topic Re: ASA 5506-X 9.6 Problems routing specific destinations over second WAN in Network Security https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335746#M969877 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178747">@Flavio Miranda</a> wrote:<BR /> <P>&nbsp;</P> <P><SPAN>"What a want to accomplish is that all trafic which is sent to destinations 10.0.0.0/8 and 192.200.0.0/16 is sent over the WAN_PON Interface.&nbsp;all other internet trafic must be sent to the normal WAN."</SPAN></P> <P>&nbsp;</P> <P><SPAN>As per the config file, this is already ok.</SPAN></P> <P>&nbsp;</P> <P>route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1 &gt;&gt;&gt;&gt; This tell the firewall that everyhing to WAN</P> <P>route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1 &gt;&gt;&gt;&gt; This tell the firewall that network 10 must be sent to WAN_PON</P> <P>route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.168.4 must be sent to VLAN10&nbsp;</SPAN></P> <P>route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.200&nbsp; must be sent to WAN_PON</SPAN></P> <P>&nbsp;</P> <P><SPAN>"On the Branch Office, which is connected by an site-to-site VPN with the HQ, i also want to be able to access those networks at the WAN_PON Interface at the HQ."</SPAN></P> <P><SPAN>&nbsp;Considering you have those network permitted on your VPN policy, then, you need to add routing on the Branch Office to sent those traffic over the VPN.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>-If I helped you somehow, please, rate it as useful.-</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P><SPAN>First, thanks for pointing me in the direction. The first thing is indeed working.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Now the second: Help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P> <P><SPAN>The problem is that i can't figure out how to permitt those networks on the VPN Policy and adding the route on the branch office to sent those traffic over the VPN</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Feb 2018 10:00:29 GMT Robbert Tol 2018-02-22T10:00:29Z ASA 5506-X 9.6 Problems routing specific destinations over second WAN https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335562#M969875 <P>Hi there,</P> <P>&nbsp;</P> <P>I am an newby in Cisco ASA and before the customer had two Zyxel Firewall's which had any problems with the Site to site VPN's and the second WAN on the HQ Location.&nbsp;</P> <P>&nbsp;</P> <P>The problem is as follow:</P> <P>on the HQ, the ASA has two internal VLAN's (Production and Guest) and two WAN Interfaces.</P> <P>The First WAN Interface (name WAN) is for normal internet traffic and has also an Site to Site with the branche office. On the Second WAN Port (WAN_PON) is an DealerNetwork connected (kind of an intranet secured) on which serveral servers deliver apps and webservices.&nbsp;</P> <P>&nbsp;</P> <P>What a want to accomplish is that all trafic which is sent to destinations 10.0.0.0/8 and 192.200.0.0/16 is sent over the WAN_PON Interface.&nbsp;all other internet trafic must be sent to the normal WAN.</P> <P>&nbsp;</P> <P>On the Branch Office, which is connected by an site-to-site VPN with the HQ, i also want to be able to access those networks at the WAN_PON Interface at the HQ.</P> <P>&nbsp;</P> <P>I'm so sorry that i can't figure it out, so please help if you can.</P> <P>Below you find the config's of both ASA's. Both are running v9.6(4) software.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>&nbsp;</P> <P>Robbert</P> <P>&nbsp;</P> <P>HQ Config:</P> <P class="p1">&nbsp;</P> <P class="p2">hostname ASA5506X-VDL</P> <P class="p2">domain-name company.local</P> <P class="p2">enable password $sha512$5000$IvpLaK7wslmhXCYc77Z2Dg==$IMVR8WShj36y5fUcEe0Uqg== pbkdf2</P> <P class="p2">names</P> <P class="p2">no mac-address auto</P> <P class="p2">ip local pool VPN_DHCP_Pool 192.168.10.1-192.168.10.200 mask 255.255.255.0</P> <P class="p1">&nbsp;</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1</P> <P class="p2">description Inside LAN Interface