VPN site to site phase2 fail

Hi all, I have two sites in central administration, I have a C2801 as hub and in the remote part, I have a C1861 as it is get the IP through ADSL, after I configured the two rtrs, all stages of phase 1 is complete, the next step, I get the IKMP_ERR_NO_RETRANS error, I read a lot of entries here , but none are like the one I have.

Please check if I missed some in the configuration. Another thing is that in the same C2801 I got a VPN Client and other vpn site-to-site, with a fixed IP address and work perfect.

Side remote network: 192.168.225.0/24 and 192.168.226.0/24

HQ networks: 192.168.0.0

I have attached the configs and debugs.

Fixing of work (for me) configuration + debugs.

Both star are 12.4 (22) T1

Tags: Cisco Security

Similar Questions

  • VPN site to Site, Phase2, ISAKMP problem

    Hi all

    I have a problem to Setup vpn site to site on two Cisco1841 ((C1841-ADVSECURITYK9-M) 12.4 routers (3i)) Version.

    I have seen several discussions with similar problems, but no help, and I couldn't find any problem solved also.

    Please see two attached documents, the first one with samples of itineraries config the remote and and the second with the debug output.

    I rechecked the configs on both routers, and it seems that both are very good.

    The strange is that tunnel comes up all the time, but I have only 50% by the pings of the networks the. Pings from the local and remote peers goes with 100%.

    Please see the errors on the document of debugging.

    Second thing, please pay attention to the subnet mask of the local interface of the local router (255.255.255.224). Maybe it's the root of a problem, it is not in line with the access list that is with wildcard 0.0.0.255?

    I think it's the only thing that I forgot to check today.

    Maybe it's a bug of ios or something?

    I appreciate any help to solve this problem.

    Thank you in advance,

    If your network is 255.255.255.224 255.255.255.224 should be in the ACL to change this in two ACLs of the interesting traffic.

    Check this

    * 6 sep 12:59:15.362: IPSEC (validate_transform_proposal): No IPSEC cryptomap is to address local y.y.y.y (local peer)

    * 6 sep 12:59:15.366: ISAKMP:(0:36:SW:1): IPSec policy invalidated proposal

    * 6 sep 12:59:15.366: ISAKMP:(0:36:SW:1): politics of ITS phase 2 is not acceptable! (local y.y.y.y (local peer) remote control (remote peer) x.x.x.x)

    This isn't a question about the phase I, but with the phase 2. The ACL must be changed

    LOCAL

    access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255

    REMOTE

    access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31

    Change that firs and then disable the SA and try again. I'm not sure why you receive only 50% of responses from the remote site

  • Problem with VPN Site-to-Site between RV215W and ASA5510

    The RV215W is intended to connect a new branch via 3G, but fail.

    But when connected to the internet via a cable modem VPN works.

    I have set up with the FULL domain name and remote ip address.

    Please help me soon as soon as you can.

    Thaks a lot.

    Henriux2412.

    Dear Henry;

    Thank you to the small community of Support Business.

    I doubt that this VPN site-to-site is compatible with the USB modem broadband Mobile 3 G, but I have when even suggest to verify that the Status field of the map will show your mobile card is connected (status > Mobile network). I've seen a similar problem with a Verizon USB modem where the solution was to change a few settings in their access Manager software ("NDIS Mode - connect manually" has been selected and change this option to "Modem Mode - connect manually fixed), but if this is not your case then I suggest you to check with your service provider about supported VPN site to site on the WAN configuration.

    Except that I advise you to contact the Small Business Support Center for more information on this subject, although I don't think they will support

    https://supportforums.Cisco.com/community/NetPro/small-business/sbcountrysupport

    Do not hesitate to contact me if there is anything I can help you with in the meantime.

    Kind regards

    Jeffrey Rodriguez S... : | :. : | :.
    Support Engineer Cisco client

    * Please rate the Post so other will know when an answer has been found.

  • cannot ping remote ip on ASA no firewall (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    some help me

    (Q) ping remote ip unable on ASA is not Firewall not on pc (VPN site to site on SAA) configired no proxy, icmp not inspect, no chance

    Note - I can ping PC but not the same subnet ip on ASA2 L3

    PC---> > ASA1 - ASA2<>

    Hi Matt,

    Let me answer your question in two points:

    • You cannot ping an ASA on another interface other than the one where you are connected to the ASA of.

    For example, ASA1 and ASA2 are connected through their interfaces 'outside '. ASA1 (or any other device on the external interface) can not ping/access ASA2 on his (ASA2) within the interface. The only time wherever this can be substituted is a tunnel VPN with the command "access management" configured for other interface, for example management-access inside

    • Traffic ASA1 ping to a remote client behind ASA2 won't over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table that probably this way through its 'outside' interface Except that traffic is allowed with the ASA2 (using the ACL), it will fail.

    We can do on the routers of sourcing our ping to another interface, but it will not work on the SAA.

  • Site of the error of phase 2 for the VPN site

    Dear all,

    We have a VPN site to site with a partner, we need to access three different hosts on the network of partners. Phase 1 came but there is problem with the guests of the three phase 2 we can only connected with a host of others are not connected, and they all share the same settings.

    Below is show access ip list matching packages shown but connection to host failed

    With the crypto ipsec to see his I saw send error and I don't know what could be responsible.

    Any body who could be wrong please help me to am exhausted.

    access-list

    10 permit ip host 4.2.3.1 4.2.6.22 (647594 matches)
    20 permit ip host 4.2.3.14 4.2.6.64 (47794 matches)
    30 permit ip host 41.2.3.37 41.2.6.76 (581720 matches)

    Crypto ipsec to show his

    local ident (addr, mask, prot, port): (41.2.3.37/255.255.255.255/0/0)
    Remote ident (addr, mask, prot, port): (4.2.6.76/255.255.255.255/0/0)
    current_peer 4.2.6.24 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
     Errors #send 198, #recv errors 0

    local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
    clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
    current outbound SPI: 0x0 (0)
    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    outgoing ah sas:

    outgoing CFP sas:

    local ident (addr, mask, prot, port): (4.2.3.14/255.255.255.255/0/0)
    Remote ident (addr, mask, prot, port): (4.2.6.64/255.255.255.255/0/0)
    current_peer 4.2.6.24 port 500
    PERMITS, flags = {origin_is_acl, ipsec_sa_request_sent}
    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
        Errors #send 508, #recv errors 0

    local crypto endpt. : 4.2.3.16, remote Start crypto. : 4.2.6.24
    clearly, mtu 1500, path mtu 1500, mtu 1500 ip mtu IDB FastEthernet4 ip
    current outbound SPI: 0x0 (0)
    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    outgoing ah sas:

    outgoing CFP sas:

    Edit: can you put the configuration on both sides of the tunnel? Otherwise re - check once more the configs on both sides

  • ASA 8.4 (1) source-nat over vpn site-to-site

    I'm setting up a tunnel vpn site-to-site and require nat for the local and remote side. The remote side will be nat to

    10.2.255.128/25 on their face before they reach our network, so I have to only source-nat our servers via the tunnel to them. Should I just do the static NAT, then let the whole subnet through the acl of valuable traffic as the config below? I don't think I should use twice a nat because I'm not trying to make the destination nat on the firewall. Servers with us will 10.2.255.128/25 and I would like to preserve it through the ASA.

    network of the ServerA object

    host 10.1.0.1

    NAT 10.2.255.1 static (inside, outside)

    network of the object server b

    host 10.1.0.2

    NAT 10.2.255.2 static (inside, outside)

    the object server c network

    host 10.1.0.3

    NAT 10.2.255.3 static (inside, outside)

    the LOCAL_SUBNET object-group network

    object-network 10.2.255.0 255.255.255.128

    the REMOTE_SUBNET object-group network

    object-network 10.2.255.128 255.255.255.128

    VPN_ACL list extended access permitted ip object-group LOCAL_SUBNET-group of objects REMOTE_SUBNET

    Thank you

    Your configuration is correct, but I have a few comments.  Remember that NAT occurs before the delivery of your servers will be translated into 10.2.255.2 and 10.2.255.3 and then sent through the tunnel, so your encryption field is correct.

    Is your internet firewall as well? What your servers out of the internet?  They will be translated to 10.2.255.2 and 10.2.255.3 and who will fail in internet routing is.  If these servers access the internet through the firewall, I would recommend a configuration like this for each of your servers:

    network of the ServerA_NAT object

    Home 10.2.255.1

    NAT static ServerA ServerA_NAT destination (indoor, outdoor) static source REMOTE_SUBNET REMOTE_SUBNET

    This will use destination basic NAT for traffic VPN and NAT everything to a public IP address for the internet traffic.  Of course, if this is not your internet connection firewall can do abstraction.

  • To vpn Site to Site of DMZ

    Hello

    I recently install a vpn site-to site between a pix 515 running 6.3 (5) and a juniper netscreen. The tunnel is configured to only allow communications between two hosts, one at each end of the tunnel. Then, the client wanted to be the host behind the pix of their demilitarized zone. We made appropriate changes to the address list ACL nat0 and match, but now it has stopped working.

    When I do a sh crypto ipsec sa, I get decaps and packages, but no program to decrypt and encrypt the packets. Sh isakmp his watch an active tunnel between two end points.

    I don't know where to look for here. Haven't found anything on google.

    Here is the current result of sh crypto ipsec his:

    local ident (addr, mask, prot, port): (192.168.210.50/255.255.255.255/0/0)

    Remote ident (addr, mask, prot, port): (10.1.0.36/255.255.255.255/0/0)

    current_peer: a.b.c.d:500

    LICENCE, flags is {origin_is_acl},

    #pkts program: encrypt 0, #pkts: 0, #pkts 0 digest

    #pkts decaps: 38, #pkts decrypt: 5741, #pkts check 5741

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 5703 errors

    local crypto endpt. : z.y.x.w, remote Start crypto. : a.b.c.d

    Path mtu 1500, overload ipsec 56, media, mtu 1500

    current outbound SPI: 0

    SAS of the esp on arrival:

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    outgoing ah sas:

    outgoing CFP sas:

    Thank you!

    -Jeff

    You did nat exemption like that right?

    (Dmz) NAT 0 access-list...

