VPN on ASA-5510 with Configure a dynamic encryption card

Hi all

My name is ping, I have ASA-5510 for site to site VPN configuration, but am not clear with a few conifguration on ASA-5510 series, not sure on poin than, when I install on other sets of cisco router I can use

ASA2 (config) #crypto card outside-card 10 ipsec-isakmp

% NOTE: this new map encryption will remain disabled until a peer

and a valid access list have been configured.

........

but, when I configure ASA 5510 it as below:

mtelcoASA2 (config) # crypto?

set up the mode commands/options:

CA Certification Authority

dynamic-map set up a dynamic encryption card

IPSec transform-set set, life of the IPSec Security Association and fragmentation

ISAKMP configure ISAKMP

main activities key long-term

card to configure an encryption card

ASA2 (config) # map outside-map 10 ipsec-isakmp crypto ?

set up the mode commands/options:

Entry dynamic is a dynamic map

"Set up a dynamic crypto map" which uses for and why I can't use only "map outside-map 10 ipsec-isakmp crypto" and if not can't, can I skip this command or tell me the other way with explanation with nicely,

Thank you very much

hot topic,

Ping,

Just use crypto card outside-map 10 match/set without ipsec-isakmp key word and it will be fine.

Tags: Cisco Security

Similar Questions

Unable to connect to server vpn behind ASA 5510 with windows clients

Hi all

I've seen a number of posts on this and followed by a few documents of support on this issue, but I'm totally stuck now, nothing seems to work for me.

This is the usual scenario, I have a VPN windows 2003 Server sat on the lan deprived of our ASA 5510 firewall, and I try to get my Windows XP / 7 laptop computers to connect to it.

Within the ASDM:

(1) Server Public created for Protocol 1723

(2) Public created for the GRE protocol Server

3) created two public servers have the same public and private addresses

(4) the foregoing has created config Public Private static route in the section NAT firewall

(5) rules to Firewall 2 also created above on the external interface for both 1723 and GRE

When you try to connect, I get the following entry in the debug log.

6 August 6, 2010 17:09:37 302013 195.74.141.2 1045 1723 ChamberVPN-internal built ride connection TCP 1889195 for outside:195.74.141.2/1045 (195.74.141.2/1045) to the inside: ChamberVPN-internal/1723 (XXX.XXX.XXX.XXX/1723)

but nothing else.

The server shows not attempting a connection so I think I'm missing something on the firewall now.

Also inside interface there is a temporary rule:

Source: no

Destination: any

Service: IP

Action: enabled

This should allow all outbound traffic only as far as I know...

Any help would be greatly appreciated.

Chris

Hi Chris,

ASA newspaper indicates that the connection is interrupted because of "syn timeout. This means that asa receives no response from the Windows Server. Right now, we need to clarify some points.

1 - your vpn server committed a correct default gateway error or the path that lies in your fw interface asa.

is 2 - possible to start capturing packets on Windows Server. Hereby, we can get data flow information beetween client and server. And we can be sure that Windows Server wonders vpn.

Ufuk Güler

ASA 5510 with AIP SSM-10

I'm new to network administration and our company has an ASA 5510 with and map AIP SSM-10. On the interface ASA when I try to load Intrusion detection, he said the following:

"For IPS 5.1 (1) S205.0, use the link below to access the IPS Device Manager." (If the SSM management IP address or the port is translated, replace them accordingly in the below URL). IPS 6.0.1 or above will be fully interated ASDM. »

Unfortunately, no URL is displayed below this message and there is no documentation in the company that owns this configuration. Is there a way to reset the AIP without resetting the ASA? How can I find the IP address to be able to configure it?

The ASA CLI, you will be able to check the IP address of the AIP module:

view the details of the module

It will show you the ip address of mgmt of the module, and you can https to the IP address of your PC.