ASA5506-X</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1.1</P> <P class="p2">description company VLAN10 Interface LAN Netwerk</P> <P class="p2">vlan 10</P> <P class="p2">nameif VLAN10</P> <P class="p2">security-level 100</P> <P class="p2">ip address 192.168.100.1 255.255.255.0</P> <P class="p2">policy-route route-map PON_MAP</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/1.2</P> <P class="p2">description company VLAN20 Interface Guest Netwerk</P> <P class="p2">vlan 20</P> <P class="p2">nameif VLAN20</P> <P class="p2">security-level 25</P> <P class="p2">ip address 192.168.250.1 255.255.255.0</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/2</P> <P class="p2">description WAN Interface Tele2 Fiber Internet</P> <P class="p2">speed 100</P> <P class="p2">duplex full</P> <P class="p2">nameif WAN</P> <P class="p2">security-level 0</P> <P class="p2">ip address 1.1.1.94 255.255.255.248</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/3</P> <P class="p2">description PON WAN Interface</P> <P class="p2">nameif WAN_PON</P> <P class="p2">security-level 0</P> <P class="p2">ip address 10.49.240.10 255.255.255.0</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/4</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/5</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/6</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/7</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface GigabitEthernet1/8</P> <P class="p2">shutdown</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">!</P> <P class="p2">interface Management1/1</P> <P class="p2">management-only</P> <P class="p2">no nameif</P> <P class="p2">no security-level</P> <P class="p2">no ip address</P> <P class="p2">boot system disk0:/asa964-lfbff-k8.SPA</P> <P class="p2">ftp mode passive</P> <P class="p2">dns domain-lookup VLAN10</P> <P class="p2">dns domain-lookup VLAN20</P> <P class="p2">dns domain-lookup WAN</P> <P class="p2">dns domain-lookup WAN_PON</P> <P class="p2">dns server-group DefaultDNS</P> <P class="p2">name-server 8.8.8.8</P> <P class="p2">name-server 8.8.4.4</P> <P class="p2">name-server 10.150.1.3</P> <P class="p2">name-server 192.168.100.21</P> <P class="p2">domain-name company.local</P> <P class="p2">same-security-traffic permit inter-interface</P> <P class="p2">same-security-traffic permit intra-interface</P> <P class="p2">object network Gonzo_LAN</P> <P class="p2">host 192.168.100.22</P> <P class="p2">description Microsoft Exchange 2010 Server company</P> <P class="p2">object network Gonzo_WAN</P> <P class="p2">host 1.1.1.90</P> <P class="p2">description Microsoft Exchange 2010 Server company WAN Address</P> <P class="p2">object network Gonzo_LAN_SMTP</P> <P class="p2">host 192.168.100.22</P> <P class="p2">object network Gonzo_LAN_HTTPS</P> <P class="p2">host 192.168.100.22</P> <P class="p2">object network Camera_LAN</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_WAN</P> <P class="p2">host 1.1.1.92</P> <P class="p2">object network Camera_LAN_554</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_LAN_8000</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Camera_LAN_8099</P> <P class="p2">host 192.168.100.10</P> <P class="p2">object network Hyper_LAN</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Hyper_WAN</P> <P class="p2">host 1.1.1.91</P> <P class="p2">object network Hyper_LAN_HTTPS</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Hyper_LAN_17990</P> <P class="p2">host 192.168.100.250</P> <P class="p2">object network Zoetermeer_LAN</P> <P class="p2">subnet 192.168.1.0 255.255.255.0</P> <P class="p2">object network Zoetermeer_WAN</P> <P class="p2">host 2.2.2.98</P> <P class="p2">object network VLAN10_Subnet</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">description VLAN10 company LAN Subnet</P> <P class="p2">object network VLAN20_Subnet</P> <P class="p2">subnet 192.168.250.0 255.255.255.0</P> <P class="p2">description VLAN20 company Guest Subnet</P> <P class="p2">object network NETWORK_OBJ_192.168.10.0_24</P> <P class="p2">subnet 192.168.10.0 255.255.255.0</P> <P class="p2">object network