  • VPN site to Site one-way traffic

    Hi all

    I set up a Vpn site-to site and everything works well in the remote site to the corporate site, but since the site of the company asa 5510, I can't access to the remote site asa 5505.  I checked the logging on the SAA and I can see the packets being fallen but I can't find what I need to do to allow this traffic through.  Here are most of my 5510 config, I'm sure it's something simple I'm missing, but I can't run it please help.

    REMOTE network is 192.168.72.0

    : Saved

    : Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

    !

    ASA Version 8.0 (5)

    !

    host name Casa

    uk domain name

    activate the encrypted password of VgZT0UwPdkSV9l7N

    zlo5ImUVRkHl4lcl encrypted passwd

    names of

    name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance

    name 192.168.3.12 description villages villages

    DNS-guard

    !

    interface Ethernet0/0

    nameif outside

    security-level 0

    IP address x.x.x.123 255.255.255.224

    !

    interface Ethernet0/1

    nameif inside

    security-level 100

    192.168.3.254 IP address 255.255.255.0

    !

    interface Ethernet0/2

    nameif dmz

    security-level 50

    IP 192.168.103.254 255.255.255.0

    !

    interface Ethernet0/3

    Shutdown

    No nameif

    no level of security

    no ip address

    !

    interface Management0/0

    nameif management

    security-level 100

    IP 192.168.1.1 255.255.255.0

    management only

    !

    boot system Disk0: / asa805 - k8.bin

    boot system Disk0: / asa707 - k8.bin

    passive FTP mode

    clock timezone GMT/UTC 0

    summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS server-group DefaultDNS

    uk domain name

    object-group network ExternalAccess

    Description hosts allowed direct web access

    network object-SVR-01 255.255.255.255

    SVR GIS 255.255.255.255 network-object

    host of network-object cient

    host villages network-object

    the ExternalAccessFromDMZ object-group network

    Description hosts allowed direct web access to DMZ

    CITRIX-device 255.255.255.255 network-object

    network-object IRONPORT1 255.255.255.255

    worker of the object-network 255.255.255.255

    MitelUDPinternet udp service object-group

    Description Mitel UDP services on the internet

    20000-27000 object-port Beach

    port-object eq sip

    port-object eq 5064

    MitelTCPinternet tcp service object-group

    Description Mitel TCP services on the internet

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 3998

    6801-6802 object-port Beach

    port-object eq 6880

    port-object eq www

    EQ object of the https port

    port-object eq 6800

    EQ object Port 3478

    port-object eq sip

    EQ port ssh object

    MitelTCPinternetOpt tcp service object-group

    Description Mitel TCP optional services on the internet

    port-object eq 3300

    6806-6807 object-port Beach

    36005 36005 object-port Beach

    36005 36006 object-port Beach

    EQ object Port 3478

    port-object eq sip

    MitelUDP2LAN udp service object-group

    Description Mitel UDP for the local network of services

    object-port range 1024-65535

    port-object eq sip

    MitelTCP2LAN tcp service object-group

    Description Mitel TCP for the local network of services

    port-object eq 2114

    port-object eq 2116

    port-object eq 35000

    port-object eq 37000

    port-object eq 1606

    object-port 4443 eq

    port-object eq 3998

    port-object eq 3999

    6801-6802 object-port Beach

    port-object eq 6880

    port-object eq www

    EQ object of the https port

    EQ object Port 3478

    port-object eq sip

    acl_outside list extended access permit icmp any any echo response

    acl_outside list extended access allow all unreachable icmp

    acl_outside list extended access permit icmp any any source-quench

    acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp

    acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https

    acl_outside list extended access permit tcp any host x.x.x.123 eq ssh

    acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https

    acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081

    acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp

    acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https

    acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

    acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

    acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group

    acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group

    acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group

    acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

    acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp

    acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp

    acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp

    inside_outbound_nat0_acl to access ip 192.168.1.0 scope list allow 255.255.255.0 172.30.100.0 inactive 255.255.255.224

    inside_outbound_nat0_acl list of allowed ip extended access all 172.31.1.0 255.255.255.0

    inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.103.0 255.255.255.0

    inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

    inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything

    acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH

    acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host

    acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268

    acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field

    acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

    acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field

    acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH

    access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any

    acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive

    acl_dmz list extended access permit ip any host CITRIXCSG-lan idle

    acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp

    acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN

    acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN

    dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all

    access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0

    dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access

    access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

    inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything

    access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

    access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all

    access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

    allow any scope to an entire ip access list

    inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all

    dmz_pnat1_outbound list of ip telecommuter host allowed extended access any

    outside_1_cryptomap to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    logging e-mail notifications

    uk address record

    exploitation forest-address recipient [email protected] / * / critical level

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 dmz

    management of MTU 1500

    IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ICMP allow any inside

    ICMP allow no dmz echo

    ICMP allow all dmz

    ASDM image disk0: / asdm-625 - 53.bin

    ASDM location SVR-01 255.255.255.255 inside

    ASDM location svr-02 255.255.255.255 inside

    ASDM location IRONPORT1 255.255.255.255 dmz

    ASDM location 194.81.55.226 255.255.255.255 dmz

    ASDM 255.255.255.255 inside server location

    ASDM location CITRIX-device 255.255.255.255 dmz

    ASDM group ExternalAccess inside

    ASDM group dmz ExternalAccessFromDMZ

    don't allow no asdm history

    ARP timeout 14400

    Global x.x.x.121 2 (outdoor)

    Global 1 x.x.x.125 (outside)

    Global Mail_Outside_AVON 3 (outside)

    Global Mail_Outside_AGH 4 (outside)

    Global teleworker_outside 5 (outside)

    NAT (inside) 0-list of access inside_outbound_nat0_acl

    NAT (inside) 2-list of access inside_pnat_outbound_AVON

    NAT (inside) 3 access-list inside_nat_AVON_Marshall

    NAT (inside) 1 access-list inside_pnat_outbound

    NAT (dmz) 0-list of access dmz_nat0_inbound outside

    NAT (dmz) 4 access-list dmz_pnat_outbound

    NAT (dmz) 5 access-list dmz_pnat1_outbound

    static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside

    static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255

    static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH

    static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255

    static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON

    static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside

    static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255

    static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

    static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker

    Access-group acl_outside in interface outside

    Access-group acl_dmz in dmz interface

    Route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

    Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    dynamic-access-policy-registration DfltAccessPolicy

    Enable http server

    oner http 255.255.255.255 inside

    http 192.168.1.0 255.255.255.0 management

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

    card crypto outside_map 1 match address outside_1_cryptomap

    card crypto outside_map 1 set pfs Group1

    card crypto outside_map 1 set r.r.r.244 counterpart

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    Telnet timeout 5

    SSH x.x.x.x 255.255.255.255 outside

    SSH Mail_Inside_AGH 255.255.255.255 inside

    SSH timeout 5

    Console timeout 0

    management of 192.168.1.2 - dhcpd address 192.168.1.254

    enable dhcpd management

    !

    a basic threat threat detection

    statistical threat detection port

    Statistical threat detection Protocol

    Statistics-list of access threat detection

    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

    prefer NTP server SVR - DC1 source inside

    internal VPN group policy

    attributes of VPN group policy

    value 192.168.x.x 192.168.x.x WINS server

    Server DNS value 192.168.x.x 192.168.x.x

    enable IPSec-udp

    value by default domain-ACE

    username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0

    attributes of VPN username

    Strategy-Group-VPN VPN

    VPN Tunnel-group type remote access

    General-attributes of VPN Tunnel-group

    address vpnpool pool

    Group Policy - by default-VPN

    Group-tunnel VPN ipsec-attributes

    pre-shared key *.

    tunnel-group r.r.r.244 type ipsec-l2l

    r.r.r.244 tunnel ipsec-attributes group

    pre-shared key *.

    by default-group r.r.r.244 tunnel-Group-map

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    type of policy-card inspect dns migrated_dns_map_1

    parameters

    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the migrated_dns_map_1 dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the netbios

    inspect the tftp

    inspect the sip

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:8360816431357f109b3c4b950d545c86

    : end

    This route is duplicated with the remote network

    Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

    I suggest to make this more specific subnet or add something like

    Route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

    Internal, if above not in fact help, put a trace packet to simulate traffic even that fails on the 5510.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

    Kind regards

  • ASA, VPN Site-to-Site

    Hello

    I would like to VPN site-to-site using ASA 5520 and I have some question if you don't mind:

    Site A:

    Peer IP address: aaa.aaa.aaa.aaa/32

    Local network: bbb.bbb.bbb.bbb/32

    Site b:

    Peer IP address: xxx.xxx.xxx.xxx/32

    Local network: yyy.yyy.yyy.yyy/32

    on the site to site vpn Wizard (site B), the network of peers should be site A and the LAN must be site B and remote network must be the site one right?

    the IP address of the local network should be not be used right by other devices on the right? I can use use a unique IP address instead of the beach of network on the LAN and remotely? from the client on site give me a unique IP address?

    can I allow on site A browse only a single IP address on my site B and allowing only ports 80 and 443, please can you give me example I prefer ASDM.

    Thank you and waiting for your help.

    Hello

    I can only really give an example of this using the CLI (or I rather do as I do not use ASDM almost at all)

    You have all already existing L2L / Site to Site VPN connections on the SAA?

    Could you share your current configuration (delete all sensitive information) so we can take into account all existing configurations you have

    Did you agree on what will be the settings phase 1 VPN L2L and Phase2 with the other sites technical contact who will set up their side of the L2L VPN?

    -Jouni

  • VPN site to Site btw Pix535 and 2811 router, can't get to work

    Hi, everyone, I spent a few days doing a VPN site-to site between PIX535 and 2811 router but returned empty-handed, I followed the instructions here:

    http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

    #1: config PIX:

    : Saved

    : Written by enable_15 to the 18:05:33.678 EDT Saturday, October 20, 2012

    !

