168.255.4 255.255.255.252
NAT (inside) 12 192.168.255.8 255.255.255.252
NAT (inside) 13 192.168.255.12 255.255.255.252
NAT (inside) 10 10.10.0.0 255.255.0.0
NAT (inside) 11 10.11.0.0 255.255.0.0
NAT (inside) 12 10.12.0.0 255.255.0.0
NAT (inside) 13 10.13.0.0 255.255.0.0
NAT (inside) 10 10.14.0.0 255.255.0.0
NAT (outside) 0-list of access outside_nat0_outbound
NAT (outside) 10 10.16.0.0 255.255.255.0
NAT (outside) 10 10.14.0.0 255.255.0.0
NAT (outside) 10 10.15.0.0 255.255.0.0
NAT (outside) 10 10.16.0.0 255.255.0.0
static (DMZ1-VLAN900, external) 12.69.103.0 12.69.103.0 subnet mask 255.255.255.192
public static 12.69.103.154 (Interior, exterior) 10.10.2.41 netmask 255.255.255.255
static (inside, DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside, DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside, DMZ1-VLAN900) 172.16.0.0 subnet 255.240.0.0 172.16.0.0 mask
public static 12.69.103.147 (Interior, exterior) 10.10.2.10 netmask 255.255.255.255
public static 12.69.103.152 (Interior, exterior) 10.10.8.5 netmask 255.255.255.255
public static 12.69.103.155 (Interior, exterior) 10.10.2.110 netmask 255.255.255.255
outside access-group in external interface
Access-group DMZ1_in in interface DMZ1-VLAN900
!
Router eigrp 100
Network 10.0.0.0 255.0.0.0
!
Route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
Route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
Route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
Route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
Route outside 10.15.0.0 255.255.0.0 12.69.103.225 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout, uauth 0:05:00 absolute
dynamic-access-policy-registration DfltAccessPolicy
AAA-server Microsoft radius Protocol
simultaneous accounting mode
reactivation mode impoverishment deadtime 30
AAA-server Microsoft host 10.10.2.1
key cisco123
the ssh LOCAL console AAA authentication
AAA authentication LOCAL telnet console
AAA authentication enable LOCAL console
AAA authentication http LOCAL console
Enable http server
http 10.10.0.0 255.255.0.0 management
http 10.10.0.0 255.255.0.0 inside
SNMP-server host within the 10.10.2.41 community UNISNMP version 2 c-port udp 161
location of Server SNMP STODATDROOM
contact SNMP SYS Admin Server
UNISNMP SNMP-server community
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Server enable SNMP traps syslog
Server SNMP traps enable ipsec works stop
Server enable SNMP traps entity config - change insert-fru fru - remove
Server SNMP enable doors remote access has exceeded the threshold of session
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto outside_map 1 match address outside_cryptomap
peer set card crypto outside_map 1 115.111.107.226
card crypto outside_map 1 set of transformation-ESP-3DES-SHA
card crypto outside_map 2 match address outside_cryptomap_1
peer set card crypto outside_map 2 116.12.211.66
card crypto outside_map 2 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
address card crypto outside_map 10 game traffic
peer set card crypto outside_map 10 212.185.51.242
outside_map crypto 10 card value transform-set ESP-3DES-SHA
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
inside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
inside crypto map inside_map interface
card crypto DMZ1-VLAN900_map0 1 the value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto ISAKMP allow inside
crypto ISAKMP allow outside
crypto ISAKMP policy 5
preshared authentication
3des encryption
sha hash
Group 2
life no
crypto ISAKMP policy 10
preshared authentication
the Encryption
sha hash
Group 2
life no
Crypto isakmp nat-traversal 33
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
VPN-addr-assign local reuse-delay 10
Telnet 10.10.0.0 255.255.0.0 inside
Telnet 10.10.0.0 255.255.0.0 management
Telnet timeout 29
SSH timeout 29
SSH version 2
Console timeout 1
management-access inside
dhcprelay Server 10.10.2.1 outside
a basic threat threat detection
threat scan-threat shun except ip 10.14.0.0 address detection 255.255.0.0
threat scan-threat shun except ip 10.15.0.0 address detection 255.255.0.0
threat detection statistics
Web cache WCCP
WCCP interface within web in cache redirection
NTP 192.5.41.41 Server
NTP 192.5.41.40 Server
Server NTP 192.43.244.18
TFTP server inside 10.10.2.2 \asa
attributes of Group Policy DfltGrpPolicy
banner of value WARNING: this system is for the use of only authorized customers.
value of server WINS 10.10.2.1
value of 10.10.2.1 DNS server 10.10.2.2
Protocol-tunnel-VPN IPSec svc webvpn
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value VPN-SplitTunnel
universalsilencer.com value by default-field
Server proxy Internet Explorer 00.00.00.00 value
the address value Clients_vpn pools
internal CHINAPH group policy
CHINAPH group policy attributes
Protocol-tunnel-VPN IPSec svc webvpn
Split-tunnel-policy tunnelall
enable dhcp Intercept 255.255.0.0
the address value Clients_vpn pools
internal ezGROUP1 group policy
attributes of the strategy of group ezGROUP1
VPN-tunnel-Protocol svc webvpn
allow password-storage
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ezvpn1
allow to NEM
deleted users
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key germanysilence
type tunnel-group USISplitTunnelRemoteAccess remote access
attributes global-tunnel-group USISplitTunnelRemoteAccess
address pool Clients_vpn
IPSec-attributes tunnel-group USISplitTunnelRemoteAccess
pre-shared-key z2LNoioYVCTyJlX
type tunnel-group USISplitTunnelRADIUS remote access
attributes global-tunnel-group USISplitTunnelRADIUS
address pool Clients_vpn
Group-Microsoft LOCAL authentication server
IPSec-attributes tunnel-group USISplitTunnelRADIUS
pre-shared-key fLFO2p5KSS8Ic2y
type tunnel-group ezVPN1 remote access
tunnel-group ezVPN1 General-attributes
Group Policy - by default-ezGROUP1
ezVPN1 group of tunnel ipsec-attributes
pre-shared key, PSK
tunnel-group 212.185.51.242 type ipsec-l2l
IPSec-attributes tunnel-group 212.185.51.242
pre-shared key, PSK
NOCHECK Peer-id-validate
tunnel-group 115.111.107.226 type ipsec-l2l
IPSec-attributes tunnel-group 115.111.107.226
pre-shared key PSJ
tunnel-Group China type remote access
attributes global-tunnel-Group China
address pool Clients_vpn
Group Policy - by default-CHINAPH
tunnel-group 116.12.211.66 type ipsec-l2l
IPSec-attributes tunnel-group 116.12.211.66
pre-shared key, PSK
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns migrated_dns_map_1
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the migrated_dns_map_1 dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:834976612f8f76e1b088326516362975
: end
Hello Ronald,
You are using PFS on one site and not on the other.
Let's remove it from the site that has it and give it a try.
Change this:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
To this:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
So just do a
no crypto map outside_map 1 set pfs
Kind regards
Julio
Rate all useful posts
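Both problems in this thread, a peer landing in DefaultL2LGroup and therefore DfltGrpPolicy because no tunnel-group carries its address, and a PFS setting present on only one side, can be spotted by reading the running-config before debugging the tunnel. The script below is an added example, not code from this thread or from Cisco: it parses the crypto map sub-commands and the ipsec-l2l tunnel-groups from a constructed config excerpt (the peer addresses and ACL names are sample values modelled on the ones above) and reports each finding.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the crypto map lines in this thread: entry 1
# sets PFS and its peer has no tunnel-group of its own; entry 2 is complete.
SAMPLE_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 116.12.211.66
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group 116.12.211.66 type ipsec-l2l
"""

# Only the sub-commands the audit needs; "crypto map X interface Y" has no
# sequence number and is deliberately not matched.
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|set pfs)\s*(.*)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
NO_TG = "no ipsec-l2l tunnel-group named after this peer: ASA falls back to DefaultL2LGroup and DfltGrpPolicy"
PFS_SET = "PFS set on this entry: the remote peer must also set PFS with the same DH group or Phase 2 fails"

@dataclass
class MapEntry:
    name: str
    seq: int
    peers: list = field(default_factory=list)
    pfs: bool = False

def parse_config(text):
    # Returns ({(map_name, seq): MapEntry}, {names of ipsec-l2l tunnel-groups})
    entries, l2l_groups = {}, set()
    for line in (l.strip() for l in text.splitlines()):
        t = TG_RE.match(line)
        m = MAP_RE.match(line)
        if t:
            l2l_groups.add(t.group(1))
        elif m:
            key = (m.group(1), int(m.group(2)))
            entry = entries.setdefault(key, MapEntry(*key))
            kind, rest = m.group(3), m.group(4)
            if kind == "set peer":
                entry.peers.extend(rest.split())  # ASA allows several peers
            else:
                entry.pfs = True
    return entries, l2l_groups

def audit(text):
    # Returns a list of (map_name, seq, peer, finding) tuples.
    entries, l2l_groups = parse_config(text)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        for peer in e.peers:
            if peer not in l2l_groups:
                findings.append((name, seq, peer, NO_TG))
        if e.pfs:
            findings.append((name, seq, " ".join(e.peers) or "-", PFS_SET))
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; each finding names the crypto map entry and peer so the matching tunnel-group or PFS change can be made on the right side.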