Updates for Cisco ASA

What are the steps to enable to Qualys do a scan an ASA5505 IDS/IPS?

What are the steps to apply the update on an ASA5505 during the "Cisco PIX invalid TCP Checksum back vulnerability"?

What the patch for CVE-2014-8730?

You ASA has no IPS module, so there is no need to do something special to enable a scan from Qualys IDS/IPS.

Your ASA software is very old - like 8-1/2 years. The currently recommended for this model version is 9.1 (7).

You must first upgrade to 8.4 (6) then to 9.1 (7). This is stated in the Release Notes which have a link to a detailed guide.

SMARTnet support for a single ASA 5505 is only US $71 for a year. This material includes software and support of TAC. Part number "CON-SNT-AS5K8" applies and can be purchased by any authorized Cisco distributor or partner.

Tags: Cisco Support

Similar Questions

It is recommended to have a vulnerability for Cisco ASA device scan.

Dear everybody.

I have a doubt about the analysis of vulnerabilities for Cisco ASA device. Currently we have a vulnerability to network devices include firewalls. But after race for cisco ASA vulnerability scanning, found nothing in the analysis report.

Is it is recommended to have a Cisco ASA vulnerability scanning and it will defeat the purpose of the firewall?

I do not understand you ask you can set the ASA to allow an external user, run an analysis on the internal network?

If so the answer is generally no. The ASA, by default, not allow incoming connections (or attempts of connections) that are not explicitly allowed in a list of inbound access (applied to the external interface). In most cases there should also be (NAT) network address translation rules configured.

If you had a remote access VPN, you can allow external scanner to connect through that, then they would have the necessary access to analyze internal systems (assuming that allowed VPN access to all internal networks)

License problem of security context for Cisco ASA 5585

Hello

Can someone help me in license number for the ASA 5585 security environment,

We recently purchased a box ASA (5585) which has 2 default security context and we had like to have context for this ASA 25 permit and we got two codes PAK of Cisco for 20 licenses and 5 respectively.

When we generate the license key by combining the two codes Portal Cisco PAK and apply the same on ASA, do not see the 25; Instead, it shows only 20.

Is it really possible to stack context like 20 + 5 licenses or to buy a PAK code for any license 25 context?

Please advise me on this.

Thanks in advance!

Kind regards

Kam

Hello

This should probably not be handled with Cisco directly or through the company that got you the license.

To my knowledge, there is a possibility that the you have everything first to install a license key and the other licence could be upgraded from the previous license until the following limit of function under license.

I had several occasions where I was provided with the wrong license and had to communicate with Cisco/provider to get licenses appropriate for my device.

While I was announcing this response I checked the document of licensing for ASA models. It seems to me that there is no security content license 25 for the SAA. The deadline is 20 and license of SC 50 SC

Check this document:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/intro_license.html#wp1230400

-Jouni

Documentation for cisco asa ipsec l2tp / windows 7

Hello

I need to configure a few cisco asa 5510's for remote access VPN using l2tp ipsec. One of the requirements is that no additional vpn clients to connect. We only use the client included in Windows 7 x 86. Is there documentation on configuration of this device or a clear statement by saying that it is not taken in charge or possible yet?

Thank you

m.

Hey well at least on the errors of phase 1 more.

ASA is basically saying that's not the choice of the proposal.

Here's what is configured...
-------

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

-------

Here is what is proped:

-----

(1) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_AES

Encapsulation mode: the UDP Transport
Key length: 128
Authentication algorithm: SHA1

(2) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_3DES

Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1

(3) proposal payload

Protocol-Id: PROTO_IPSEC_ESP

Transform-Id: ESP_DES

Encapsulation mode: the UDP Transport
Authentication algorithm: SHA1

------------------

Please also visit:

https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html

I see that you have 1 default set PFS is 0.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2193372

NAT-traversal missing?

https://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/l2tp_ips.html#wp1046219

AnyConnect VPN for Cisco ASA 5505 refused connections

I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access. Here is the relevant information of my config:

interface Vlan2
mac-address xxxx.xxxx.xxxx
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.240
!
access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
access-list outside_access_in extended permit tcp any host C.C.C.C eq https
access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq https
access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
access-list outside_access_in extended permit tcp any host C.C.C.D eq www
access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
access-list outside_access_in extended permit gre any host C.C.C.C
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any interface outside
access-list inside_access_out extended permit ip any any

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside

webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable

group-policy DfltGrpPolicy attributes
dns-server value X.X.X.X
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
address-pools value palm
webvpn
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn

policy-map global_policy
class inspection_default
inspect pptp
inspect http
inspect icmp
inspect ftp
!

When I try to connect, I get this error in the real-time log viewer:

TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443

Here are the details of the license:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has a Base license.

Can someone tell me what I am doing wrong or what access list I'm missing?

I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

Hi Matt,

You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

WebVPN

tunnel-group-list activate

Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

HTH

Herbert

Can someone give me details and difficulty regarding the vulnerability of traumatic psychosis for Cisco ASA version 5?

We have experienced frm, our compliance team that we run in traumatic psychosis wanted vulnerabity so know the fix and document...

Hi James,

We have a PSIRT filed regarding the vulnerability of traumatic psychosis, please see details below:

CSCur00511 Evaluation of the ACS for CVE-2014-6271 and CVE-2014-7169

https://Tools.Cisco.com/bugsearch/bug/CSCur00511/?reffering_site=dumpcr

Here is the information of fixed code to various versions:

Fixed code:
Patch for CSCur00511 of the DDT is ready and available on CCO.
The patch is included in all update rollups version 5.4.0.46.7/5.5.0.46.6/5.6.0.22.1 and later. We recommend that you download the latest cumulative patches.

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.4 / 5.4.0.46.0

Patch file name: 5-4-0-46 -.tar.gpg
Read me and displays instructions: Acs-5-4-0-46--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.5 / 5.5.0.46

Patch file name: 5-5-0-46 -.tar.gpg
Read me and displays instructions: Acs-5-5-0-46--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.6 / 5.6.0.22

Patch file name: 5-6-0-22 -.tar.gpg
Read me and displays instructions: Acs-5-6-0-22--Readme.txt

Download of: CEC / Support / download software http://www.cisco.com/cisco/pub/software/portal/select.html?i=! y
Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.3 / 5.3.0.40

Patch file name: 5-3-0-40 -.tar.gpg
Read me and displays instructions: Acs-53 - Readme.txt

Kind regards

Tushar Bénard

Please evaluate the post if you find it useful!