    8.0 (4) version PIX

    !

    hostname pix535

    !

    interface GigabitEthernet0

    Description to cable-modem

    nameif outside

    security-level 0

    address IP X.X.138.132 255.255.255.0

    OSPF cost 10

    !

    interface GigabitEthernet1

    Description inside 10/16

    nameif inside

    security-level 100

    IP 10.1.1.254 255.255.0.0

    OSPF cost 10

    !

    outside_access_in of access allowed any ip an extended list

    access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.0.0 10.20.0.0 255.255.0.0

    inside_nat0_outbound list of allowed ip extended access all 10.1.1.192 255.255.255.248

    outside_cryptomap_dyn_60 list of allowed ip extended access all 10.1.1.192 255.255.255.248

    access extensive list ip 10.1.0.0 outside_1_cryptomap allow 255.255.0.0 10.20.0.0 255.255.0.0

    pager lines 24

    cnf-8-ip 10.1.1.192 mask - 10.1.1.199 IP local pool 255.255.0.0

    Global interface 10 (external)

    15 1.2.4.5 (outside) global

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 15 10.1.0.0 255.255.0.0

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 X.X.138.1 1

    Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-MD5

    life together - the association of security crypto dynamic-map outside_dyn_map 20 28800 seconds

    Crypto-map dynamic outside_dyn_map 20 kilobytes of life together - the association of safety 4608000

    Crypto-map dynamic outside_dyn_map 40 value transform-set ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA

    life together - the association of security crypto dynamic-map outside_dyn_map 40 28800 seconds

    Crypto-map dynamic outside_dyn_map 40 kilobytes of life together - the association of safety 4608000

    Dynamic crypto map outside_dyn_map 60 match address outside_cryptomap_dyn_60

    Crypto-map dynamic outside_dyn_map 60 value transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA

    life together - the association of security crypto dynamic-map outside_dyn_map 60 28800 seconds

    Crypto-map dynamic outside_dyn_map 60 kilobytes of life together - the association of safety 4608000

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

    Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-SHA-3DES ESP-MD5-3DES ESP-DES-SHA ESP-DES-MD5

    Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

    cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

    card crypto outside_map 1 match address outside_1_cryptomap

    outside_map game 1 card crypto peer X.X.21.29

    card crypto outside_map 1 set of transformation-ESP-DES-SHA

    outside_map map 1 lifetime of security association set seconds 28800 crypto

    card crypto outside_map 1 set security-association life kilobytes 4608000

    outside_map card crypto 65534 isakmp ipsec dynamic SYSTEM_DEFAULT_CRYPTO_MAP

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    ISAKMP crypto identity hostname

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    the Encryption

    sha hash

    Group 1

    life 86400

    crypto ISAKMP policy 20

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    Crypto isakmp nat-traversal 3600

    internal GroupPolicy1 group strategy

    cnf-vpn-cls group policy internal

    attributes of cnf-vpn-cls-group policy

    value of 10.1.1.7 WINS server

    value of 10.1.1.7 DNS server 10.1.1.205

    Protocol-tunnel-VPN IPSec l2tp ipsec

    field default value x.com

    sean U/h5bFVjXlIDx8BtqPFrQw password user name is nt encrypted

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key secret1

    RADIUS-sdi-xauth

    tunnel-group DefaultRAGroup ppp-attributes

    ms-chap-v2 authentication

    tunnel-group cnf-vpn-cls type remote access

    tunnel-group global cnf-vpn-cls-attributes

    cnf-8-ip address pool

    Group Policy - by default-cnf-vpn-cls

    tunnel-group cnf-CC-vpn-ipsec-attributes

    pre-shared-key secret2

    ISAKMP ikev1-user authentication no

    tunnel-group cnf-vpn-cls ppp-attributes

    ms-chap-v2 authentication

    tunnel-group X.X.21.29 type ipsec-l2l

    IPSec-attributes tunnel-Group X.X.21.29

    Pre-shared key SECRET

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    !

    global service-policy global_policy

    context of prompt hostname

    Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c

    : end

    #2: 2811 router config:

    !

    ! Last configuration change to 09:15:32 PST Friday, October 19, 2012 by cnfla

    ! NVRAM config update at 13:45:03 PST Tuesday, October 16, 2012

    !

    version 12.4

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    no password encryption service

    !

    hostname THE-2800

    !

    !

    Crypto pki trustpoint TP-self-signed-1411740556

    enrollment selfsigned

    name of the object cn = IOS - Self - signed - certificate - 1411740556

    revocation checking no

    rsakeypair TP-self-signed-1411740556

    !

    !

    TP-self-signed-1411740556 crypto pki certificate chain

    certificate self-signed 01

    308201A 8 A0030201 02020101 3082023F 300 D 0609 2A 864886 F70D0101 04050030

    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

    69666963 31343131 37343035 6174652D 3536301E 170 3132 31303136 32303435

    30335A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

    4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 34313137 65642D

    34303535 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

    8100F75F F1BDAD9B DE9381FD 7EAF9685 CF15A317 165B 5188 1 B 424825 9C66AA28

    C990B2D3 D69A2F0F D745DB0E 2BB4995D 73415AC4 F01B2019 C4BCF9E0 84373199

    E599B86C 17DBDCE6 47EBE0E3 8DBC90B2 9B4E217A 87F04BF7 A182501E 24381019

    A61D2C05 5404DE88 DA2A1ADC A81B7F65 C318B697 7ED69DF1 2769E4C8 F3449B33

    010001A 3 67306530 1 130101 FF040530 030101FF 30120603 0F060355 35AF0203

    1104 B 0 300982 074C412D 32383030 551D 551 2304 18301680 14B56EEB 301F0603

    88054CCA BB8CF8E8 F44BFE2C B77954E1 52301 D 06 04160414 B56EEB88 03551D0E

    054CCABB 8CF8E8F4 4BFE2CB7 7954E152 300 D 0609 2A 864886 F70D0101 04050003

    81810056 58755 56 331294F8 BEC4FEBC 54879FF5 0FCC73D4 B964BA7A 07D 20452

    E7F40F42 8B 355015 77156C9F AAA45F9F 59CDD27F 89FE7560 F08D953B FC19FD2D

    310DA96E A5F3E83B 52D515F8 7B4C99CF 4CECC3F7 1A0D4909 BD08C373 50BB53CC

    659 4246 2CB7B79F 43D94D96 586F9103 9B4659B6 5C8DDE4F 7CC5FC68 C4AD197A 4EC322 C

    quit smoking

    !

    !

    !

    crypto ISAKMP policy 1

    preshared authentication

    ISAKMP crypto key address SECRET X.X.138.132 No.-xauth

    !

    !

    Crypto ipsec transform-set the-2800-trans-set esp - esp-sha-hmac

    !

    map 1 la-2800-ipsec policy ipsec-isakmp crypto

    ipsec vpn Description policy

    defined by peer X.X.138.132

    the transform-set the-2800-trans-set value

    match address 101

    !

    !

    !

    !

    !

    !

    interface FastEthernet0/0

    Description WAN side

    address IP X.X.216.29 255.255.255.248

    NAT outside IP

    IP virtual-reassembly

    automatic duplex

    automatic speed

    No cdp enable

    No mop enabled

    card crypto 2800-ipsec-policy

    !

    interface FastEthernet0/1

    Description side LAN

    IP 10.20.1.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    full duplex

    automatic speed

    No mop enabled

    !

    IP nat inside source map route sheep interface FastEthernet0/0 overload

    access-list 10 permit X.X.138.132

    access-list 99 allow 64.236.96.53

    access-list 99 allow 98.82.1.202

    access list 101 remark vpn tunnerl acl

    Note access-list 101 category SDM_ACL = 4

    policy of access list 101 remark tunnel

    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

    access-list 110 deny ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255

    access-list 110 permit ip 10.20.0.0 0.0.0.255 any

    public RO SNMP-server community

    !

    !

    !

    sheep allowed 10 route map

    corresponds to the IP 110

    !

    !

    !

    !

    WebVPN gateway gateway_1

    IP address X.X.216.29 port 443

    SSL trustpoint TP-self-signed-1411740556

    development

    !

    WebVPN install svc flash:/webvpn/svc.pkg

    !

    WebVPN gateway-1 context

    title 'b '.

    secondary-color white

    color of the title #CCCC66

    text-color black

    SSL authentication check all

    !

    !

    policy_1 political group

    functions compatible svc

    SVC-pool of addresses "WebVPN-Pool."

    SVC Dungeon-client-installed

    SVC split include 10.20.0.0 255.255.0.0

    Group Policy - by default-policy_1

    Gateway gateway_1

    development

    !

    !

    end

    #3: test Pix to the router:


    ITS enabled: 1

    Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)

    Total SA IKE: 1

    1 peer IKE: X.X.21.29

    Type: user role: initiator

    Generate a new key: no State: MM_WAIT_MSG2

    > DEBUG:

    12:07:14 pix535:Oct 22 Oct 22 12:20:28 EDT: % PIX-vpn-3-713902: IP = X.X.21.29, Removing peer to peer table has not, no match
    !
    22 Oct 12:07:14 pix535: 22 Oct 12:20:28 EDT: % PIX-vpn-4-713903: IP = X.X.21.29, error: cannot delete PeerTblEntry
    #4: test the router to pix:
    LA - 2800 #sh crypto isakmp his
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
    X.X.138.132 X.X.216.29 MM_KEY_EXCH 1017 ASSETS 0
    > debug
    LA - 2800 #ping 10.1.1.7 source 10.20.1.1
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to 10.1.1.7, time-out is 2 seconds:
    Packet sent with a source address of 10.20.1.1
    Oct 22 16:24:33.945: ISAKMP: (0): profile of THE request is (NULL)
    22 Oct 16:24:33.945: ISAKMP: created a struct peer X.X.138.132, peer port 500
    22 Oct 16:24:33.945: ISAKMP: new created position = 0x488B25C8 peer_handle = 0 x 80000013
    22 Oct 16:24:33.945: ISAKMP: lock struct 0x488B25C8, refcount 1 to peer isakmp_initiator
    22 Oct 16:24:33.945: ISAKMP: 500 local port, remote port 500
    22 Oct 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE
    22 Oct 16:24:33.945: ISAKMP: find a dup her to the tree during the isadb_insert his 487720 A 0 = call BVA
    22 Oct 16:24:33.945: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    22 Oct 16:24:33.945: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132
    Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    Oct 22 16:24:33.945: ISAKMP: (0): built the seller-07 ID NAT - t
    Oct 22 16:24:33.945: ISAKMP: (0): built of NAT - T of the seller-03 ID
    Oct 22 16:24:33.945: ISAKMP: (0): built the seller-02 ID NAT - t
    22 Oct 16:24:33.945: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    22 Oct 16:24:33.945: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
    Oct 22 16:24:33.945: ISAKMP: (0): Beginner Main Mode Exchange
    Oct 22 16:24:33.945: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_NO_STATE
    22 Oct 16:24:33.945: ISAKMP: (0): sending a packet IPv4 IKE.
    22 Oct 16:24:34.049: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_NO_STATE X.X.138.132
    22 Oct 16:24:34.049: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    22 Oct 16:24:34.049: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
    Oct 22 16:24:34.049: ISAKMP: (0): treatment ITS payload. Message ID = 0
    Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment
    Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    Oct 22 16:24:34.049: ISAKMP: (0): provider ID is NAT - T v2
    Oct 22 16:24:34.049: ISAKMP: (0): load useful vendor id of treatment
    Oct 22 16:24:34.049: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
    22 Oct 16:24:34.053: ISAKMP: (0): pair found pre-shared key matching 70.169.138.132
    Oct 22 16:24:34.053: ISAKMP: (0): pre-shared key local found
    22 Oct 16:24:34.053: ISAKMP: analysis of the profiles for xauth...
    22 Oct 16:24:34.053: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    22 Oct 16:24:34.053: ISAKMP: DES-CBC encryption
    22 Oct 16:24:34.053: ISAKMP: SHA hash
    22 Oct 16:24:34.053: ISAKMP: default group 1
    22 Oct 16:24:34.053: ISAKMP: pre-shared key auth
    22 Oct 16:24:34.053: ISAKMP: type of life in seconds
    22 Oct 16:24:34.053: ISAKMP: life (IPV) 0 x 0 0 x 1 0 x 51 0x80
    22 Oct 16:24:34.053: ISAKMP: (0): atts are acceptable
    . Next payload is 0
    22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts: real life: 0
    22 Oct 16:24:34.053: ISAKMP: (0): Acceptable atts:life: 0
    22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his vpi_length:4
    22 Oct 16:24:34.053: ISAKMP: (0): fill atts in his life_in_seconds:86400
    22 Oct 16:24:34.053: ISAKMP: (0): return real life: 86400
    22 Oct 16:24:34.053: ISAKMP: (0): timer life Started: 86400.
    Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment
    Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
    Oct 22 16:24:34.053: ISAKMP: (0): provider ID is NAT - T v2
    Oct 22 16:24:34.053: ISAKMP: (0): load useful vendor id of treatment
    Oct 22 16:24:34.053: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
    22 Oct 16:24:34.053: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    22 Oct 16:24:34.053: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
    Oct 22 16:24:34.057: ISAKMP: (0): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_SA_SETUP
    22 Oct 16:24:34.057: ISAKMP: (0): sending a packet IPv4 IKE.
    22 Oct 16:24:34.057: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    22 Oct 16:24:34.057: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
    22 Oct 16:24:34.181: ISAKMP (0:0): packet received dport 500 sport Global 500 (I) MM_SA_SETUP X.X.138.132
    22 Oct 16:24:34.181: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    22 Oct 16:24:34.181: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
    Oct 22 16:24:34.181: ISAKMP: (0): processing KE payload. Message ID = 0
    Oct 22 16:24:34.217: ISAKMP: (0): processing NONCE payload. Message ID = 0
    22 Oct 16:24:34.217: ISAKMP: (0): pre-shared key found peer corresponding to X.X.138.132
    Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
    Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is the unit
    Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
    Oct 22 16:24:34.217: ISAKMP: (1018): provider ID seems the unit/DPD but major incompatibility of 55
    Oct 22 16:24:34.217: ISAKMP: (1018): provider ID is XAUTH
    Oct 22 16:24:34.217: ISAKMP: (1018): load useful vendor id of treatment
    Oct 22 16:24:34.217: ISAKMP: (1018): addressing another box of IOS
    !
    Oct 22 16:24:34.221: ISAKMP: (1018): load useful vendor id of treatment
    22 Oct 16:24:34.221: ISAKMP: (1018): vendor ID seems the unit/DPD but hash mismatch
    22 Oct 16:24:34.221: ISAKMP: receives the payload type 20
    22 Oct 16:24:34.221: ISAKMP: receives the payload type 20
    22 Oct 16:24:34.221: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    22 Oct 16:24:34.221: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM4
    22 Oct 16:24:34.221: ISAKMP: (1018): send initial contact
    22 Oct 16:24:34.221: ISAKMP: (1018): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    22 Oct 16:24:34.221: ISAKMP (0:1018): payload ID
    next payload: 8
    type: 1
    address: X.X.216.29
    Protocol: 17
    Port: 500
    Length: 12
    22 Oct 16:24:34.221: ISAKMP: (1018): the total payload length: 12
    Oct 22 16:24:34.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
    22 Oct 16:24:34.221: ISAKMP: (1018): sending a packet IPv4 IKE.
    22 Oct 16:24:34.225: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    22 Oct 16:24:34.225: ISAKMP: (1018): former State = new State IKE_I_MM4 = IKE_I_MM5
    ...
    22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 198554740
    22 Oct 16:24:38.849: ISAKMP: (1017): purge the node 812380002
    22 Oct 16:24:38.849: ISAKMP: (1017): purge node 773209335...
    Success rate is 0% (0/5)
    # THE-2800
    Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
    22 Oct 16:24:44.221: ISAKMP (0:1018): increment the count of errors on his, try 1 5: retransmit the phase 1
    Oct 22 16:24:44.221: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
    22 Oct 16:24:44.221: ISAKMP: (1018): sending a packet IPv4 IKE.
    22 Oct 16:24:44.317: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
    Oct 22 16:24:44.317: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
    Oct 22 16:24:44.321: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission 96)
    22 Oct 16:24:48.849: ISAKMP: (1017): serving SA., his is 469BAD60, delme is 469BAD60
    22 Oct 16:24:52.313: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
    Oct 22 16:24:52.313: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
    Oct 22 16:24:52.313: ISAKMP: (1018): retransmission due to phase 1 of retransmission
    Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
    22 Oct 16:24:52.813: ISAKMP (0:1018): increment the count of errors on his, try 2 of 5: retransmit the phase 1
    Oct 22 16:24:52.813: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP: (1018): package X.X138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
    22 Oct 16:24:52.813: ISAKMP: (1018): sending a packet IPv4 IKE.
    Oct 22 16:24:52.913: ISAKMP: (1018): package of phase 1 is a duplicate of a previous package.
    Oct 22 16:24:52.913: ISAKMP: (1018): retransmission jumped to the stage 1 (time elapsed since the last transmission of 100)
    22 Oct 16:25:00.905: ISAKMP (0:1018): packet received dport 500 sport Global 500 (I) MM_KEY_EXCH X.X.138.132
    22 Oct 16:25:00.905: ISAKMP: node set 422447177 to QM_IDLE
    ....
    22 Oct 16:25:03.941: ISAKMP: (1018): SA is still budding. New application of ipsec in the annex
    . (local 1 X. X.216.29, remote X.X.138.132)
    22 Oct 16:25:03.941: ISAKMP: error during the processing of HIS application: failed to initialize SA
    22 Oct 16:25:03.941: ISAKMP: error while processing message KMI 0, error 2.
    Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
    22 Oct 16:25:12.814: ISAKMP (0:1018): increment the count of errors on his, try 4 out 5: retransmit the phase 1
    Oct 22 16:25:12.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
    22 Oct 16:25:12.814: ISAKMP: (1018): sending a packet IPv4 IKE.
    Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
    22 Oct 16:25:22.814: ISAKMP (0:1018): increment the count of errors on his, try 5 of 5: retransmit the phase 1
    Oct 22 16:25:22.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP: (1018): package X.X.138.132 my_port 500 peer_port 500 (I) sending MM_KEY_EXCH
    22 Oct 16:25:22.814: ISAKMP: (1018): sending a packet IPv4 IKE.
    Oct 22 16:25:32.814: ISAKMP: (1018): transmit phase 1 MM_KEY_EXCH...
    22 Oct 16:25:32.814: ISAKMP: (1018): peer does not paranoid KeepAlive.
    ......

    22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

    22 Oct 16:25:32.814: ISAKMP: (1018): removal of reason ITS status of 'Death by retransmission P1' (I) MM_KEY_EXCH (post 70.169.138.132)

    22 Oct 16:25:32.814: ISAKMP: Unlocking counterpart struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0

    22 Oct 16:25:32.814: ISAKMP: delete peer node by peer_reap for X.X.138.132: 488B25C8

    22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 1112432180 FALSE reason 'IKE deleted.

    22 Oct 16:25:32.814: ISAKMP: (1018): error suppression node 422447177 FALSE reason 'IKE deleted.

    22 Oct 16:25:32.814: ISAKMP: (1018): node-278980615 error suppression FALSE reason 'IKE deleted.

    22 Oct 16:25:32.814: ISAKMP: (1018): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

    22 Oct 16:25:32.814: ISAKMP: (1018): former State = new State IKE_I_MM5 = IKE_DEST_SA

    22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 1112432180

    22 Oct 16:26:22.816: ISAKMP: (1018): purge the node 422447177

    22 Oct 16:26:22.816: ISAKMP: (1018): purge the node-278980615

    22 Oct 16:26:32.816: ISAKMP: (1018): serving SA., its A 487720, 0 =, delme = A 487720, 0

    The PIX is also used VPN client, such as the VPN Cicso 5.0 client access, works very well. Router is used as a server SSL VPN, too much work

    I know there are a lot of data here, I hope that these data may be useful for diagnostic purposes.

    All suggestions and tips are greatly appreciated.

    Sean

    Recommended action:

    On the PIX:

    no card crypto outside_map 1

    !

    crypto ISAKMP policy 5

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    !

    card crypto outside_map 10 correspondence address outside_1_cryptomap

    crypto outside_map 10 peer X.X.216.29 card game

    outside_map crypto 10 card value transform-set ESP-3DES-SHA

    life safety association set card crypto outside_map 10 28800 seconds

    card crypto outside_map 10 set security-association life kilobytes 4608000

    !

    tunnel-group X.X.216.29 type ipsec-l2l

    IPSec-attributes tunnel-Group X.X.216.29

    Pre-shared key SECRET

    !