The ASA 5510 DMZ configuration

I currently have an ASA 5510 with which I am configuring a HTTP/FTP host on a demilitarized zone. Currently the DMZ host is accessible outside but the hosts on the internal network can not access. I have a dedicated IP address for the host (1.1.1.228) DMZ and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a statement nat() or a static(), please advise.

interface Ethernet0/0

Description Interface Outside

nameif outside

security-level 0

IP 1.1.1.238 255.255.255.240

!

interface Ethernet0/1

Inside the Interface Description

nameif inside

security-level 100

the IP 10.0.0.1 255.255.0.0

!

interface Ethernet0/2

DMZ Interface Description

nameif dmz

security-level 50

the IP 192.168.0.1 255.255.255.0

-partial outside the inbound ACL.

outside_access_in list extended access permit tcp any host 1.1.1.228 eq www

outside_access_in list extended access permit tcp any host 1.1.1.228 eq https

-ACL DMZ-

DMZ list extended access permit icmp any one

access-list extended DMZ permit tcp host 192.168.0.11 eq www everything

access-list extended DMZ permit tcp host 192.168.0.11 eq https all

access-list extended DMZ permit tcp host 192.168.0.11 eq ftp - data all

DMZ list extended access permit tcp host 192.168.0.11 eq ftp everything

Global 1 interface (outside)

NAT (inside) 0-list of access inside_outbound_nat0_acl

NAT (inside) 1 0.0.0.0 0.0.0.0

public static 1.1.1.231 (Interior, exterior) 10.0.0.85 netmask 255.255.255.255

static (dmz, outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255

Access-group outside_access_in in interface outside

Access-group interface dmz DMZ

Add:

static (inside, dmz) 10.0.0.0 mask 10.0.0.0 subnet 255.255.0.0

The statement above will allow the host to access DMZ hosts inside using DMZ devices own IPs and vice versa.

And, if necessary, use the ACL to restrict access to inside the DMZ, or DMZ inside.

See you soon!

AK

Difference between static and dynamic encryption card

Anyone tell me the difference between static and dynamic encryption card?

Hi Rodrigo,

Public static crypto map - identifies by the peers and traffic to encrypt explicitly. Generally used to host some tunnels with different profiles and characteristics (different partners, sites, location)

So, when you have the information of the two peers than what policies we're going to use, what is the IP on both devices we normally use static VPN.

Crypto dynamic map - is one of the ways to accommodate peer sharing the same characteristics (for example, several offices of branches share the same configuration) or peers with dynamic IP addressing (DHCP, etc.)

For more information, please visit:

https://supportforums.Cisco.com/document/12013476/crypto-map-based-IPSec...

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

VPN site to Site ASA 5510 and 871 w / dynamic IP

What is the best method of creating a VPN site-to site between an ASA 5510 and a router 871 where the 5510 has a static IP address and has 871, a dynamic IP address?

My ASA is running ASA software version 7.0 (5) and I can't find how to create a tunnel for a dynamic IP address via the ASDM. I have currently a tunnel between these two arrangements in place, but it was done by specifying the remote IP address, even if it is dynamic.

Any suggestions or pointers would be * very * appreciated.

-Adam

This can help but it does not show ASDM.

http://Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

ASA 5510 with double tis

Hello.. It is possible for cisco asa 5510 hitting the load balancing between double tis? and what will the configurations? Thanks... :D

Hello

ACB is used normally for balancing the load on network devices. Another one of my posts on this forum and I quote:

The ASA/PIX does not ACB support to date. I told her on the road map.

As a work around, you can run multiple contexts, if its possible to break your lan into two subnets.

And also allocate the Internet interfaces appropriate to each context (with the default gateway pointing to the respective service providers).

This link will help you get started:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Please NOTE: dynamic routing and virtual private networks are not supported in Multiple context mode.

Another alternative, if WAN links end on a router (and not the firewall), you could use this router to the ACB.

Concerning

Farrukh

False claims RADIUS of customer VPN Cisco ASA 5510

Hello world

I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

Each time, when the client connects, ASA 2 RADIUS requests questions, correct first - which is successfully authenticated by FAC and immediately - second that always fails. I couldn't find information related to this strange behaivor. Function "Double Authentication" (more sympathetic to his name) is only accessible to Anyconnect customers who we do not. When I'm authenicated by using password group, there is only one query RADIUS.