How to set up the ASDM/HTTP access for Cisco ASA firewall

Hi all

I am looking for a solution / guide that will allow our ASA 5510, V8.4 (5) Firewall, ASDM version 6.4 (9) to help users Active Directory. I want to activate our administrators to access the ASA via ASDM using their AD accounts (a local administrator account also exist but not a password of General knowledge)

Anyone would be abe to advise on a guide / Solution.

Thank you very much

If that you issue correctly you want active tpo AD authention for AMPS/HTTP access to the ASA. If it is correct that you have need of the following using the CLI to enable that command

ASA-32-22 (config) # aaa authentication http console?

set up the mode commands/options:

LOCAL server predefined Protocol AAA 'local' tag

Name WORD of RADIUS or GANYMEDE + aaa-server for the administrative group

authentication

After the console you needd to defind the name of the AD server you have configured on the SAA.

You can do the same thing by using ASDM:

Change LOCAL to the announcement that there are listed.

I hope that answers your question.

Thank you

Jeet Kumar

Cisco asa 5505 and centos VPN server connection

Hi all

Please I want to set up a VPN between Cisco asa 5505 and centos server.

Here's my senerio

-------------------------

ASA 5505

Public IP 155.155.155.2

Local NETWORK: 192.168.6.X

CentOS Server

------------------

Public ip address: 155.155.155.6

Thank you guys

Apology, do you mean access remote VPN Client of hundred BONE for Cisco ASA 5505?

If the remote access, here are the sample configuration:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

Cisco ASA 5505 site for multiple subnet of the site.

Hello. I need help to configure my cisco asa 5505.

I set up a VPN between two ASA 5505 tunnel

Site 1:

Subnet 192.168.77.0

Site 2:

Have multiple VLANs and now the tunnel goes to vlan400 - 192.168.1.0

What I need help:

Site 1, I need to be able to reach a different virtual LAN on site 2. vlan480 - 192.168.20.0

And 1 site I have to reach 192.168.77.0 subnet of vlan480 - 192.168.20.0

Vlan480 is used for phones. In vlan480, we have a PABX.

Is this possible to do?

Any help would be much appreciated!

Config site 2:

: Saved

:

ASA Version 7.2 (2)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

names of

name 192.168.1.250 DomeneServer

name of 192.168.1.10 NotesServer

name 192.168.1.90 Steadyily

name 192.168.1.97 TerminalServer

name 192.168.1.98 eyeshare w8

name 192.168.50.10 w8-print

name 192.168.1.94 w8 - app

name 192.168.1.89 FonnaFlyMedia

!

interface Vlan1

nameif Vlan1

security-level 100

IP 192.168.200.100 255.255.255.0

OSPF cost 10

!

interface Vlan2

nameif outside

security-level 0

IP address 79.x.x.226 255.255.255.224

OSPF cost 10

!

interface Vlan400

nameif vlan400

security-level 100

IP 192.168.1.1 255.255.255.0

OSPF cost 10

!

interface Vlan450

nameif Vlan450

security-level 100

IP 192.168.210.1 255.255.255.0

OSPF cost 10

!

interface Vlan460

nameif Vlan460-SuldalHotell

security-level 100

IP 192.168.2.1 255.255.255.0

OSPF cost 10

!

interface Vlan461

nameif Vlan461-SuldalHotellGjest

security-level 100

address 192.168.3.1 IP 255.255.255.0

OSPF cost 10

!

interface Vlan462

Vlan462-Suldalsposten nameif

security-level 100

192.168.4.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan470

nameif vlan470-Kyrkjekontoret

security-level 100

IP 192.168.202.1 255.255.255.0

OSPF cost 10

!

interface Vlan480

nameif vlan480 Telefoni

security-level 100

address 192.168.20.1 255.255.255.0

OSPF cost 10

!

interface Vlan490

nameif Vlan490-QNapBackup

security-level 100

IP 192.168.10.1 255.255.255.0

OSPF cost 10

!

interface Vlan500

nameif Vlan500-HellandBadlands

security-level 100

192.168.30.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan510

Vlan510-IsTak nameif

security-level 100

192.168.40.1 IP address 255.255.255.0

OSPF cost 10

!

interface Vlan600

nameif Vlan600-SafeQ

security-level 100

192.168.50.1 IP address 255.255.255.0

OSPF cost 10

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 500

switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610

switchport mode trunk

!