    On the router:

    crypto ISAKMP policy 10

    preshared authentication

    Group 2

    3des encryption

    !

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    output

    !

    card 10 la-2800-ipsec policy ipsec-isakmp crypto

    ipsec vpn Description policy

    defined by peer X.X.138.132

    game of transformation-ESP-3DES-SHA

    match address 101

    !

    No crypto card-2800-ipsec-policy 1

    Let me know how it goes.

    Portu.

    Please note all useful posts

    Post edited by: Javier Portuguez

  • Router vpn site to site PIX and vpn client

    I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

    ISAKMP crypto RTR #show its
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
    66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
    current_peer 66.x.x.x port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 40, #recv errors 0

    local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
    Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
    current outbound SPI: 0xC4BAC5E (206285918)

    SAS of the esp on arrival:
    SPI: 0xD7848FB (225986811)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4573083/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xC4BAC5E (206285918)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4572001/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Expand the IP NAT access list
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
    Expand the IP VPN_ACCESS access list
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

    is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

    If it's just ping, then activate pls what follows on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

    Config complete hand and on the other could help determine if it's a configuration problem or another problem.

  • Have a vpn site to site of work, added second who has problems

    We've had a success vpn site to site working for several months now. It's a 5510 ASA to Headquarters for an ASA 5505 in a branch in another State. We add a second vpn site to site in another State this time of the AC to a Sonicwall TZ100. After connecting the Sonicwall to the Qwest modem in bridge mode tunnel came right up. I was unable to ping all off the coast of the private IPs to the HQ of the new branch, but was able to use the remote desktop in servers and workstations at Headquarters. Also, all computers appear when you browse the network of the new branch.

    The first part, we are able to ping both directions and use remote desktop in both directions.

    When using tracers of package in ASDM on the ASA HQ and rattling one of the IPs in HQ protected network to an IP address in the new network of agencies EXEMPT from NAT looks good, but when it hits the first NAT it fits on the "dynamic translation to the pool (10.1.255.254) 10 [Interface PAT]" (which is the default route to all VLAN access to Internet).

    Next NAT (subtype - host-limits) is more beautiful and this one goes to the IP address of the external interface of the ASA 5510 HQ, but then the third NAT (subtype - rpf-check) returns to the ' 10 (10.1.255.254) Interface PAT] "and the package is ABANDONED. Also there is no step VPN in Packet Tracer after NAT.

    So obviously the HQ ASA 5510 does not consider this to be interesting traffic but I don't know why.

    Here is the output of sh crypto ipsec his ffrom HQ ASA:

    Interface: outside
    Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

    access-list encrypt_acl-30 permit ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    local ident (addr, mask, prot, port): (10.1.1.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
    current_peer: 65.102.14.72

    #pkts program: 229450, #pkts encrypt: 229450, #pkts digest: 229450
    #pkts decaps: 172516, #pkts decrypt: 172516, #pkts check: 172516
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 229450, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: 91860025

    SAS of the esp on arrival:
    SPI: 0x88957B9C (2291497884)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 59068
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0xFFFFFFFF to 0xFFFFFFFF
    outgoing esp sas:
    SPI: 0 x 91860025 (2441478181)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 59068
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Tag crypto map: outside_map, seq num: 30 local addr: 209.X.X.X

    access-list encrypt_acl-30 permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
    local ident (addr, mask, prot, port): (10.1.10.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (10.1.8.0/255.255.255.0/0/0)
    current_peer: 65.102.x.x

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
    success #frag before: 0, failures before #frag: 0, #fragments created: 0
    Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt. : 209.X.X.X, remote Start crypto. : 65.102.X.X

    Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
    current outbound SPI: A204BAE2

    SAS of the esp on arrival:
    SPI: 0xDA8C653A (3666634042)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 84670
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001
    outgoing esp sas:
    SPI: 0xA204BAE2 (2718218978)
    transform: esp-3des esp-md5-hmac no compression
    running parameters = {L2L, Tunnel}
    slot: 0, id_conn: 2600960, crypto-card: outside_map
    calendar of his: service life remaining key (s): 84621
    Size IV: 8 bytes
    support for replay detection: Y
    Anti-replay bitmap:
    0x00000000 0x00000001

    Here is the output of sh crypto isakmp his on HQ ASA:

    3 peer IKE: 65.102.x.x

    Type: L2L role: answering machine

    Generate a new key: no State: MM_ACTIVE

    Here is the config:

    ASA Version 8.0 (4)
    !
    hostname COMPASA
    domain COMPfirm.com
    activate the encrypted password of TMACBloMlcBsq1kp
    TMACBloMlcBsq1kp encrypted passwd
    names of
    DNS-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    IP 209.X.X.X 255.255.255.224
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    IP 10.1.255.254 255.255.255.248
    !
    interface Ethernet0/2
    nameif dmz
    security-level 50
    10.2.2.1 IP address 255.255.255.0
    !
    interface Ethernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    management only
    !
    boot system Disk0: / asa804 - k8.bin
    passive FTP mode
    clock timezone MDT - 7
    clock to summer time recurring MDT
    DNS domain-lookup outside
    DNS server-group DefaultDNS
    Name-Server 4.2.2.1
    domain COMPfirm.com
    permit same-security-traffic inter-interface
    permit same-security-traffic intra-interface
    list of allowed inbound tcp extended access any host 209.X.X.X eq www
    list of allowed inbound tcp extended access any host 209.X.X.X eq https
    list of allowed inbound tcp extended access any host 209.X.X.X eq ftp
    list of allowed inbound tcp extended access any host 209.X.X.X eq ftp - data
    list of allowed inbound tcp extended access any host 209.X.X.X eq ssh
    list of allowed inbound tcp extended access any host 209.X.X.X eq imap4
    list of allowed inbound tcp extended access any host 209.X.X.X eq pop3
    list of allowed inbound tcp extended access any host 209.X.X.X eq www
    list of allowed inbound tcp extended access any host 209.X.X.X eq https
    list of allowed inbound tcp extended access any host 209.X.X.X eq smtp
    list of extended inbound icmp permitted access a whole
    access list entering note MMS-1755
    list incoming extended access permit tcp any eq 1755 host inactive 209.X.X.X
    inbound access list notice MMS - UDP
    list of inbound udp allowed extended access all eq 1755 host inactive 209.X.X.X
    DMZ list extended access permit tcp host 10.2.2.2 10.1.1.11 host eq smtp
    DMZ list extended access permit tcp host 10.2.2.2 host 10.1.1.50 eq 8777
    access-list extended sheep allowed ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
    access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.0.0.0 255.255.255.0
    access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list sheep extended ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
    access-list extended sheep allowed ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    access extensive list ip 10.1.0.0 vpnsplit allow 255.255.0.0 172.16.22.0 255.255.255.0
    access extensive list ip 10.1.10.0 encrypt_acl allow 255.255.255.0 10.0.0.0 255.255.255.0
    permit encrypt_acl to access extended list ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    global_mpc list extended access permitted tcp a whole
    access-list encrypt_acl-30 scope ip 10.1.10.0 allow 255.255.255.0 10.1.8.0 255.255.255.0
    access-list encrypt_acl-30 permit extended ip 10.1.1.0 255.255.255.0 10.1.8.0 255.255.255.0
    pager lines 24
    Enable logging
    asdm of logging of information
    Outside 1500 MTU
    Within 1500 MTU
    MTU 1500 dmz
    management of MTU 1500
    IP local pool vpnpool 172.16.22.1 - 172.16.22.254 mask 255.255.255.0
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow any inside
    ASDM image disk0: / asdm - 61551.bin
    don't allow no asdm history
    ARP timeout 14400
    Global (outside) 10 209.X.X.X netmask 255.255.255.0
    Global interface (10 Interior)
    Global interface (dmz) 10
    NAT (inside) 0 access-list sheep
    NAT (inside) 10 0.0.0.0 0.0.0.0
    NAT (dmz) 10 0.0.0.0 0.0.0.0
    static (dmz, external) 209.X.X.X 10.2.2.2 netmask 255.255.255.255
    static (inside, outside) 209.X.X.X 10.1.1.11 netmask 255.255.255.255
    static (dmz, inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
    static (inside, dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
    static (inside, dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255
    Access-group interface incoming outside
    Access-group in interface dmz dmz
    Route outside 0.0.0.0 0.0.0.0 209.X.X.X 1
    Route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
    Timeout xlate 03:00
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-registration DfltAccessPolicy
    Ray of AAA-server vpn Protocol
    AAA-server vpn (inside) host 10.1.1.12
    key--> ZZZZZZ
    the ssh LOCAL console AAA authentication
    AAA authentication LOCAL telnet console
    local AAA authentication attempts 16 max in case of failure
    Enable http server
    http 172.16.22.0 255.255.255.0 inside
    http 10.1.0.0 255.255.0.0 inside
    No snmp server location
    No snmp Server contact
    Sysopt noproxyarp inside
    Sysopt noproxyarp dmz
    Sysopt noproxyarp management
    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set esp-3des esp-md5-hmac HQset
    life crypto ipsec security association seconds 28800
    Crypto ipsec kilobytes of life - safety 4608000 association
    Crypto-map dynamic outside_dyn_map 10 the transform-set ESP-3DES-MD5 value
    life together - the association of security crypto dynamic-map outside_dyn_map 10 28800 seconds
    Crypto-map dynamic outside_dyn_map 10 kilobytes of life together - the association of safety 4608000
    Crypto-map dynamic outside_dyn_map 10 the value reverse-road
    card crypto outside_map 20 match address encrypt_acl
    card crypto outside_map 20 game peers 67.42.X.X
    outside_map 20 game of transformation-HQset crypto card
    life safety association set card crypto outside_map 20 28800 seconds
    card crypto outside_map 20 set security-association life kilobytes 4608000
    card crypto 30 match address encrypt_acl-30 outside_map
    crypto outside_map 30 peer 65.102.X.X card game
    crypto outside_map 30 card value transform-set HQset
    86400 seconds, duration of life card crypto outside_map 30 set - the security association
    card crypto outside_map 30 set security-association life kilobytes 4608000
    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
    outside_map interface card crypto outside
    crypto ISAKMP allow outside
    crypto ISAKMP policy 10
    preshared authentication
    3des encryption
    md5 hash
    Group 2
    life 86400
    Crypto isakmp nat-traversal 50
    Telnet 10.1.0.0 255.255.0.0 inside
    Telnet timeout 15
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH 10.1.0.0 255.255.0.0 inside
    SSH timeout 30
    Console timeout 0
    management-access inside
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    threat scan-threat detection
    threat detection statistics
    a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
    Server NTP 192.43.244.18
    WebVPN
    allow outside
    SVC disk0:/anyconnect-win-2.3.0254-k9.pkg 1 image
    enable SVC
    tunnel-group-list activate
    internal Clients_VPN group strategy
    Group Policy Clients_VPN attributes
    value of server WINS 10.1.1.12
    value of server DNS 10.1.1.12
    Protocol-tunnel-VPN IPSec
    enable IPSec-udp
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list vpnsplit
    value by default-field COMPfirm.local
    Split-dns value COMPfirm.local
    the address value vpnpool pools
    internal clientgroup group policy
    attributes of the strategy of group clientgroup
    value of server WINS 10.1.1.12
    value of server DNS 10.1.1.12
    VPN-tunnel-Protocol svc webvpn
    Split-tunnel-policy tunnelall
    WebVPN
    SVC Dungeon-Installer installed
    time to generate a new key of SVC 30
    SVC generate a new method ssl key
    SVC request no svc default
    ssluser1 encrypted password username
    username bcurtis encrypted password privilege 0 v
    username privilege 15 WPDR encrypted password
    username admin privilege 15 encrypted password
    username privilege password encrypted XXXXXXX 0
    tunnel-group M & J type remote access
    tunnel-group M & J - global attributes
    address vpnpool pool
    Vpn server authentication group
    strategy - by default-group Clients_VPN
    tunnel-group M & J ipsec-attributes
    pre-shared-key *.
    type tunnel-group sslgroup remote access
    tunnel-group sslgroup General-attributes
    address vpnpool pool
    Vpn server authentication group
    Group Policy - by default-clientgroup
    tunnel-group sslgroup webvpn-attributes
    activation of the Group sslgroup_users alias
    tunnel-group 67.42.X.X type ipsec-l2l
    IPSec-attributes tunnel-group 67.42.X.X
    pre-shared-key *.
    tunnel-group 65.102.X.X type ipsec-l2l
    IPSec-attributes tunnel-group 65.102.X.X
    pre-shared-key *.
    !
    Global class-card class
    corresponds to the global_mpc access list
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns migrated_dns_map_1
    parameters
    message-length maximum 768
    Policy-map global_policy
    class inspection_default
    inspect the migrated_dns_map_1 dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Global category
    IPS inline sensor vs0 relief
    !
    global service-policy global_policy
    context of prompt hostname
    Cryptochecksum:ZZZZZZZZZZZZZZZZZZZZZ
    : end

