--TEST-FW--

interface Ethernet1/2
 description Test wan
 speed 1000
 duplex full
 nameif wan
 security-level 90
 ip address 192.168.97.1 255.255.255.0
interface Ethernet1/3
 description Test Leased Line
 speed 1000
 duplex full
 nameif leased-line-vpn
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface Tunnel1
 description To Leased Line B-TEST-FW
 nameif tun1
 ip address 192.168.20.1 255.255.255.0
 tunnel source interface leased-line-vpn
 tunnel destination 192.168.10.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
interface Tunnel2
 description To TEST-wan B-TEST-FW
 nameif tun2
 ip address 192.168.19.1 255.255.255.0
 tunnel source interface wan
 tunnel destination 192.168.205.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

TEST-FW# sh crypto ipsec sa
interface: tun1
    Crypto map tag: __vti-crypto-map-5-0-1, seq num: 65280, local addr: 192.168.10.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.168.10.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.10.1/500, remote crypto endpt.: 192.168.10.2/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F20A94F6
      current inbound spi : A46CE6FB

    inbound esp sas:
      spi: 0xA46CE6FB (2758600443)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4682, crypto-map: __vti-crypto-map-5-0-1
         sa timing: remaining key lifetime (kB/sec): (4331520/1440)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xF20A94F6 (4060779766)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4682, crypto-map: __vti-crypto-map-5-0-1
         sa timing: remaining key lifetime (kB/sec): (4193280/1440)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

interface: tun2
    Crypto map tag: __vti-crypto-map-7-0-2, seq num: 65280, local addr: 192.168.97.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.168.205.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.97.1/500, remote crypto endpt.: 192.168.205.1/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: BB9B0505
      current inbound spi : 94AA0967

    inbound esp sas:
      spi: 0x94AA0967 (2494171495)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4690, crypto-map: __vti-crypto-map-7-0-2
         sa timing: remaining key lifetime (kB/sec): (4147200/3131)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xBB9B0505 (3147498757)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4690, crypto-map: __vti-crypto-map-7-0-2
         sa timing: remaining key lifetime (kB/sec): (3916800/3131)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Gateway of last resort is 192.168.97.2 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.97.2, wan
C    192.168.10.0 255.255.255.0 is directly connected, leased-line-vpn
L    192.168.10.1 255.255.255.255 is directly connected, leased-line-vpn
C    192.168.19.0 255.255.255.0 is directly connected, tun2
L    192.168.19.1 255.255.255.255 is directly connected, tun2
C    192.168.20.0 255.255.255.0 is directly connected, tun1
L    192.168.20.1 255.255.255.255 is directly connected, tun1
C    192.168.80.0 255.255.255.0 is directly connected, inside
L    192.168.80.1 255.255.255.255 is directly connected, inside
C    192.168.97.0 255.255.255.0 is directly connected, wan
L    192.168.97.1 255.255.255.255 is directly connected, wan

TEST-FW# packet-tracer input inside tcp 10.152.115.25 8888 192.168.205.11 22

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.97.2 using egress ifc wan

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-inside in interface inside
access-list acl-inside remark ##### MAINTENANCE SERVICES
access-list acl-inside remark CM2469, Implemented 2019-02-08
access-list acl-inside extended permit tcp object-group NET-ECC-WKS object-group NET-ALL-EXTERNAL-TESTENV-NETWORKS object-group SERVICE-NET-ACCESS-MAINT-TCP
object-group network NET-ECC-WKS
 network-object 10.152.115.0 255.255.255.0
object-group network NET-ALL-EXTERNAL-TESTENV-NETWORKS
 group-object NET-WAN
object-group service SERVICE-NET-ACCESS-MAINT-TCP tcp
 port-object eq ssh
 port-object eq 3389
 port-object eq 445
 port-object eq sqlnet
 port-object eq 1523
 port-object eq www
 port-object eq https
 port-object eq 3343
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32285850, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.97.2 using egress ifc wan

Phase: 10
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address d4ad.7114.a6f9 hits 11619366 reference 99

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: wan
output-status: up
output-line-status: up
Action: allow

--B-TEST-FW--

interface Ethernet1/2
 description Test wan
 speed 1000
 duplex full
 nameif wan
 security-level 90
 ip address 192.168.205.1 255.255.255.0
interface Ethernet1/3
 description Test Leased Line
 speed 1000
 duplex full
 nameif leased-line-vpn
 security-level 50
 ip address 192.168.10.2 255.255.255.0
interface Tunnel1
 description To Leased Line TEST-FW
 nameif tun1
 ip address 192.168.20.2 255.255.255.0
 tunnel source interface leased-line-vpn
 tunnel destination 192.168.10.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
interface Tunnel2
 description To TEST-wan TEST-FW
 nameif tun2
 ip address 192.168.19.2 255.255.255.0
 tunnel source interface wan
 tunnel destination 192.168.97.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

B-TEST-FW# sh crypto ipsec sa
interface: tun1
    Crypto map tag: __vti-crypto-map-9-0-1, seq num: 65280, local addr: 192.168.10.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.168.10.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.10.2/500, remote crypto endpt.: 192.168.10.1/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A46CE6FB
      current inbound spi : F20A94F6

    inbound esp sas:
      spi: 0xF20A94F6 (4060779766)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4705, crypto-map: __vti-crypto-map-9-0-1
         sa timing: remaining key lifetime (kB/sec): (4239360/26369)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xA46CE6FB (2758600443)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4705, crypto-map: __vti-crypto-map-9-0-1
         sa timing: remaining key lifetime (kB/sec): (4101120/26369)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

interface: tun2
    Crypto map tag: __vti-crypto-map-10-0-2, seq num: 65280, local addr: 192.168.205.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.168.97.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.205.1/500, remote crypto endpt.: 192.168.97.1/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 94AA0967
      current inbound spi : BB9B0505

    inbound esp sas:
      spi: 0xBB9B0505 (3147498757)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4714, crypto-map: __vti-crypto-map-10-0-2
         sa timing: remaining key lifetime (kB/sec): (3962880/28060)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x94AA0967 (2494171495)
         SA State: active
         transform: esp-aes-gcm-256 esp-null-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, VTI, }
         slot: 0, conn_id: 4714, crypto-map: __vti-crypto-map-10-0-2
         sa timing: remaining key lifetime (kB/sec): (4008960/28060)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Gateway of last resort is 192.168.205.2 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.205.2, wan
C    192.168.10.0 255.255.255.0 is directly connected, leased-line-vpn
L    192.168.10.2 255.255.255.255 is directly connected, leased-line-vpn
C    192.168.19.0 255.255.255.0 is directly connected, tun2
L    192.168.19.2 255.255.255.255 is directly connected, tun2
C    192.168.20.0 255.255.255.0 is directly connected, tun1
L    192.168.20.2 255.255.255.255 is directly connected, tun1
C    192.168.143.0 255.255.255.0 is directly connected, inside
L    192.168.143.1 255.255.255.255 is directly connected, inside
S    192.168.144.0 255.255.255.0 [1/0] via 192.168.143.2, inside
C    192.168.205.0 255.255.255.0 is directly connected, wan
L    192.168.205.1 255.255.255.255 is directly connected, wan

B-TEST-FW# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (any) source static NAT-192.168.144.11 192.168.205.11
    translate_hits = 3711, untranslate_hits = 138450