interface Ethernet0/3

switchport access vlan 490

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd encrypted x

passive FTP mode

clock timezone WAT 1

DNS server-group DefaultDNS

domain default.domain.invalid

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

Lotus_Notes_Utgaaande tcp service object-group

UT og Frim Notes Description til alle

area of port-object eq

port-object eq ftp

port-object eq www

EQ object of the https port

port-object eq lotusnotes

EQ Port pop3 object

EQ pptp Port object

EQ smtp port object

Lotus_Notes_inn tcp service object-group

Description of the inn og alle til Notes

port-object eq www

port-object eq lotusnotes

EQ Port pop3 object

EQ smtp port object

object-group service Reisebyraa tcp - udp

3702 3702 object-port Beach

5500 5500 object-port Beach

range of object-port 9876 9876

object-group service Remote_Desktop tcp - udp

Description Tilgang til Remote Desktop

3389 3389 port-object range

object-group service Sand_Servicenter_50000 tcp - udp

Description program tilgang til sand service AS

object-port range 50000 50000

VNC_Remote_Admin tcp service object-group

Description Fra ¥ oss til alle

5900 5900 port-object range

object-group service Printer_Accept tcp - udp

9100 9100 port-object range

port-object eq echo

ICMP-type of object-group Echo_Ping

echo ICMP-object

response to echo ICMP-object

object-group service Print tcp

9100 9100 port-object range

FTP_NADA tcp service object-group

Suldalsposten NADA tilgang description

port-object eq ftp

port-object eq ftp - data

Telefonsentral tcp service object-group

Hoftun description

port-object eq ftp

port-object eq ftp - data

port-object eq www

EQ object of the https port

port-object eq telnet

Printer_inn_800 tcp service object-group

Fra 800 thought-out og inn til 400 port 7777 description

range of object-port 7777 7777

Suldalsposten tcp service object-group

Description send av mail hav Mac Mail at - Ã ¥ nrep smtp

EQ Port pop3 object

EQ smtp port object

http2 tcp service object-group

Beach of port-object 81 81

object-group service DMZ_FTP_PASSIVE tcp - udp

55536 56559 object-port Beach

object-group service DMZ_FTP tcp - udp

20 21 object-port Beach

object-group service DMZ_HTTPS tcp - udp

Beach of port-object 443 443

object-group service DMZ_HTTP tcp - udp

8080 8080 port-object range

DNS_Query tcp service object-group

of domain object from the beach

object-group service DUETT_SQL_PORT tcp - udp

Description for a mellom andre og duett Server nett

54659 54659 object-port Beach

outside_access_in of access allowed any ip an extended list

outside_access_out of access allowed any ip an extended list

vlan400_access_in list extended access deny ip any host 149.20.56.34

vlan400_access_in list extended access deny ip any host 149.20.56.32

vlan400_access_in of access allowed any ip an extended list

Vlan450_access_in list extended access deny ip any host 149.20.56.34

Vlan450_access_in list extended access deny ip any host 149.20.56.32

Vlan450_access_in of access allowed any ip an extended list

Vlan460_access_in list extended access deny ip any host 149.20.56.34

Vlan460_access_in list extended access deny ip any host 149.20.56.32

Vlan460_access_in of access allowed any ip an extended list

vlan400_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande

vlan400_access_out list extended access permit tcp any host DomeneServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host TerminalServer object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host http2 object-group Steadyily

vlan400_access_out list extended access permit tcp any host NotesServer object-group Lotus_Notes_inn

vlan400_access_out list extended access permit tcp any host NotesServer object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8-eyeshare object-group Remote_Desktop

vlan400_access_out allowed extended access list tcp any host w8 - app object-group Remote_Desktop

vlan400_access_out list extended access permit tcp any host FonnaFlyMedia range 8400-8600

vlan400_access_out list extended access permit udp any host FonnaFlyMedia 9000 9001 range

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host DomeneServer

vlan400_access_out list extended access permitted tcp 192.168.4.0 255.255.255.0 host w8 - app object-group DUETT_SQL_PORT

Vlan500_access_in list extended access deny ip any host 149.20.56.34

Vlan500_access_in list extended access deny ip any host 149.20.56.32

Vlan500_access_in of access allowed any ip an extended list

vlan470_access_in list extended access deny ip any host 149.20.56.34

vlan470_access_in list extended access deny ip any host 149.20.56.32

vlan470_access_in of access allowed any ip an extended list

Vlan490_access_in list extended access deny ip any host 149.20.56.34

Vlan490_access_in list extended access deny ip any host 149.20.56.32

Vlan490_access_in of access allowed any ip an extended list

Vlan450_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan1_access_out of access allowed any ip an extended list

Vlan1_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan1_access_out deny ip extended access list a whole

Vlan1_access_out list extended access permit icmp any any echo response

Vlan460_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit icmp any any Echo_Ping object-group

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTPS

Vlan490_access_out list extended access permit tcp any host 192.168.10.10 object-group DMZ_HTTP

Vlan500_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit icmp any any Echo_Ping object-group

vlan470_access_out list extended access permit tcp any host 192.168.202.10 - group Remote_Desktop object

Vlan510_access_out list extended access permit icmp any any Echo_Ping object-group

vlan480_access_out of access allowed any ip an extended list

Vlan510_access_in of access allowed any ip an extended list

Vlan600_access_in of access allowed any ip an extended list

Vlan600_access_out list extended access permit icmp any one

Vlan600_access_out list extended access permit tcp any host w8-print object-group Remote_Desktop

Vlan600_access_out list extended access permitted tcp 192.168.1.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.202.0 255.255.255.0 host w8-printing eq www

Vlan600_access_out list extended access permitted tcp 192.168.210.0 255.255.255.0 host w8-printing eq www

Vlan600_access_in_1 of access allowed any ip an extended list

Vlan461_access_in of access allowed any ip an extended list

Vlan461_access_out list extended access permit icmp any any Echo_Ping object-group

vlan400_nat0_outbound to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap_1 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

outside_20_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.77.0 255.255.255.0

access-list Vlan462-Suldalsposten_access_in extended ip allowed any one

access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo response

access-list Vlan462-Suldalsposten_access_in_1 extended ip allowed any one

pager lines 24

Enable logging

asdm of logging of information

MTU 1500 Vlan1

Outside 1500 MTU

vlan400 MTU 1500

MTU 1500 Vlan450

MTU 1500 Vlan460-SuldalHotell

MTU 1500 Vlan461-SuldalHotellGjest

vlan470-Kyrkjekontoret MTU 1500

MTU 1500 vlan480-Telefoni

MTU 1500 Vlan490-QNapBackup

MTU 1500 Vlan500-HellandBadlands

MTU 1500 Vlan510-IsTak

MTU 1500 Vlan600-SafeQ

MTU 1500 Vlan462-Suldalsposten

no failover

Monitor-interface Vlan1

interface of the monitor to the outside

the interface of the monitor vlan400

the interface of the monitor Vlan450

the interface of the Vlan460-SuldalHotell monitor

the interface of the Vlan461-SuldalHotellGjest monitor

the interface of the vlan470-Kyrkjekontoret monitor

Monitor-interface vlan480-Telefoni

the interface of the Vlan490-QNapBackup monitor

the interface of the Vlan500-HellandBadlands monitor

Monitor-interface Vlan510-IsTak

Monitor-interface Vlan600-SafeQ

the interface of the monitor Vlan462-Suldalsposten

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 522.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

vlan400_nat0_outbound (vlan400) NAT 0 access list

NAT (vlan400) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan450) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0

NAT (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0

NAT (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0

NAT (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns

NAT (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0

NAT (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0

NAT (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0

NAT (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0

static (vlan400, external) 79.x.x.x DomeneServer netmask 255.255.255.255

static (vlan470-Kyrkjekontoret, external) 79.x.x.x 192.168.202.10 netmask 255.255.255.255

static (vlan400, external) 79.x.x.x NotesServer netmask 255.255.255.255 dns

static (vlan400, external) 79.x.x.231 netmask 255.255.255.255 TerminalServer

static (vlan400, external) 79.x.x.234 Steadyily netmask 255.255.255.255

static (vlan400, outside) w8-eyeshare netmask 255.255.255.255 79.x.x.232

static (Vlan490-QNapBackup, external) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns

static (Vlan600-SafeQ, external) 79.x.x.235 w8 - print subnet mask 255.255.255.255

static (vlan400, outside) w8 - app netmask 255.255.255.255 79.x.x.236

static (Vlan450, vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

(Vlan500-HellandBadlands, vlan400) static 192.168.30.0 192.168.30.0 netmask 255.255.255.0