    Is the problem may be due to the fact that my 2 new ACL to fall "encrypt_acl-30" after "access-list extended global_mpc permit tcp any any" in the config and it flows into the implied all refuse?

    Thanks for looking at this.

    Rather than replace the static route, you can simply add a new static route to 10.1.8.0/24 as follows:

    outdoor 10.1.8.0 255.255.255.0 209.X.X.X 1

    Because it is more precise it will take precedence over your most generic static route from 10.1.0.0/16 inward.

    Good spot btw!

  • Use the remote website via VPN site-to-site

    Hi all

    We have two sites, the site has and B. At site A, we have a Web site we want to share with all of site B. Currently, site B can access the site via the VPN site-to site on X 0, which is their LAN. Nothing outside X 0 cannot access or ping to the address.

    We added access rules to allow access from the DMZ to this interface, but again, no ping and no communication at all. The other strange thing is that we see that no trip package for these access rules either.

    Any help is appreciated. Thank you.

    It seems that the demilitarized zone is not part of the VPN tunnel.

    Can you confirm that the DMZ subnet is part of local destinations on the site B and a part of the local destinations on site?

    Kevin

  • UC520 VPN Site-to-Site

    Hi all

    I have a very weird problem (at least for me)

    I have a UC520 connected to an ASA5510 via the VPN Site to Site.

    I can ping from clients behind customer UC520 behind ASA5510.

    I can ping from clients behind ASA5510 customer behind UC520

    I can access services (such as RDP) clients behind customer UC520 behind ASA5510

    I can't go to services (such as RDP, HTTP) clients behind customer ASA5510 behind UC520

    Does anyone have an idea where I should look? I tried to remove any access list by (temporarily) to a permit ip everything any line in these.

    I think it must be some sort of NAT problem, but I'm not sure.

    Thanks in advance

    You said your UC logs revealed nothing trying to connect a.11 et.12, this means that traffic is never achieved to the CPU at all, got to the UC and was abandoned before entering the LAN or traffic got to the hosts but never returned.

    Internal hosts to other outgoing routes defined on them (unlikely but possible), and you can check that traffic is through the UC outside interface at least?

  • Cisco ASA 5505 VPN Site to Site

    Hi all

    First post on the forums. I have worked with Cisco ASA 5505 for a few months and I recently bought a 2nd ASA to implement tunnel VPN Site to Site. It seems so simple in the number of videos watched on the internet. But when I did he surprise it did work for me... I've removed the tunnels, a number of times and tried to recreate. I use the VPN Wizard in the SMA to create the tunnel. Both the asa 5505 of are and have the same firmware even etc..

    I'd appreciate any help that can be directed to this problem please.  Slowly losing my mind

    Please see details below:

    Two ADMS are 7.1

    IOS

    ASA 1

    Nadia

    :

    ASA Version 9.0 (1)

    !

    hostname PAYBACK

    activate the encrypted password of HSMurh79NVmatjY0

    volatile xlate deny tcp any4 any4

    volatile xlate deny tcp any4 any6

    volatile xlate deny tcp any6 any4

    volatile xlate deny tcp any6 any6

    volatile xlate deny udp any4 any4 eq field

    volatile xlate deny udp any4 any6 eq field

    volatile xlate deny udp any6 any4 eq field

    volatile xlate deny udp any6 any6 eq field

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    local pool VPN1 192.168.50.1 - 192.168.50.254 255.255.255.0 IP mask

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    link Trunk Description of SW1

    switchport trunk allowed vlan 1,10,20,30,40

    switchport trunk vlan 1 native

    switchport mode trunk

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    No nameif

    no level of security

    no ip address

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 92.51.193.158 255.255.255.252

    !

    interface Vlan10

    nameif inside

    security-level 100

    IP 192.168.10.1 255.255.255.0

    !

    interface Vlan20

    nameif servers

    security-level 100

    address 192.168.20.1 255.255.255.0

    !

    Vlan30 interface

    nameif printers

    security-level 100

    192.168.30.1 IP address 255.255.255.0

    !

    interface Vlan40

    nameif wireless

    security-level 100

    192.168.40.1 IP address 255.255.255.0

    !

    connection line banner welcome to the Payback loyalty systems

    boot system Disk0: / asa901 - k8.bin

    passive FTP mode

    summer time clock GMT/IDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    domain-lookup DNS servers

    DNS lookup domain printers

    DNS domain-lookup wireless

    DNS server-group DefaultDNS

    Server name 83.147.160.2

    Server name 83.147.160.130

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    ftp_server network object

    network of the Internal_Report_Server object

    Home 192.168.20.21

    Description address internal automated report server

    network of the Report_Server object

    Home 89.234.126.9

    Description of server automated reports

    service object RDP

    service destination tcp 3389 eq

    Description RDP to the server

    network of the Host_QA_Server object

    Home 89.234.126.10

    Description QA host external address

    network of the Internal_Host_QA object

    Home 192.168.20.22

    host of computer virtual Description for QA

    network of the Internal_QA_Web_Server object

    Home 192.168.20.23

    Description Web Server in the QA environment

    network of the Web_Server_QA_VM object

    Home 89.234.126.11

    Server Web Description in the QA environment

    service object SQL_Server

    destination eq 1433 tcp service

    network of the Demo_Server object

    Home 89.234.126.12

    Description server set up for the product demo

    network of the Internal_Demo_Server object

    Home 192.168.20.24

    Internal description of the demo server IP address

    network of the NETWORK_OBJ_192.168.20.0_24 object

    subnet 192.168.20.0 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_26 object

    255.255.255.192 subnet 192.168.50.0

    network of the NETWORK_OBJ_192.168.0.0_16 object

    Subnet 192.168.0.0 255.255.0.0

    service object MSSQL

    destination eq 1434 tcp service

    MSSQL port description

    VPN network object

    192.168.50.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.50.0_24 object

    192.168.50.0 subnet 255.255.255.0

    service object TS

    tcp destination eq 4400 service

    service of the TS_Return object

    tcp source eq 4400 service

    network of the External_QA_3 object

    Home 89.234.126.13

    network of the Internal_QA_3 object

    Home 192.168.20.25

    network of the Dev_WebServer object

    Home 192.168.20.27

    network of the External_Dev_Web object

    Home 89.234.126.14

    network of the CIX_Subnet object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_84.39.233.50 object

    Home 84.39.233.50

    network of the NETWORK_OBJ_92.51.193.158 object

    Home 92.51.193.158

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    the tcp destination eq ftp service object

    the purpose of the tcp destination eq netbios-ssn service

    the purpose of the tcp destination eq smtp service

    service-object TS

    the Payback_Internal object-group network

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_3

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    service-object TS

    service-object, object TS_Return

    object-group service DM_INLINE_SERVICE_4

    service-object RDP

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    object-group service DM_INLINE_SERVICE_5

    purpose purpose of the MSSQL service

    service-object RDP

    service-object TS

    object-group Protocol TCPUDP

    object-protocol udp

    object-tcp protocol

    object-group service DM_INLINE_SERVICE_6

    service-object TS

    service-object, object TS_Return

    the purpose of the service tcp destination eq www

    the purpose of the tcp destination eq https service

    Note to outside_access_in to access list that this rule allows Internet the interal server.