What is the source of such behavior?

The negative impact is that my logs are filled with the failed authentication attempts fallacious and users are incrementig attempts failed in the AD meter.

Debugging of ASA:

-First application-

RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

-The second request-

RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

GBA debug:

-First application-

AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

-The second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

The ASA config:

Crypto ikev1 allow outside
Crypto ikev1 allow inside
IKEv1 crypto ipsec-over-tcp port 10000
life 86400
IKEv1 crypto policy 65535
authentication rsa - sig
3des encryption
md5 hash
Group 2
life 86400

!

internal Cert_auth group strategy
attributes of Group Policy Cert_auth
client ssl-VPN-tunnel-Protocol ikev1 l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list aclVPN2
the address value vpnpool pools
rule of access-client-none

!

attributes global-tunnel-group DefaultRAGroup
address (inside) vpnpool pool
address vpnpool pool
authentication-server-group RADIUS01
authorization-server-group RADIUS01
authorization-server-group (inside) RADIUS01
Group Policy - by default-Cert_auth

!

RADIUS protocol AAA-server RADIUS01
AAA-server host 10.2.9.224 RADIUS01 (inside)
key *.
RADIUS-common-pw *.
AAA-server host 10.4.2.223 RADIUS01 (inside)
key *.

Hello

It is a 'classic' error and has nothing to do with dual authentication, but rather with the fact that you do both radius and authorization of RADIUS authentication.

If you remove this line:

authorization-server-group RADIUS01

you will see that it starts to work properly

In short: when ASA no authorization of RADIUS, it sends a request to access radius with the username as a password, that's why you see the second application fails all the time.

This is because the RADIUS authorization is intended to be used when authentication happens using certificates (only) so there is no password.

Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA makes the radius authentication, he already gets the user attributes in the authentication step and it makes no sense to also make a separate authorization stage (except in a few very rare scenario where you have 2 radius servers, one for authentication and another for permission).

HTH

Herbert

VPN Cisco ASA 5510 - 250 licenses?

I can't find a clear answer on this. I see that only 2 SSL VPN clients are included, but if I buy an ASA 5510 (ASA5510-BUN-K9), am I allowed to use as a VPN endpoint for up to 250 customers? If so, is it a total of VPN 'site-to-site' and 'customer '?

For IPSec VPN (IPSec VPN site-to-site and remote client access), there is no additional license required as it is included in the device.

For SSL VPN, there is failure to license 2, and if you need more than 2 connections SSL VPN Client, then Yes, you must purchase an additional license (the AnyConnect Essentials or the AnyConnect license Premium depending on what you need).

ASA5505 for configuration VPN Failover ASA-5510

the best way to configure a second VPN tunnel by another carrier, to fail. The two tunnels would go to the same network a Remote Site. Is it possible to apply a metric or monitor the tunnel so that if the choice we're unavailable two choice would resume. Can you point me to the example configuration preferably with ADSM?

Hi Stewart,

Please visit this link for the same thing:

https://supportforums.Cisco.com/blog/150001

Kind regards

Aditya

Please evaluate the useful messages and mark the correct answers.

ASA 5510 CLI Configuration

Hello

Is it possible to perform all the system configuration and management functions through the CLI at the Terminal?

I think specifically to aspects such as the management of firewall rule configuration of the DHCP Service, VPN configuration, log review. etc etc.

I have already done some configuration of the interface of base if the CLI, but want to know what depth, I can go.

Thanks in advance.

Paul

The main thing that I know will have to be made through ASDM is manage bookmarks SSL VPN client and other pages. All the other stuff you mentioned can be done through CLI. I like to use a hybrid of CLI & ASDM when I managed firewalls. I prefer to see the logs on the ASDM so, real-time log buffer is an excellent tool.