NETWORK_OBJ_192.168.100.0_24</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">object network PON_192_200_0_0</P> <P class="p2">subnet 192.200.0.0 255.255.0.0</P> <P class="p2">object network PON_10_0_0_0</P> <P class="p2">subnet 10.0.0.0 255.0.0.0</P> <P class="p2">object network VLAN10_PON</P> <P class="p2">subnet 192.168.100.0 255.255.255.0</P> <P class="p2">object-group service Gonzo_Services</P> <P class="p2">service-object tcp destination eq https</P> <P class="p2">service-object tcp destination eq smtp</P> <P class="p2">object-group service Camera_Services</P> <P class="p2">service-object tcp destination eq rtsp</P> <P class="p2">service-object tcp destination eq 8000</P> <P class="p2">service-object tcp destination eq 8099</P> <P class="p2">object-group service Hyper_Services</P> <P class="p2">service-object tcp destination eq https</P> <P class="p2">service-object tcp destination eq 17990</P> <P class="p2">object-group network PON_Network_Group</P> <P class="p2">network-object object PON_10_0_0_0</P> <P class="p2">network-object object PON_192_200_0_0</P> <P class="p2">access-list outside_inside extended permit icmp any any echo</P> <P class="p2">access-list outside_inside extended permit udp any any range 33434 33523</P> <P class="p2">access-list outside_inside extended permit icmp any any time-exceeded</P> <P class="p2">access-list outside_inside extended permit icmp any any source-quench</P> <P class="p2">access-list outside_inside extended permit icmp any any echo-reply</P> <P class="p2">access-list outside_inside extended permit icmp any any unreachable</P> <P class="p2">access-list outside_inside extended permit object-group Gonzo_Services any object Gonzo_LAN</P> <P class="p2">access-list outside_inside extended permit object-group Camera_Services any object Camera_LAN</P> <P class="p2">access-list outside_inside extended permit object-group Hyper_Services any object Hyper_LAN</P> <P class="p2">access-list outside_inside extended deny ip any any</P> <P class="p2">access-list ICMPACL extended permit icmp any any</P> <P class="p2">access-list outbound extended permit tcp host 192.168.100.22 any eq smtp</P> <P class="p2">access-list outbound extended deny tcp any any eq smtp</P> <P class="p2">access-list outbound extended permit ip any any</P> <P class="p2">access-list PON_Inside extended permit icmp any any echo</P> <P class="p2">access-list PON_Inside extended permit udp any any range 33434 33523</P> <P class="p2">access-list PON_Inside extended permit icmp any any time-exceeded</P> <P class="p2">access-list PON_Inside extended permit icmp any any source-quench</P> <P class="p2">access-list PON_Inside extended permit icmp any any echo-reply</P> <P class="p2">access-list PON_Inside extended permit icmp any any unreachable</P> <P class="p2">access-list Split_Tunnel standard permit 192.168.100.0 255.255.255.0</P> <P class="p2">access-list Split_Tunnel standard permit 192.168.4.0 255.255.255.0</P> <P class="p2">access-list WAN_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object Zoetermeer_LAN</P> <P class="p2">access-list ACL_PONNET standard permit 10.0.0.0 255.0.0.0</P> <P class="p2">pager lines 24</P> <P class="p2">logging enable</P> <P class="p2">logging asdm informational</P> <P class="p2">mtu VLAN10 1500</P> <P class="p2">mtu VLAN20 1500</P> <P class="p2">mtu WAN 1500</P> <P class="p2">mtu WAN_PON 1500</P> <P class="p2">icmp unreachable rate-limit 1 burst-size 1</P> <P class="p2">asdm image disk0:/asdm-791-151.bin</P> <P class="p2">no asdm history enable</P> <P class="p2">arp timeout 14400</P> <P class="p2">no arp permit-nonconnected</P> <P class="p2">arp rate-limit 16384</P> <P class="p2">nat (VLAN10,WAN) source static any any destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup</P> <P class="p2">nat (VLAN10,WAN) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Zoetermeer_LAN Zoetermeer_LAN no-proxy-arp route-lookup</P> <P class="p2">!