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-list of FTP access

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list of SMTP access

    Note to outside_access_in to access list Net Bios

    Comment from outside_access_in-SQL access list

    Comment from outside_access_in-list to access TS - 4400

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_1 any4 Internal_Report_Server

    access host access-list outside_access_in note rule internal QA

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access permitted tcp any4 object Internal_Host_QA eq www

    Notice on the outside_access_in of the access-list access to the internal Web server:

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-HTTP access list

    Comment from outside_access_in-RDP access list

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_3 any4 Internal_QA_Web_Server

    Note to outside_access_in to access list rule allowing access to the demo server

    Notice on the outside_access_in of the access-list allowed:

    Comment from outside_access_in-RDP access list

    Comment from outside_access_in-list to access MSSQL

    outside_access_in list extended access allowed object object-group DM_INLINE_SERVICE_4 any4 Internal_Demo_Server

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

    Note to outside_access_in access to the development Web server access list

    outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

    AnyConnect_Client_Local_Print deny any4 any4 ip extended access list

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq lpd

    Note AnyConnect_Client_Local_Print of access list IPP: Internet Printing Protocol

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 631

    print the access-list AnyConnect_Client_Local_Print Note Windows port

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 eq 9100

    access-list AnyConnect_Client_Local_Print mDNS Note: multicast DNS protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.251 any4 eq 5353

    AnyConnect_Client_Local_Print of access list LLMNR Note: link Local Multicast Name Resolution protocol

    AnyConnect_Client_Local_Print list extended access permit udp host 224.0.0.252 any4 eq 5355

    Note access list TCP/NetBIOS protocol AnyConnect_Client_Local_Print

    AnyConnect_Client_Local_Print list extended access permitted tcp any4 any4 EQ. 137

    AnyConnect_Client_Local_Print list extended access permitted udp any4 any4 eq netbios-ns

    Payback_VPN_splitTunnelAcl list standard access allowed 192.168.20.0 255.255.255.0

    permit outside_cryptomap to access extended list ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

    pager lines 24

    Enable logging

    information recording console

    asdm of logging of information

    address record

    [email protected] / * /.

    the journaling recipient

    [email protected] / * /.

    level alerts

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 servers

    MTU 1500 printers

    MTU 1500 wireless

    no failover

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm-711 - 52.bin

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (wireless, outdoors) source Dynamics one interface

    NAT (servers, outside) no matter what source dynamic interface

    NAT (servers, external) static source Internal_Report_Server Report_Server

    NAT (servers, external) static source Internal_Host_QA Host_QA_Server

    NAT (servers, external) static source Internal_QA_Web_Server Web_Server_QA_VM

    NAT (servers, external) static source Internal_Demo_Server Demo_Server

    NAT (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    NAT (servers, external) static source Internal_QA_3 External_QA_3

    NAT (servers, external) static source Dev_WebServer External_Dev_Web

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server
    http 192.168.10.0 255.255.255.0 inside
    http 192.168.40.0 255.255.255.0 wireless
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal OF
    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 84.39.233.50
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1 set ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 5
    FRP sha
    second life 86400
    Crypto ikev2 activate out of service the customer port 443
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 192.168.10.0 255.255.255.0 inside
    SSH 192.168.40.0 255.255.255.0 wireless
    SSH timeout 5
    Console timeout 0

    dhcpd 192.168.0.1 dns
    dhcpd outside auto_config
    !
    dhcpd address 192.168.10.21 - 192.168.10.240 inside
    dhcpd dns 192.168.20.21 83.147.160.2 interface inside
    paybackloyalty.com dhcpd option 15 inside ascii interface
    dhcpd allow inside
    !
    dhcpd address 192.168.40.21 - 192.168.40.240 Wireless
    dhcpd dns 192.168.20.21 83.147.160.2 wireless interface
    dhcpd update dns of the wireless interface
    dhcpd option 15 ascii paybackloyalty.com wireless interface
    dhcpd activate wireless
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal Payback_VPN group strategy
    attributes of Group Policy Payback_VPN
    VPN - 10 concurrent connections
    Ikev1 VPN-tunnel-Protocol
    Split-tunnel-policy tunnelspecified
    value of Split-tunnel-network-list Payback_VPN_splitTunnelAcl
    attributes of Group Policy DfltGrpPolicy
    value of 83.147.160.2 DNS server 83.147.160.130
    VPN-tunnel-Protocol ikev1, ikev2 clientless ssl
    internal GroupPolicy_84.39.233.50 group strategy
    attributes of Group Policy GroupPolicy_84.39.233.50
    VPN-tunnel-Protocol ikev1, ikev2
    Noelle XB/IpvYaATP.2QYm username encrypted password
    Noelle username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username Éanna encrypted password privilege 0 vXILR9ZZQIsd1Naw
    Éanna attributes username
    VPN-group-policy Payback_VPN
    type of remote access service
    Michael qpbleUqUEchRrgQX of encrypted password username
    user name Michael attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, password from Danny .7fEXdzESUk6S/cC encrypted privilege 0
    user name Danny attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aileen tytrelqvV5VRX2pz encrypted password privilege 0 username
    user name Aileen attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Aidan aDu6YH0V5XaxpEPg encrypted password privilege 0 username
    Aidan username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    shane.c iqGMoWOnfO6YKXbw encrypted password username
    username shane.c attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Shane uYePLcrFadO9pBZx of encrypted password username
    user name Shane attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    username, encrypted James TdYPv1pvld/hPM0d password
    user name James attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Mark yruxpddqfyNb.qFn of encrypted password username
    user name brand attributes
    type of service admin
    username password of Mary XND5FTEiyu1L1zFD encrypted
    user name Mary attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    Massimo vs65MMo4rM0l4rVu encrypted password privilege 0 username
    Massimo username attributes
    VPN-group-policy Payback_VPN
    type of remote access service
    type tunnel-group Payback_VPN remote access
    attributes global-tunnel-group Payback_VPN
    VPN1 address pool
    Group Policy - by default-Payback_VPN
    IPSec-attributes tunnel-group Payback_VPN
    IKEv1 pre-shared-key *.
    tunnel-group 84.39.233.50 type ipsec-l2l
    tunnel-group 84.39.233.50 General-attributes
    Group - default policy - GroupPolicy_84.39.233.50
    IPSec-attributes tunnel-group 84.39.233.50
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    Global class-card class
    match default-inspection-traffic
    !
    !
    World-Policy policy-map
    Global category
    inspect the dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    Review the ip options
    inspect the netbios
    inspect the pptp
    inspect the rsh
    inspect the rtsp
    inspect the sip
    inspect the snmp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect xdmcp
    inspect the icmp error
    inspect the icmp
    !
    service-policy-international policy global
    192.168.20.21 SMTP server
    context of prompt hostname
    no remote anonymous reporting call
    call-home
    Profile of CiscoTAC-1
    no active account
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

    ASA 2

    ASA Version 9.0 (1)

    !

    Payback-CIX hostname

    activate the encrypted password of HSMurh79NVmatjY0

    2KFQnbNIdI.2KYOU encrypted passwd

    names of

    !

    interface Ethernet0/0

    switchport access vlan 2

    Speed 100

    full duplex

    !

    interface Ethernet0/1

    Description this port connects to the local network VIRTUAL 100

    switchport access vlan 100

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    switchport access vlan 100

    !

    interface Ethernet0/4

    switchport access vlan 100

    !

    interface Ethernet0/5

    switchport access vlan 100

    !

    interface Ethernet0/6

    switchport access vlan 100

    !

    interface Ethernet0/7

    switchport access vlan 100

    !

    interface Vlan2

    nameif outside

    security-level 0

    IP 84.39.233.50 255.255.255.240

    !

    interface Vlan100

    nameif inside

    security-level 100

    IP 192.168.100.1 address 255.255.255.0

    !

    banner welcome to Payback loyalty - CIX connection line

    passive FTP mode

    summer time clock gmt/idt recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS domain-lookup outside

    DNS lookup field inside

    DNS server-group defaultDNS

    Name-Server 8.8.8.8

    Server name 8.8.4.4

    permit same-security-traffic inter-interface

    network obj_any object

    subnet 0.0.0.0 0.0.0.0

    network of the host-CIX-1 object

    host 192.168.100.2

    Description This is the VM server host machine

    network object host-External_CIX-1

    Home 84.39.233.51

    Description This is the external IP address of the server the server VM host

    service object RDP

    source between 1-65535 destination eq 3389 tcp service

    network of the Payback_Office object

    Home 92.51.193.158

    service object MSQL

    destination eq 1433 tcp service

    network of the Development_OLTP object

    Home 192.168.100.10

    Description for Eiresoft VM

    network of the External_Development_OLTP object

    Home 84.39.233.52

    Description This is the external IP address for the virtual machine for Eiresoft

    network of the Eiresoft object

    Home 146.66.160.70

    Contractor s/n description

    network of the External_TMC_Web object

    Home 84.39.233.53

    Description Public address to the TMC Web server

    network of the TMC_Webserver object

    Home 192.168.100.19

    Internal description address TMC Webserver

    network of the External_TMC_OLTP object

    Home 84.39.233.54

    External targets OLTP IP description

    network of the TMC_OLTP object

    Home 192.168.100.18

    description of the interal target IP address

    network of the External_OLTP_Failover object

    Home 84.39.233.55

    IP failover of the OLTP Public description

    network of the OLTP_Failover object

    Home 192.168.100.60

    Server failover OLTP description

    network of the servers object

    subnet 192.168.20.0 255.255.255.0

    being Wired network

    192.168.10.0 subnet 255.255.255.0

    the subject wireless network

    192.168.40.0 subnet 255.255.255.0

    network of the NETWORK_OBJ_192.168.100.0_24 object

    255.255.255.0 subnet 192.168.100.0

    network of the NETWORK_OBJ_192.168.10.0_24 object

    192.168.10.0 subnet 255.255.255.0

    network of the Eiresoft_2nd object

    Home 137.117.217.29

    Description 2nd Eiresoft IP

    network of the Dev_Test_Webserver object

    Home 192.168.100.12

    Description address internal to the Test Server Web Dev

    network of the External_Dev_Test_Webserver object

    Home 84.39.233.56

    Description This is the PB Dev Test Webserver

    network of the NETWORK_OBJ_192.168.1.0_24 object

    subnet 192.168.1.0 255.255.255.0

    object-group service DM_INLINE_SERVICE_1

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_2

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_3

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_4

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_5

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_6

    service-object MSQL

    service-object RDP

    the Payback_Intrernal object-group network

    object-network servers

    Wired network-object

    wireless network object

    object-group service DM_INLINE_SERVICE_7

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_8

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_9

    service-object MSQL

    service-object RDP

    object-group service DM_INLINE_SERVICE_10

    service-object MSQL

    service-object RDP

    the tcp destination eq ftp service object

    object-group service DM_INLINE_SERVICE_11

    service-object RDP

    the tcp destination eq ftp service object

    outside_access_in list extended access allow object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-host-1