(vlan400, Vlan500-HellandBadlands) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

(vlan400, Vlan450) static 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, external) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255

static (Vlan462-Suldalsposten, vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (vlan400, Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (vlan400, Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan600-SafeQ, vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

static (Vlan450, Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0

static (vlan470-Kyrkjekontoret, Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0

Access-group interface Vlan1 Vlan1_access_out

Access-group outside_access_in in interface outside

Access-group outside_access_out outside interface

Access-group vlan400_access_in in the vlan400 interface

vlan400_access_out group access to the interface vlan400

Access-group Vlan450_access_in in the Vlan450 interface

Access-group interface Vlan450 Vlan450_access_out

Access-group interface Vlan460-SuldalHotell Vlan460_access_in

Access-group interface Vlan460-SuldalHotell Vlan460_access_out

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_in

Access-group interface Vlan461-SuldalHotellGjest Vlan461_access_out

Access-group vlan470_access_in in interface vlan470-Kyrkjekontoret

vlan470_access_out access to the interface vlan470-Kyrkjekontoret group

access to the interface vlan480-Telefoni, vlan480_access_out group

Access-group interface Vlan490-QNapBackup Vlan490_access_in

Access-group interface Vlan490-QNapBackup Vlan490_access_out

Access-group interface Vlan500-HellandBadlands Vlan500_access_in

Access-group interface Vlan500-HellandBadlands Vlan500_access_out

Access-group interface Vlan510-IsTak Vlan510_access_in

Access-group interface Vlan510-IsTak Vlan510_access_out

Access-group Vlan600_access_in_1 interface Vlan600-SafeQ

Access-group Vlan600_access_out interface Vlan600-SafeQ

Access-group Vlan462-Suldalsposten_access_in_1 Vlan462-Suldalsposten interface

Access-group Vlan462-Suldalsposten_access_out_1 Vlan462-Suldalsposten interface

Route outside 0.0.0.0 0.0.0.0 79.x.x.225 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout, uauth 0:05:00 absolute

x x encrypted privilege 15 password username

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.210.0 255.255.255.0 Vlan450

http 192.168.200.0 255.255.255.0 Vlan1

http 192.168.1.0 255.255.255.0 vlan400

No snmp server location

No snmp Server contact

SNMP-Server Community public

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 20 match address outside_20_cryptomap_1

card crypto outside_map 20 set pfs

peer set card crypto outside_map 20 62.92.159.137

outside_map crypto 20 card value transform-set ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

ISAKMP crypto enable vlan400

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

tunnel-group 62.92.159.137 type ipsec-l2l

IPSec-attributes tunnel-group 62.92.159.137

pre-shared-key *.

Telnet 192.168.200.0 255.255.255.0 Vlan1

Telnet 192.168.1.0 255.255.255.0 vlan400

Telnet timeout 5

SSH 171.68.225.216 255.255.255.255 outside

SSH timeout 5

Console timeout 0

dhcpd update dns both

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1

!

dhcpd option 6 ip 81.167.36.3 81.167.36.11 outside interface

!

dhcpd address 192.168.1.100 - 192.168.1.225 vlan400

dhcpd option ip 6 DomeneServer 81.167.36.11 interface vlan400

dhcpd option 3 ip 192.168.1.1 interface vlan400

vlan400 enable dhcpd

!

dhcpd address 192.168.210.100 - 192.168.210.200 Vlan450

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450

dhcpd ip interface 192.168.210.1 option 3 Vlan450

enable Vlan450 dhcpd

!

dhcpd address 192.168.2.100 - 192.168.2.150 Vlan460-SuldalHotell

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell

dhcpd 192.168.2.1 ip interface option 3 Vlan460-SuldalHotell

dhcpd enable Vlan460-SuldalHotell

!

dhcpd address 192.168.3.100 - 192.168.3.200 Vlan461-SuldalHotellGjest

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest

dhcpd ip interface 192.168.3.1 option 3 Vlan461-SuldalHotellGjest

dhcpd enable Vlan461-SuldalHotellGjest

!

dhcpd address 192.168.202.100 - 192.168.202.199 vlan470-Kyrkjekontoret

interface of dhcpd option 3 ip 192.168.202.1 vlan470-Kyrkjekontoret

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret

dhcpd enable vlan470-Kyrkjekontoret

!

dhcpd option 3 192.168.20.1 ip interface vlan480-Telefoni

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni

!

dhcpd address 192.168.10.80 - 192.168.10.90 Vlan490-QNapBackup

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup

dhcpd 192.168.10.1 ip interface option 3 Vlan490-QNapBackup

!

dhcpd address 192.168.30.100 - 192.168.30.199 Vlan500-HellandBadlands

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands

dhcpd ip interface 192.168.30.1 option 3 Vlan500-HellandBadlands

dhcpd enable Vlan500-HellandBadlands

!

dhcpd address 192.168.40.100 - 192.168.40.150 Vlan510-IsTak

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak

dhcpd 3 ip Vlan510-IsTak 192.168.40.1 option interface

Vlan510-IsTak enable dhcpd

!

dhcpd address 192.168.50.150 - 192.168.50.199 Vlan600-SafeQ

dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ

Vlan600-SafeQ enable dhcpd

!

dhcpd address 192.168.4.100 - 192.168.4.150 Vlan462-Suldalsposten

interface option 6 ip DomeneServer 81.167.36.11 Vlan462-Suldalsposten dhcpd

interface ip dhcpd option 3 Vlan462-Suldalsposten 192.168.4.1

Vlan462-Suldalsposten enable dhcpd

!

!