</P> <P class="p2">object network Gonzo_LAN</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN</P> <P class="p2">object network Gonzo_LAN_SMTP</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN service tcp smtp smtp</P> <P class="p2">object network Gonzo_LAN_HTTPS</P> <P class="p2">nat (VLAN10,WAN) static Gonzo_WAN service tcp https https</P> <P class="p2">object network Camera_LAN_554</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp rtsp rtsp</P> <P class="p2">object network Camera_LAN_8000</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp 8000 8000</P> <P class="p2">object network Camera_LAN_8099</P> <P class="p2">nat (VLAN10,WAN) static Camera_WAN service tcp 8099 8099</P> <P class="p2">object network Hyper_LAN_HTTPS</P> <P class="p2">nat (VLAN10,WAN) static Hyper_WAN service tcp https https</P> <P class="p2">object network Hyper_LAN_17990</P> <P class="p2">nat (VLAN10,WAN) static Hyper_WAN service tcp 17990 17990</P> <P class="p2">object network VLAN10_Subnet</P> <P class="p2">nat (VLAN10,WAN) dynamic interface</P> <P class="p2">object network VLAN20_Subnet</P> <P class="p2">nat (VLAN20,WAN) static Camera_WAN</P> <P class="p2">object network VLAN10_PON</P> <P class="p2">nat (VLAN10,WAN_PON) static interface</P> <P class="p2">access-group outside_inside in interface WAN</P> <P class="p2">access-group PON_Inside in interface WAN_PON</P> <P class="p2">!</P> <P class="p2">route-map PON_MAP permit 10</P> <P class="p2">match ip address ACL_PONNET</P> <P class="p2">set interface WAN_PON</P> <P class="p2">set ip default next-hop 10.49.240.1</P> <P class="p1">&nbsp;</P> <P class="p2">!</P> <P class="p2">route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1</P> <P class="p2">route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1</P> <P class="p2">route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1</P> <P class="p2">route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1</P> <P class="p2">timeout xlate 3:00:00</P> <P class="p2">timeout pat-xlate 0:00:30</P> <P class="p2">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</P> <P class="p2">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P> <P class="p2">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P> <P class="p2">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P> <P class="p2">timeout tcp-proxy-reassembly 0:01:00</P> <P class="p2">timeout floating-conn 0:00:00</P> <P class="p2">timeout conn-holddown 0:00:15</P> <P class="p2">aaa-server Radius-Kermit protocol radius</P> <P class="p2">aaa-server Radius-Kermit (VLAN10) host 192.168.100.21</P> <P class="p2">key *****</P> <P class="p2">radius-common-pw vdL!nd3n2018?</P> <P class="p2">user-identity default-domain LOCAL</P> <P class="p2">aaa authentication ssh console LOCAL</P> <P class="p2">http server enable</P> <P class="p2">http 192.168.100.0 255.255.255.0 VLAN10</P> <P class="p2">no snmp-server location</P> <P class="p2">no snmp-server contact</P> <P class="p2">service sw-reset-button</P> <P class="p1">&nbsp;</P> <P class="p2">******* REMOVED CRYPTO LINES FOR LENGTH ********</P> <P class="p1">&nbsp;</P> <P class="p2">crypto ikev2 enable WAN client-services port 443</P> <P class="p2">crypto ikev2 remote-access trustpoint vpn_company-groep_nl</P> <P class="p2">crypto ikev1 enable WAN</P> <P class="p2">crypto ikev1 policy 10</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes-256</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 20</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes-256</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 40</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes-192</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 50</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes-192</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 70</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption aes</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 80</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption aes</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 100</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption 3des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 110</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption 3des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 