Cisco ASA 5510 multiple dynamic config VPN L2L necessary

Hello

We have a Cisco asa 5510 with static IP address. Also, we have a remote office with a dynamic IP address. We now have a dynamic to static VPN configured L2L. And now, we must add new tunnel to another site with a dynamic IP address. Is this possible? Does anyone have an example of woking, or manual?

Oleg Kobelev

The config only you need in the ASA is: -.

(1) set of crypto processing

(2) political ISAKMP

(3) dynamic Crypto map

(4) default group L2L & PSK

(5) Config RRI (reverse Route Injection)

HTH >

LT2P configuration vpn cisco asa with the internet machine windows/mac issue

Dear all,

I have properly configured configuration vpn L2TP on asa 5510 with 8.0 (4) version of IOS.

My internet does not work when I connect using the vpn. Even if I give power of attorney or dns or I remove the proxy

It does not work. only the resources behind the firewall, I can access. I use the extended access list

I tried also with the standard access list.

Please please suggest what error might be.

Thank you

JV

Split for L2TP over IPSec tunnel tunnel is not configured on the head end (ASA), it must be configured on the client itself, in accordance with the following Microsoft article:

http://TechNet.Microsoft.com/en-us/library/bb878117.aspx

ASA 5510 Anyconnect licenses with Cisco Anyconnect VPN IP phone

Hi, hoping someone can shed some light on what I'm just more confused over trying to get by. Not sure if this goes in the section IP Telehpony or here...

We have an ASA 5510 with the base license. We need to install IP phones to home teleworkers, and I understand there are Cisco IP phones that have built-in VPN clients to enable a tunnel to the central private network. IT seems that you can't use Anyconnect VPN to do this, and I am trying to establish what upgrade licenses, we must apply to the ASA, as both Anyconnect licenses that you get for free on the SAA is not enough.

This is the phone that we seek;

http://www.Cisco.com/en/us/prod/collateral/voicesw/ps6788/phones/ps10499/ps11005/data_sheet_c78-603725.html

I want to know is the Anyconnect Essentials license will work with these IP phones?

When I do a version of the show,

The devices allowed for this platform:

The maximum physical Interfaces: unlimited

VLAN maximum: 50

Internal hosts: unlimited

Failover: disabled

VPN - A: enabled

VPN-3DES-AES: enabled

Security contexts: 0

GTP/GPRS: disabled

SSL VPN peers: 2

The VPN peers total: 250

Sharing license: disabled

AnyConnect for Mobile: disabled

AnyConnect for Linksys phone: disabled

AnyConnect Essentials: disabled

Assessment of Advanced endpoint: disabled

Proxy sessions for the UC phone: 2

Total number of Sessions of Proxy UC: 2

Botnet traffic filter: disabled

This platform includes a basic license.

It shows "AnyConnect for Linksys phone: Disabled", it is the same for the Cisco IP phones? It is the kind of specific license, should I seek for Anyconnect on IP phones or will Essentials?

Hi Leo,

you will need 2 licenses: an Anyconnect Premium license and a permit «Anyconnect of Cisco VPN phone»

ASA 8.2 and earlier license "for Cisco VPN Phone" has been named "for phone Linksys' it's the same.

CFR. http://www.Cisco.com/en/us/docs/security/ASA/asa84/license/license_management/license.html#wp1487574

HTH

Herbert

Cisco ASA 5510 - Cisco Client can connect to the VPN but cannot Ping!

Hello

I have an ASA 5510 with the configuration below. I have configure the ASA as vpn server for remote access with cisco vpn client, now my problem is that I can connect but I can not ping.