    Note to access list OLTP Development Office of recovery outside_access_in

    outside_access_in list extended access allow DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP object-group

    Comment from outside_access_in-access Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver object-group

    Note to outside_access_in access to OLTP for target recovery Office Access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover object-group

    Note to outside_access_in access-list that's allowing access of the Eiresoft on the failover OLTP server

    outside_access_in list extended access allow DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover object-group

    Comment from outside_access_in-access list access for the 2nd period of INVESTIGATION of Eiresoft

    outside_access_in list extended access allow DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP object-group

    Note to outside_access_in access from the 2nd IP Eiresoft access list

    outside_access_in list extended access allow DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver object-group

    outside_access_in list extended access allow DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP object-group

    outside_cryptomap to access extended list ip 192.168.100.0 allow 255.255.255.0 192.168.10.0 255.255.255.0

    pager lines 24

    Enable logging

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    ICMP unreachable rate-limit 1 burst-size 1

    don't allow no asdm history

    ARP timeout 14400

    no permit-nonconnected arp

    NAT (inside, outside) source Dynamics one interface

    NAT (inside, outside) static source CIX-host-1 External_CIX-host-1

    NAT (inside, outside) static source Development_OLTP External_Development_OLTP

    NAT (inside, outside) static source TMC_Webserver External_TMC_Web

    NAT (inside, outside) static source TMC_OLTP External_TMC_OLTP

    NAT (inside, outside) static source OLTP_Failover External_OLTP_Failover

    NAT (inside, outside) static source Dev_Test_Webserver External_Dev_Test_Webserver

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    NAT (inside, outside) static source NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

    Timeout xlate 03:00

    Pat-xlate timeout 0:00:30

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    Floating conn timeout 0:00:00

    dynamic-access-policy-registration DfltAccessPolicy

    identity of the user by default-domain LOCAL

    the ssh LOCAL console AAA authentication

    Enable http server

    http 92.51.193.156 255.255.255.252 outside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit

    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac

    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit

    Crypto ipsec ikev2 ipsec-proposal OF

    encryption protocol esp
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 proposal ipsec 3DES
    Esp 3des encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES
    Esp aes encryption protocol
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 ipsec-proposal AES192
    Protocol esp encryption aes-192
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec ikev2 AES256 ipsec-proposal
    Protocol esp encryption aes-256
    Esp integrity sha - 1, md5 Protocol
    Crypto ipsec pmtu aging infinite - the security association
    card crypto outside_map 1 match address outside_cryptomap
    card crypto outside_map 1 set pfs
    peer set card crypto outside_map 1 92.51.193.158
    card crypto outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    outside_map card crypto 1jeu ikev2 AES AES192 AES256 3DES ipsec-proposal
    outside_map interface card crypto outside
    trustpool crypto ca policy
    IKEv2 crypto policy 1
    aes-256 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 10
    aes-192 encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 20
    aes encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 30
    3des encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    IKEv2 crypto policy 40
    the Encryption
    integrity sha
    Group 2 of 5
    FRP sha
    second life 86400
    Crypto ikev2 allow outside
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    authentication crack
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 20
    authentication rsa - sig
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 30
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 40
    authentication crack
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 50
    authentication rsa - sig
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 60
    preshared authentication
    aes-192 encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 70
    authentication crack
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 80
    authentication rsa - sig
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 90
    preshared authentication
    aes encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 100
    authentication crack
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 110
    authentication rsa - sig
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 120
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 130
    authentication crack
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 140
    authentication rsa - sig
    the Encryption
    sha hash
    Group 2
    life 86400
    IKEv1 crypto policy 150
    preshared authentication
    the Encryption
    sha hash
    Group 2
    life 86400
    Telnet timeout 5
    SSH 77.75.100.208 255.255.255.240 outside
    SSH 92.51.193.156 255.255.255.252 outside
    SSH timeout 5
    Console timeout 0

    dhcpd outside auto_config
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    internal GroupPolicy_92.51.193.158 group strategy
    attributes of Group Policy GroupPolicy_92.51.193.158
    VPN-tunnel-Protocol ikev1, ikev2
    username password 6e6Djaz3W/XH59zX gordon encrypted privilege 15
    tunnel-group 92.51.193.158 type ipsec-l2l
    tunnel-group 92.51.193.158 General-attributes
    Group - default policy - GroupPolicy_92.51.193.158
    IPSec-attributes tunnel-group 92.51.193.158
    IKEv1 pre-shared-key *.
    remote control-IKEv2 pre-shared-key authentication *.
    pre-shared-key authentication local IKEv2 *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    inspect the icmp
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
    : end

    Hello

    There are some clear problems I see on a quick glance. These are not related to the actual VPN configuration but rather the NAT configurations.

    All your configuration of NAT CLI format above are configured as manual NAT / double NAT in Section 1. This means that the appliance NAT configurations have been added to the same section of the NAT configurations and scheduling of the NAT inside this Section rules is the cause of the problem for the L2L VPN connection for some.

    Here are a few suggestions on what to change

    ASA1

    Minimal changes

    the object of the LAN network

    192.168.10.0 subnet 255.255.255.0

    being REMOTE-LAN network

    255.255.255.0 subnet 192.168.100.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM. It would do the same thing if it has been moved to the top, but I generally find the creation of the 'object' with descriptive names easier on the eyes in the long term.

    Other suggestions

    These changes are not necessary with regard to the VPN L2L. Here are some suggestions how to clean a part of NAT configurations.

    PAT-SOURCE network object-group

    source networks internal PAT Description

    object-network 192.168.10.0 255.255.255.0

    object-network 192.168.20.0 255.255.255.0

    object-network 192.168.40.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    no nat (wireless, outdoors) source Dynamics one interface

    no nat (servers, outside) no matter what source dynamic interface

    The above configuration creates a "object-group" that lists all internal networks that you have dynamic PAT configured so far. It then uses the ' object-group ' in a command unique 'nat' to manage the dynamic PAT for all internal networks (with the exception of printers who had nothing at first). Then we remove the old PAT dynamic configurations.

    Contains the command "nat" "car after" because it moving this "nat" configuration to the bottom of the NAT rules. For this reason its less likely to cause problems in the future.

    network of the SERVERS object

    subnet 192.168.20.0 255.255.255.0

    network of the VPN-POOL object

    192.168.50.0 subnet 255.255.255.0

    NAT (servers, external) 2 static static source of destination of SERVERS SERVERS VPN-VPN-POOL

    no nat (servers, external) static source NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 non-proxy-arp-search of route static destination

    The above configuration is supposed to create a NAT0 configuration for traffic between the network and the pool of Client VPN server. To my knowledge the old configuration that remove us is not used because the traffic would have matched PAT rule dynamic server yet rather than this rule which is later in the NAT configurations and would not be addressed.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    ASA2

    Minimal changes

    the object of the LAN network

    255.255.255.0 subnet 192.168.100.0

    being REMOTE-LAN network

    192.168.10.0 subnet 255.255.255.0

    NAT (inside, outside) 1 static source LAN LAN to static destination REMOTE - LAN LAN

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 non-proxy-arp-search of route static destination

    That means foregoing is first of all create 'object' that contain the local LAN and remote LANs. Then, it creates a NAT0 rule and adds to the top rules NAT. (number 1). It is essentially of at least one of the problems preventing the VPN operation or traffic that cross.

    Finally, we remove the old rule that generated the ASDM.

    Other suggestions

    PAT-SOURCE network object-group

    object-network 192.168.100.0 255.255.255.0

    NAT interface (it is, outside) the after-service automatic PAT-SOURCE dynamic source

    No source (indoor, outdoor) nat Dynamics one interface

    The above configuration is supposed to do the same thing with the other ASA. Although given that this network contains only a single subnet it cleans the "nat" configurations exist that much. But the order of the "nat" configurations is changed to avoid further problems with the NAT order.

    no nat source (indoor, outdoor) public static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination

    It seems to me that network 192.168.1.0/24 is not configured from anywhere in your network. Therefore, the above 'nat' configuration seems useless, can be deleted. If I missed something and its use in then of course do not remove it.

    I suggest trying the changes related to VPN L2L first NAT0 configurations and test traffic. So who gets the work of connectivity, then you could consider changing other NAT configurations. There are other things that could be changed also in what concerns THAT static NAT servers but that probably better left for another time.

    Hope this makes any sense and has helped

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

Maybe you are looking for

  • On garageband how we loop?

    On garageband how we loop?

  • Browser IMAC?

    Hi, my Bank just to say that I need to update my browser before they let me new.   I think I got Mountain Lion, so I tried to upgrade to El Capitan, but it tells me that I need to have at least 2 GB. HELP Please!

  • Float

    Hello Ex: How do I round floating point data ' 0.45 ' to ' 0.4 ' or ' 0.5? Thank you

  • Cannot install my printer (hpdeskjetf4580) on my new computer laptop compaq presario cq57

    Original title: I am trying to install my printer (hpdeskjetf4580) on my new computer laptop compaq presario cq57 and work willnot installation disk and I downloaded all the driver and Assistant I can find am trying to install my printer (hpdeskjetf4

  • "Sleep" mode does not work.

    Original title: I am running windows xp home w/svc Pack3 I have my set screen under pwr options to close after 10 min., but it does not do so for the last day