130</P> <P class="p2">authentication pre-share</P> <P class="p2">encryption des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">crypto ikev1 policy 140</P> <P class="p2">authentication rsa-sig</P> <P class="p2">encryption des</P> <P class="p2">hash sha</P> <P class="p2">group 2</P> <P class="p2">lifetime 86400</P> <P class="p2">telnet timeout 5</P> <P class="p2">no ssh stricthostkeycheck</P> <P class="p2">ssh 192.168.100.0 255.255.255.0 VLAN10</P> <P class="p2">ssh timeout 5</P> <P class="p2">ssh cipher encryption all</P> <P class="p2">ssh key-exchange group dh-group1-sha1</P> <P class="p2">console timeout 0</P> <P class="p1">&nbsp;</P> <P class="p2">dhcpd dns 8.8.8.8 8.8.4.4</P> <P class="p2">!</P> <P class="p2">dhcpd address 192.168.250.10-192.168.250.200 VLAN20</P> <P class="p2">dhcpd enable VLAN20</P> <P class="p2">!</P> <P class="p2">threat-detection basic-threat</P> <P class="p2">threat-detection statistics access-list</P> <P class="p2">no threat-detection statistics tcp-intercept</P> <P class="p2">ssl trust-point vpn_company-groep_nl VLAN10</P> <P class="p2">ssl trust-point vpn_company-groep_nl VLAN20</P> <P class="p2">ssl trust-point vpn_company-groep_nl WAN</P> <P class="p2">ssl trust-point vpn_company-groep_nl WAN_PON</P> <P class="p2">webvpn</P> <P class="p2">enable WAN</P> <P class="p2">anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 1</P> <P class="p2">anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 2</P> <P class="p2">anyconnect profiles ASA5506-X_company_client_profile disk0:/ASA5506-X_company_client_profile.xml</P> <P class="p2">anyconnect enable</P> <P class="p2">tunnel-group-list enable</P> <P class="p2">cache</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>disable</P> <P class="p2">error-recovery disable</P> <P class="p2">group-policy "GroupPolicy_ASA5506-X company" internal</P> <P class="p2">group-policy "GroupPolicy_ASA5506-X company" attributes</P> <P class="p2">wins-server none</P> <P class="p2">dns-server value 192.168.100.21</P> <P class="p2">vpn-tunnel-protocol ikev2 ssl-client</P> <P class="p2">split-tunnel-policy excludespecified</P> <P class="p2">split-tunnel-network-list value Split_Tunnel</P> <P class="p2">default-domain value company.local</P> <P class="p2">webvpn</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>anyconnect profiles value ASA5506-X_company_client_profile type user</P> <P class="p2">group-policy GroupPolicy_2.2.2.98 internal</P> <P class="p2">group-policy GroupPolicy_2.2.2.98 attributes</P> <P class="p2">vpn-tunnel-protocol ikev1 ikev2</P> <P class="p2">dynamic-access-policy-record DfltAccessPolicy</P> <P class="p2">username admin password $sha512$5000$mXimwUYVhPk6HBnK+ct8NQ==$sj3JFxcM4u/aw/0LN3W9FQ== pbkdf2 privilege 15</P> <P class="p2">tunnel-group "ASA5506-X company" type remote-access</P> <P class="p2">tunnel-group "ASA5506-X company" general-attributes</P> <P class="p2">address-pool VPN_DHCP_Pool</P> <P class="p2">authentication-server-group Radius-Kermit</P> <P class="p2">default-group-policy "GroupPolicy_ASA5506-X company"</P> <P class="p2">tunnel-group "ASA5506-X company" webvpn-attributes</P> <P class="p2">group-alias "ASA5506-X company" enable</P> <P class="p2">tunnel-group 2.2.2.98 type ipsec-l2l</P> <P class="p2">tunnel-group 2.2.2.98 general-attributes</P> <P class="p2">default-group-policy GroupPolicy_2.2.2.98</P> <P class="p2">tunnel-group 2.2.2.98 ipsec-attributes</P> <P class="p2">ikev1 pre-shared-key *****</P> <P class="p2">ikev2 remote-authentication pre-shared-key *****</P> <P class="p2">ikev2 local-authentication pre-shared-key *****</P> <P class="p2">!</P> <P class="p2">class-map inspection_default</P> <P class="p2">match default-inspection-traffic</P> <P class="p2">!</P> <P class="p2">!