Config

ciscoasa # sh run

: Saved

:

ASA Version 8.0 (3)

!

ciscoasa hostname

activate the 5QB4svsHoIHxXpF password / encrypted

names of

xxx.xxx.xxx.xxx SAP_router_IP_on_SAP name

xxx.xxx.xxx.xxx ISA_Server_second_external_IP name

xxx.xxx.xxx.xxx name Mail_Server

xxx.xxx.xxx.xxx IncomingIP name

xxx.xxx.xxx.xxx SAP name

xxx.xxx.xxx.xxx Web server name

xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold name

isa_server_outside name 192.168.2.2

!

interface Ethernet0/0

nameif outside

security-level 0

address IP IncomingIP 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Ethernet0/2

Shutdown

No nameif

no level of security

no ip address

!

interface Ethernet0/3

Shutdown

No nameif

no level of security

no ip address

!

interface Management0/0

nameif management

security-level 100

IP 192.168.1.253 255.255.255.0

management only

!

passwd 123

passive FTP mode

clock timezone IS 2

clock summer-time EEDT recurring last Sun Mar 03:00 last Sun Oct 04:00

TCP_8081 tcp service object-group

EQ port 8081 object

DM_INLINE_TCP_1 tcp service object-group

EQ port 3389 object

port-object eq ftp

port-object eq www

EQ object of the https port

EQ smtp port object

EQ Port pop3 object

port-object eq 3200

port-object eq 3300

port-object eq 3600

port-object eq 3299

port-object eq 3390

EQ port 50000 object

port-object eq 3396

port-object eq 3397

port-object eq 3398

port-object eq imap4

EQ port 587 object

port-object eq 993

port-object eq 8000

EQ port 8443 object

port-object eq telnet

port-object eq 3901

purpose of group TCP_8081

EQ port 1433 object

port-object eq 3391

port-object eq 3399

EQ object of port 8080

EQ port 3128 object

port-object eq 3900

port-object eq 3902

port-object eq 7777

port-object eq 3392

port-object eq 3393

port-object eq 3394

Equalizer object port 3395

port-object eq 92

port-object eq 91

port-object eq 3206

port-object eq 8001

EQ port 8181 object

object-port 7778 eq

port-object eq 8180

port-object 22222 eq

port-object eq 11001

port-object eq 11002

port-object eq 1555

port-object eq 2223

port-object eq 2224

object-group service RDP - tcp

EQ port 3389 object

3901 tcp service object-group

3901 description

port-object eq 3901

object-group service tcp 50000

50000 description

EQ port 50000 object

Enable_Transparent_Tunneling_UDP udp service object-group

port-object eq 4500

access-list connection to SAP Note inside_access_in

inside_access_in to access extended list ip 192.168.2.0 allow 255.255.255.0 host SAP_router_IP_on_SAP

access-list inside_access_in note outgoing VPN - PPTP

inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any eq pptp

access-list inside_access_in note outgoing VPN - GRE

inside_access_in list extended access allow accord 192.168.2.0 255.255.255.0 any

Comment from inside_access_in-list of access VPN - GRE

inside_access_in list extended access will permit a full

access-list inside_access_in note outgoing VPN - Client IKE

inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any isakmp eq

Comment of access outgoing VPN - IPSecNAT - inside_access_in-list T

inside_access_in list extended access permitted udp 192.168.2.0 255.255.255.0 any eq 4500

Note to inside_access_in of outgoing DNS list access

inside_access_in list extended access udp allowed any any eq field

Note to inside_access_in of outgoing DNS list access

inside_access_in list extended access permit tcp any any eq field

Note to inside_access_in to access list carried forward Ports

inside_access_in list extended access permitted tcp 192.168.2.0 255.255.255.0 any DM_INLINE_TCP_1 object-group

access extensive list ip 172.16.1.0 inside_access_in allow 255.255.255.0 any

outside_access_in of access allowed any ip an extended list

outside_access_in list extended access permit tcp any any eq pptp

outside_access_in list extended access will permit a full

outside_access_in list extended access allowed grateful if any host Mail_Server

outside_access_in list extended access permit tcp any host Mail_Server eq pptp

outside_access_in list extended access allow esp a whole

outside_access_in ah allowed extended access list a whole

outside_access_in list extended access udp allowed any any eq isakmp

outside_access_in list of permitted udp access all all Enable_Transparent_Tunneling_UDP object-group

list of access allowed standard VPN 192.168.2.0 255.255.255.0

corp_vpn to access extended list ip 192.168.2.0 allow 255.255.255.0 172.16.1.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