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

!

context of prompt hostname

Cryptochecksum:x

: end

Site 1 config:

: Saved

:

ASA Version 7.2 (4)

!

ciscoasa hostname

domain default.domain.invalid

activate the password encrypted x

passwd encrypted x

names of

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.77.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

PPPoE Telenor customer vpdn group

IP address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 15

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passive FTP mode

DNS server-group DefaultDNS

domain default.domain.invalid

outside_access_in list extended access permit icmp any any disable log echo-reply

access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 524.bin

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Access-group outside_access_in in interface outside

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

Enable http server

http 192.168.77.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set pfs

peer set card crypto outside_map 1 79.160.252.226

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow inside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet 192.168.77.0 255.255.255.0 inside

Telnet timeout 5

SSH timeout 5

Console timeout 0

VPDN group Telenor request dialout pppoe

VPDN group Telenor localname x

VPDN group Telenor ppp authentication chap

VPDN x x local store password username

dhcpd outside auto_config

!

dhcpd address 192.168.77.100 - 192.168.77.130 inside

dhcpd dns 192.168.77.1 on the inside interface

dhcpd option 6 ip 130.67.15.198 193.213.112.4 interface inside

dhcpd allow inside

!

dhcpd option 6 ip 130.67.15.198 193.213.112.4 outside interface

!

tunnel-group 79.160.252.226 type ipsec-l2l

IPSec-attributes tunnel-group 79.160.252.226

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:x

: end

Hello

The addition of a new network to the existing VPN L2L should be a fairly simple process.

Essentially, you need to add the network of the Crypto present ACL configurations "crypto map" . You also need to configure the NAT0 configuration for it in the appropriate interfaces of the SAA. These configurations are all made on both ends of the VPN L2L connection.

Looking at your configurations above it would appear that you need to the following configurations

SITE 1
- We add the new network at the same time the crypto ACL and ACL NAT0
access extensive list ip 192.168.77.0 outside_1_cryptomap allow 255.255.255.0 192.168.20.0 255.255.255.0

access extensive list ip 192.168.77.0 inside_nat0_outbound allow 255.255.255.0 192.168.20.0 255.255.255.0

SITE 2
- We add new ACL crypto network
- We create a new NAT0 configuration for interface Vlan480 because there is no previous NAT0 configuration
outside_20_cryptomap_1 to access extended list ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

Comment by VLAN480-NAT0 NAT0 for VPN access-list

access-list VLAN480-NAT0 ip 192.168.20.0 allow 255.255.255.0 192.168.77.0 255.255.255.0

NAT 0 access-list VLAN480-NAT0 (vlan480-Telefoni)

These configurations should pretty much do the trick.

Let me know if it worked

-Jouni

Problem with the VPN site to site for the two cisco asa 5505

Starting with cisco asa. I wanted to do a vpn site-to site of cisco. I need help. I can't ping from site A to site B and vice versa.

Cisco Config asa1

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 172.xxx.xx.4 255.255.240.0
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.60.2 255.255.255.0
!
passive FTP mode
network of the Lan_Outside object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
Access extensive list ip 192.168.60.0 Outside_cryptomap allow 255.255.255.0 192.168.1.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_2 of object-group a
network of the Lan_Outside object
NAT (inside, outside) interface dynamic dns
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 172.110.xx.1 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.60.0 255.255.255.0 inside
http 96.xx.xx.222 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 96.88.75.222
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
inside access management

dhcpd address 192.168.60.50 - 192.168.60.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_96.xx.xx.222 group strategy
attributes of Group Policy GroupPolicy_96.xx.xx.222
VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 96.xx.xx.222 type ipsec-l2l
tunnel-group 96.xx.xx.222 General-attributes
Group - default policy - GroupPolicy_96.xx.xx.222
96.XX.XX.222 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco ASA 2 config

interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
IP address 96.xx.xx.222 255.255.255.248
!
interface Vlan2
nameif inside
security-level 100
IP 192.168.1.254 255.255.255.0
!
passive FTP mode
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface
network of the Lan_Outside object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.60.0_24 object
192.168.60.0 subnet 255.255.255.0
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_2
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_3
ip protocol object
icmp protocol object
object-group Protocol DM_INLINE_PROTOCOL_4
ip protocol object
icmp protocol object
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_2 of object-group 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
Outside_cryptomap list extended access allow DM_INLINE_PROTOCOL_3 of object-group a
Outside_access_in list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
Inside_access_in list extended access allow DM_INLINE_PROTOCOL_4 of object-group a
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
no failover
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.60.0_24 NETWORK_OBJ_192.168.60.0_24 non-proxy-arp-search of route static destination
!
network of the Lan_Outside object
dynamic NAT (all, outside) interface
Access-group Outside_access_in in interface outside
Inside_access_in access to the interface inside group
Route outside 0.0.0.0 0.0.0.0 96.xx.xx.217 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
AAA authentication http LOCAL console
Enable http server
http 192.168.1.0 255.255.255.0 inside
http 172.xxx.xx.4 255.255.255.255 outside
No snmp server location
No snmp Server contact
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto Outside_map 1 corresponds to the address Outside_cryptomap
card crypto Outside_map 1 set peer 172.110.74.4
card crypto Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
card crypto Outside_map 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
Outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH stricthostkeycheck
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0

dhcpd address 192.168.1.50 - 192.168.1.100 inside
dhcpd allow inside
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
AnyConnect essentials
internal GroupPolicy_172.xxx.xx.4 group strategy
attributes of Group Policy GroupPolicy_172.xxx.xx.4
L2TP ipsec VPN-tunnel-Protocol ikev1, ikev2
username admin privilege 15 encrypted password f3UhLvUj1QsXsuK7
tunnel-group 172.xxx.xx.4 type ipsec-l2l
tunnel-group 172.xxx.xx.4 General-attributes
Group - default policy - GroupPolicy_172.xxx.xx.4
172.xxx.XX.4 group of tunnel ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
inspect the icmp error
inspect the http

For IKEv2 configuration: (example config, you can change to encryption, group,...)

-You must add the declaration of exemption nat (see previous answer).

-set your encryption domain ACLs:

access-list-TRAFFIC IPSEC allowed extended LOCAL REMOTE - LAN LAN ip

-Set the Phase 1:

Crypto ikev2 allow outside
IKEv2 crypto policy 10
3des encryption
the sha md5 integrity
Group 5
FRP sha
second life 86400

-Set the Phase 2:

Crypto ipsec ikev2 ipsec IKEV2-PROPOSAL
Esp aes encryption protocol
Esp integrity sha-1 protocol

-set the Group of tunnel

tunnel-group REMOTE-PUBLIC-IP type ipsec-l2l
REMOTE-PUBLIC-IP tunnel-group ipsec-attributes
IKEv2 authentication remote pre-shared-key cisco123

IKEv2 authentication local pre-shared-key cisco123

-Define the encryption card

address for correspondence CRYPTOMAP 10 - TRAFFIC IPSEC crypto map
card crypto CRYPTOMAP 10 peer set REMOTE-PUBLIC-IP
card crypto CRYPTOMAP 10 set ipsec ikev2-IKEV2-PROPOSAL
CRYPTOMAP interface card crypto outside
crypto isakmp identity address

On your config, you have all these commands but on your VPN config, you mix ikev1 and ikev2. You have also defined political different ikev2. Just do a bit of cleaning and reached agreement on a 1 strategy for the two site (encryption, hash,...)

Thank you

Cisco asa 5585 syslog options for ips?

We have CISCO ASA 5585 with a separate module for the IPS, I want to know what are the options for configuring syslog? Its almost impossible to find; and there are some forums on the internet that says cisco ips store the logs in native format / owner and cannot be exported.

Please provide details

Thank you.

Click on the following link

https://supportforums.Cisco.com/document/47881/SDEE-and-IPS

How Anyconnect VPN users will connect with cisco ASA, which uses the server (domain controller) Radius for authentication

Hi team

Hope you do well. !!!

currently I am doing a project which consists in CISCO ASA-5545-X, RADIUS (domain controller) server for authentication. Here, I need to configure Anyconnect VPN and host checker in cisco asa.

1 users will connect: user advanced browser on SSL VPN pop past username and password.

2. (cisco ASA) authentication: VPN sends credentials to the RADIUS server.

3 RADIUS server: authentication: receipt and SSL VPN (ASA) group.

4 connectivity creation: If employee: PC so NAW verified compliance, no PC check Assign user to the appropriate role and give IP.

This is my requirement, so someone please guide me how to set up step by step.

1. how to set up the Radius Server?

2. how to configure CISCO ASA?

Thanks in advance.

Hey Chick,

Please consult the following page of installation as well as ASA Radius server. The ASA end there is frankly nothing much difference by doing this.

http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

Hope this helps

Knockaert

Cisco ASA 5505 VPN Site to Site

Hi all

First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

I'd appreciate any help that can be directed to this problem please. Slowly losing my mind

Please see details below:

Two ADMS are 7.1

IOS

ASA 1

Nadia

:

ASA Version 9.0 (1)

!

hostname PAYBACK

activate the encrypted password of HSMurh79NVmatjY0

volatile xlate deny tcp any4 any4

volatile xlate deny tcp any4 any6

volatile xlate deny tcp any6 any4

volatile xlate deny tcp any6 any6

volatile xlate deny udp any4 any4 eq field

volatile xlate deny udp any4 any6 eq field

volatile xlate deny udp any6 any4 eq field

volatile xlate deny udp any6 any6 eq field

2KFQnbNIdI.2KYOU encrypted passwd

names of

local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

link Trunk Description of SW1

switchport trunk allowed vlan 1,10,20,30,40

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan2

nameif outside

security-level 0

IP 92.51.193.158 255.255.255.252

!

interface Vlan10

nameif inside

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan20

nameif servers

security-level 100

address 192.168.20.1 255.255.255.0

!

Vlan30 interface

nameif printers

security-level 100

192.168.30.1 IP address 255.255.255.0

!

interface Vlan40

nameif wireless

security-level 100

192.168.40.1 IP address 255.255.255.0

!

connection line banner welcome to the Payback loyalty systems

boot system Disk0: / asa901 - k8.bin

passive FTP mode

summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

domain-lookup DNS servers

DNS lookup domain printers

DNS domain-lookup wireless

DNS server-group DefaultDNS

Server name 83.147.160.2

Server name 83.147.160.130

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

ftp_server network object

network of the Internal_Report_Server object

Home 192.168.20.21

Description address internal automated report server

network of the Report_Server object

Home 89.234.126.9

Description of server automated reports

service object RDP

service destination tcp 3389 eq

Description RDP to the server

network of the Host_QA_Server object

Home 89.234.126.10

Description QA host external address

network of the Internal_Host_QA object

Home 192.168.20.22

host of computer virtual Description for QA

network of the Internal_QA_Web_Server object

Home 192.168.20.23

Description Web Server in the QA environment

network of the Web_Server_QA_VM object

Home 89.234.126.11

Server Web Description in the QA environment

service object SQL_Server

destination eq 1433 tcp service

network of the Demo_Server object

Home 89.234.126.12

Description server set up for the product demo

network of the Internal_Demo_Server object

Home 192.168.20.24

Internal description of the demo server IP address

network of the NETWORK_OBJ_192.168.20.0_24 object

subnet 192.168.20.0 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_26 object

255.255.255.192 subnet 192.168.50.0

network of the NETWORK_OBJ_192.168.0.0_16 object

Subnet 192.168.0.0 255.255.0.0

service object MSSQL

destination eq 1434 tcp service

MSSQL port description

VPN network object

192.168.50.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.50.0_24 object

192.168.50.0 subnet 255.255.255.0

service object TS

tcp destination eq 4400 service

service of the TS_Return object

tcp source eq 4400 service

network of the External_QA_3 object

Home 89.234.126.13

network of the Internal_QA_3 object

Home 192.168.20.25

network of the Dev_WebServer object

Home 192.168.20.27

network of the External_Dev_Web object

Home 89.234.126.14

network of the CIX_Subnet object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_84.39.233.50 object

Home 84.39.233.50

network of the NETWORK_OBJ_92.51.193.158 object

Home 92.51.193.158

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

the tcp destination eq ftp service object

the purpose of the tcp destination eq netbios-ssn service

the purpose of the tcp destination eq smtp service

service-object TS

the Payback_Internal object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

object-group service DM_INLINE_SERVICE_3

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

service-object TS

service-object, object TS_Return

object-group service DM_INLINE_SERVICE_4

service-object RDP

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

object-group service DM_INLINE_SERVICE_5

purpose purpose of the MSSQL service

service-object RDP

service-object TS

object-group Protocol TCPUDP

object-protocol udp

object-tcp protocol

object-group service DM_INLINE_SERVICE_6

service-object TS

service-object, object TS_Return

the purpose of the service tcp destination eq www

the purpose of the tcp destination eq https service

Note to outside_access_in to access list that this rule allows Internet the interal server.