Outside 1500 MTU

Within 1500 MTU

management of MTU 1500

pool POOL 172.16.1.10 - 172.16.1.20 255.255.255.0 IP mask

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 603.bin

don't allow no asdm history

ARP timeout 14400

NAT-control

Global (outside) 2 Mail_Server netmask 255.0.0.0

Global 1 interface (outside)

Global interface (2 inside)

NAT (inside) 0-list of access corp_vpn

NAT (inside) 1 0.0.0.0 0.0.0.0

static (inside, outside) tcp Mail_Server 8001 8001 ISA_Server_second_external_IP netmask 255.255.255.255

static (inside, outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255

static (inside, outside) tcp Mail_Server pptp pptp netmask 255.255.255.255 isa_server_outside

public static tcp (indoor, outdoor) Mail_Server smtp smtp isa_server_outside mask 255.255.255.255 subnet

static (inside, outside) tcp 587 Mail_Server isa_server_outside 587 netmask 255.255.255.255

static (inside, outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255

static (inside, outside) tcp 9443 Mail_Server 9443 netmask 255.255.255.255 isa_server_outside

static (inside, outside) tcp 3389 3389 netmask 255.255.255.255 isa_server_outside Mail_Server

static (inside, outside) tcp 3390 Mail_Server 3390 netmask 255.255.255.255 isa_server_outside

static (inside, outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255

static (inside, outside) tcp SAP 50000 50000 netmask 255.255.255.255 isa_server_outside

static (inside, outside) tcp SAP 3200 3200 netmask 255.255.255.255 isa_server_outside

static (inside, outside) SAP 3299 isa_server_outside 3299 netmask 255.255.255.255 tcp

static (inside, outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255

static (inside, outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255

static (inside, outside) tcp Mail_Server pop3 pop3 netmask 255.255.255.255 isa_server_outside

static (inside, outside) tcp imap4 Mail_Server imap4 netmask 255.255.255.255 isa_server_outside

static (inside, outside) tcp cms_eservices_projects_sharepointold 9999 9999 netmask 255.255.255.255 isa_server_outside

public static 192.168.2.0 (inside, outside) - corp_vpn access list

Access-group outside_access_in in interface outside

inside_access_in access to the interface inside group

Route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout, uauth 0:05:00 absolute

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.2.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp - esp-md5-hmac transet

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto-map dynamic dynmap 10 set pfs

Crypto-map dynamic dynmap 10 transform-set ESP-3DES-SHA transet

cryptomap 10 card crypto ipsec-isakmp dynamic dynmap

cryptomap interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

sha hash

Group 2

life 86400

No encryption isakmp nat-traversal

Telnet 192.168.2.0 255.255.255.0 inside

Telnet 192.168.1.0 255.255.255.0 management

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside

dhcpd domain.local domain inside interface

!

a basic threat threat detection

host of statistical threat detection

Statistics-list of access threat detection

Management Server TFTP 192.168.1.123.

internal group mypolicy strategy

mypolicy group policy attributes

Split-tunnel-policy tunnelspecified

Split-tunnel-network-list value VPN

Pseudo vpdn password 123

vpdn username attributes

VPN-group-policy mypolicy

type of remote access service

type mypolicy tunnel-group remote access

tunnel-group mypolicy General attributes

address-pool

strategy-group-by default mypolicy

tunnel-group mypolicy ipsec-attributes

pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the pptp

!

global service-policy global_policy

context of prompt hostname

Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac

: end

Thank you very much.

Hello

You probably need

Policy-map global_policy

class inspection_default

inspect the icmp

inspect the icmp error

Your Tunnel of Split and NAT0 configurations seem to.

-Jouni

VPN on ASA-5510 with Configure a dynamic encryption card

Similar Questions

Maybe you are looking for