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-list of FTP access

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list of SMTP access

Note to outside_access_in to access list Net Bios

Comment from outside_access_in-SQL access list

Comment from outside_access_in-list to access TS - 4400

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

access host access-list outside_access_in note rule internal QA

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

Notice on the outside_access_in of the access-list access to the internal Web server:

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-HTTP access list

Comment from outside_access_in-RDP access list

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

Note to outside_access_in to access list rule allowing access to the demo server

Notice on the outside_access_in of the access-list allowed:

Comment from outside_access_in-RDP access list

Comment from outside_access_in-list to access MSSQL

outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

Note to outside_access_in access to the development Web server access list

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

print the access-list AnyConnect_Client_Local_Print Note Windows port

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

Enable logging

information recording console

asdm of logging of information

address record

[email protected] / * /.

the journaling recipient

[email protected] / * /.

level alerts

Outside 1500 MTU

Within 1500 MTU

MTU 1500 servers

MTU 1500 printers

MTU 1500 wireless

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm-711 - 52.bin

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (wireless, outdoors) source Dynamics one interface

NAT (servers, outside) no matter what source dynamic interface

NAT (servers, external) static source Internal_Report_Server Report_Server

NAT (servers, external) static source Internal_Host_QA Host_QA_Server

NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

NAT (servers, external) static source Internal_Demo_Server Demo_Server

NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

NAT (servers, external) static source Internal_QA_3 External_QA_3

NAT (servers, external) static source Dev_WebServer External_Dev_Web

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL
the ssh LOCAL console AAA authentication
Enable http server
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 84.39.233.50
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 5
FRP sha
second life 86400
Crypto ikev2 activate out of service the customer port 443
Crypto ikev1 allow outside
IKEv1 crypto policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 192.168.10.0 255.255.255.0 inside
SSH 192.168.40.0 255.255.255.0 wireless
SSH timeout 5
Console timeout 0

dhcpd 192.168.0.1 dns
dhcpd outside auto_config
!
dhcpd address 192.168.10.21 - 192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
paybackloyalty.com dhcpd option 15 inside ascii interface
dhcpd allow inside
!
dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
dhcpd update dns of the wireless interface
dhcpd option 15 ascii paybackloyalty.com wireless interface
dhcpd activate wireless
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal Payback_VPN group strategy
attributes of Group Policy Payback_VPN
VPN - 10 concurrent connections
Ikev1 VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
attributes of Group Policy DfltGrpPolicy
value of 83.147.160.2 DNS server 83.147.160.130
VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
internal GroupPolicy_84.39.233.50 group strategy
attributes of Group Policy GroupPolicy_84.39.233.50
VPN-tunnel-Protocol ikev1, ikev2
Noelle XB/IpvYaATP.2QYm username encrypted password
Noelle username attributes
VPN-group-policy Payback_VPN
type of remote access service
username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
Éanna attributes username
VPN-group-policy Payback_VPN
type of remote access service
Michael qpbleUqUEchRrgQX of encrypted password username
user name Michael attributes
VPN-group-policy Payback_VPN
type of remote access service
username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
user name Danny attributes
VPN-group-policy Payback_VPN
type of remote access service
Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
user name Aileen attributes
VPN-group-policy Payback_VPN
type of remote access service
Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
Aidan username attributes
VPN-group-policy Payback_VPN
type of remote access service
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
shane.c iqGMoWOnfO6YKXbw encrypted password username
username shane.c attributes
VPN-group-policy Payback_VPN
type of remote access service
Shane uYePLcrFadO9pBZx of encrypted password username
user name Shane attributes
VPN-group-policy Payback_VPN
type of remote access service
username, encrypted James TdYPv1pvld/hPM0d password
user name James attributes
VPN-group-policy Payback_VPN
type of remote access service
Mark yruxpddqfyNb.qFn of encrypted password username
user name brand attributes
type of service admin
username password of Mary XND5FTEiyu1L1zFD encrypted
user name Mary attributes
VPN-group-policy Payback_VPN
type of remote access service
Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
Massimo username attributes
VPN-group-policy Payback_VPN
type of remote access service
type tunnel-group Payback_VPN remote access
attributes global-tunnel-group Payback_VPN
VPN1 address pool
Group Policy - by default-Payback_VPN
IPSec-attributes tunnel-group Payback_VPN
IKEv1 pre-shared-key *.
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 General-attributes
Group - default policy - GroupPolicy_84.39.233.50
IPSec-attributes tunnel-group 84.39.233.50
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
Global class-card class
match default-inspection-traffic
!
!
World-Policy policy-map
Global category
inspect the dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
Review the ip options
inspect the netbios
inspect the pptp
inspect the rsh
inspect the rtsp
inspect the sip
inspect the snmp
inspect sqlnet
inspect sunrpc
inspect the tftp
inspect xdmcp
inspect the icmp error
inspect the icmp
!
service-policy-international policy global
192.168.20.21 SMTP server
context of prompt hostname
no remote anonymous reporting call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

ASA 2

ASA Version 9.0 (1)

!

Payback-CIX hostname

activate the encrypted password of HSMurh79NVmatjY0

2KFQnbNIdI.2KYOU encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

Speed 100

full duplex

!

interface Ethernet0/1

Description this port connects to the local network VIRTUAL 100

switchport access vlan 100

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 100

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan2

nameif outside

security-level 0

IP 84.39.233.50 255.255.255.240

!

interface Vlan100

nameif inside

security-level 100

IP 192.168.100.1 address 255.255.255.0

!

banner welcome to Payback loyalty - CIX connection line

passive FTP mode

summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

DNS domain-lookup outside

DNS lookup field inside

DNS server-group defaultDNS

Name-Server 8.8.8.8

Server name 8.8.4.4

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

network of the host-CIX-1 object

host 192.168.100.2

Description This is the VM server host machine

network object host-External_CIX-1

Home 84.39.233.51

Description This is the external IP address of the server the server VM host

service object RDP

source between 1-65535 destination eq 3389 tcp service

network of the Payback_Office object

Home 92.51.193.158

service object MSQL

destination eq 1433 tcp service

network of the Development_OLTP object

Home 192.168.100.10

Description for Eiresoft VM

network of the External_Development_OLTP object

Home 84.39.233.52

Description This is the external IP address for the virtual machine for Eiresoft

network of the Eiresoft object

Home 146.66.160.70

Contractor s/n description

network of the External_TMC_Web object

Home 84.39.233.53

Description Public address to the TMC Web server

network of the TMC_Webserver object

Home 192.168.100.19

Internal description address TMC Webserver

network of the External_TMC_OLTP object

Home 84.39.233.54

External targets OLTP IP description

network of the TMC_OLTP object

Home 192.168.100.18

description of the interal target IP address

network of the External_OLTP_Failover object

Home 84.39.233.55

IP failover of the OLTP Public description

network of the OLTP_Failover object

Home 192.168.100.60

Server failover OLTP description

network of the servers object

subnet 192.168.20.0 255.255.255.0

being Wired network

192.168.10.0 subnet 255.255.255.0

the subject wireless network

192.168.40.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.100.0_24 object

255.255.255.0 subnet 192.168.100.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

network of the Eiresoft_2nd object

Home 137.117.217.29

Description 2nd Eiresoft IP

network of the Dev_Test_Webserver object

Home 192.168.100.12

Description address internal to the Test Server Web Dev

network of the External_Dev_Test_Webserver object

Home 84.39.233.56

Description This is the PB Dev Test Webserver

network of the NETWORK_OBJ_192.168.1.0_24 object

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_2

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_3

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_4

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_5

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_6

service-object MSQL

service-object RDP

the Payback_Intrernal object-group network

object-network servers

Wired network-object

wireless network object

object-group service DM_INLINE_SERVICE_7

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_8

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_9

service-object MSQL

service-object RDP

object-group service DM_INLINE_SERVICE_10

service-object MSQL

service-object RDP

the tcp destination eq ftp service object

object-group service DM_INLINE_SERVICE_11

service-object RDP

the tcp destination eq ftp service object

outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

Note to access list OLTP Development Office of recovery outside_access_in

outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

Comment from outside_access_in-access Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

Note to outside_access_in access to OLTP for target recovery Office Access list

outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

Note to outside_access_in access from the 2nd IP Eiresoft access list

outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

no permit-nonconnected arp

NAT (inside, outside) source Dynamics one interface

NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

NAT (inside, outside) static source Development_OLTP External_Development_OLTP

NAT (inside, outside) static source TMC_Webserver External_TMC_Web

NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

Access-group outside_access_in in interface outside

Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

Timeout xlate 03:00

Pat-xlate timeout 0:00:30

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

identity of the user by default-domain LOCAL

the ssh LOCAL console AAA authentication

Enable http server

http 92.51.193.156 255.255.255.252 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

Crypto ipsec ikev2 ipsec-proposal OF

encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
card crypto outside_map 1 match address outside_cryptomap
card crypto outside_map 1 set pfs
peer set card crypto outside_map 1 92.51.193.158
card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
outside_map interface card crypto outside
trustpool crypto ca policy
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 allow outside
Crypto ikev1 allow outside
IKEv1 crypto policy 10
authentication crack
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 20
authentication rsa - sig
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 40
authentication crack
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 50
authentication rsa - sig
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 60
preshared authentication
aes-192 encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 70
authentication crack
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 80
authentication rsa - sig
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 90
preshared authentication
aes encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 100
authentication crack
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 110
authentication rsa - sig
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 120
preshared authentication
3des encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 130
authentication crack
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 140
authentication rsa - sig
the Encryption
sha hash
Group 2
life 86400
IKEv1 crypto policy 150
preshared authentication
the Encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH 77.75.100.208 255.255.255.240 outside
SSH 92.51.193.156 255.255.255.252 outside
SSH timeout 5
Console timeout 0

dhcpd outside auto_config
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
internal GroupPolicy_92.51.193.158 group strategy
attributes of Group Policy GroupPolicy_92.51.193.158
VPN-tunnel-Protocol ikev1, ikev2
username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 General-attributes
Group - default policy - GroupPolicy_92.51.193.158
IPSec-attributes tunnel-group 92.51.193.158
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.
pre-shared-key authentication local IKEv2 *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmp
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end

Hello

There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

Here are a few suggestions on what to change

ASA1

Minimal changes

the object of the LAN network

192.168.10.0 subnet 255.255.255.0

being REMOTE-LAN network

255.255.255.0 subnet 192.168.100.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

Other suggestions

These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

PAT-SOURCE network object-group

source networks internal PAT Description

object-network 192.168.10.0 255.255.255.0

object-network 192.168.20.0 255.255.255.0

object-network 192.168.40.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

no nat (wireless, outdoors) source Dynamics one interface

no nat (servers, outside) no matter what source dynamic interface

The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

network of the SERVERS object

subnet 192.168.20.0 255.255.255.0

network of the VPN-POOL object

192.168.50.0 subnet 255.255.255.0

NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

ASA2

Minimal changes

the object of the LAN network

255.255.255.0 subnet 192.168.100.0

being REMOTE-LAN network

192.168.10.0 subnet 255.255.255.0

NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

Finally, we remove the old rule that generated the ASDM.

Other suggestions

PAT-SOURCE network object-group

object-network 192.168.100.0 255.255.255.0

NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

No source (indoor, outdoor) nat Dynamics one interface

The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

Hope this makes any sense and has helped

Remember to mark a reply as the answer if it answered your question.

Feel free to ask more if necessary

-Jouni

Cisco ASA 5510 + license + AIP - SSM

Hello.

I have this box.

I have a few questions about it.

(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?

(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?

(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?

(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?

Please help me.

(1) you must Smartnet in order to download the software from the download from cisco.com site.

(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.

(3) Yes, the basic license is OK for the AIP module.

(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.

Hope that answers your questions.

A possible bug related to the Cisco ASA "show access-list"?

We had a strange problem in our configuration of ASA.

In the "show running-config:

Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

inside_access_in list extended access permitted ip object windowsusageVM any newspaper

inside_access_in list of allowed ip extended access any object testCSM

inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

inside_access_in list extended access permit ip host 172.31.254.2 any log

Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

In the "show access-list":

access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

There is a comment in the running configuration: (line 26)

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

Thanks in advance.

See the version:

Cisco Adaptive Security Appliance Software Version 4,0000 1

Version 7.1 Device Manager (3)

Updated Friday, June 14, 12 and 11:20 by manufacturers

System image file is "disk0: / asa844-1 - k8.bin.

The configuration file to the startup was "startup-config '.

fmciscoasa up to 1 hour 56 minutes

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

Number of Accelerators: 1

Could be linked to the following bug:

CSCtq12090: ACL note line is missing when the object range is set to ACL

The 8.4 fixed (6), so update to a newer version and observe again.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

Updates for Cisco ASA

Similar Questions

Maybe you are looking for