</P> <P class="p2">policy-map type inspect dns preset_dns_map</P> <P class="p2">parameters</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>message-length maximum client auto</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>message-length maximum 512</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>no tcp-inspection</P> <P class="p2">policy-map global_policy</P> <P class="p2">class inspection_default</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect dns preset_dns_map</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect ftp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect h323 h225</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect h323 ras</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect rsh</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect rtsp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sqlnet</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect skinny</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sunrpc</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect xdmcp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sip</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect netbios</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect tftp</P> <P class="p2"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect ip-options</P> <P class="p2">!</P> <P class="p2">service-policy global_policy global</P> <P class="p2">prompt hostname context</P> <P class="p2">no call-home reporting anonymous</P> <P class="p2">Cryptochecksum:e6f9318f1bbd2d0e7efbbfcf31235c35</P> <P class="p2">&nbsp;</P> <P class="p2">ASA Branche Office</P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">ASA Version 9.6(4)</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">hostname ASA5506X-ZTM</SPAN></P> <P class="p2"><SPAN class="s1">domain-name company.local</SPAN></P> <P class="p2"><SPAN class="s1">enable password $sha512$5000$q37wopLLpi3FeO/gR9nBag==$iiYKD04GYsEvzb6hpHu6QQ== pbkdf2</SPAN></P> <P class="p2"><SPAN class="s1">names</SPAN></P> <P class="p2"><SPAN class="s1">no mac-address auto</SPAN></P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/1</SPAN></P> <P class="p2"><SPAN class="s1">description WAN Interface Address company Zoetermeer</SPAN></P> <P class="p2"><SPAN class="s1">nameif outside</SPAN></P> <P class="p2"><SPAN class="s1">security-level 0</SPAN></P> <P class="p2"><SPAN class="s1">ip address 6.6.6.98 255.255.255.252</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/2</SPAN></P> <P class="p2"><SPAN class="s1">description LAN Interface company Zoetermeer</SPAN></P> <P class="p2"><SPAN class="s1">nameif inside</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">ip address 192.168.1.254 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/3</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/4</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/5</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/6</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/7</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface GigabitEthernet1/8</SPAN></P> <P class="p2"><SPAN class="s1">shutdown</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">security-level 100</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">interface Management1/1</SPAN></P> <P class="p2"><SPAN class="s1">management-only</SPAN></P> <P class="p2"><SPAN class="s1">no nameif</SPAN></P> <P class="p2"><SPAN class="s1">no security-level</SPAN></P> <P class="p2"><SPAN class="s1">no ip address</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">boot system disk0:/asa964-lfbff-k8.SPA</SPAN></P> <P class="p2"><SPAN class="s1">ftp mode passive</SPAN></P> <P class="p2"><SPAN class="s1">dns domain-lookup outside</SPAN></P> <P class="p2"><SPAN class="s1">dns domain-lookup inside</SPAN></P> <P class="p2"><SPAN class="s1">dns server-group DefaultDNS</SPAN></P> <P class="p2"><SPAN class="s1">name-server 8.8.8.8 inside</SPAN></P> <P class="p2"><SPAN class="s1">name-server 192.168.100.21</SPAN></P> <P class="p2"><SPAN class="s1">name-server 8.8.4.4</SPAN></P> <P class="p2"><SPAN class="s1">domain-name company.local</SPAN></P> <P class="p2"><SPAN class="s1">same-security-traffic permit inter-interface</SPAN></P> <P class="p2"><SPAN class="s1">same-security-traffic permit intra-interface</SPAN></P> <P class="p2"><SPAN class="s1">object network Internal_LAN</SPAN></P> <P class="p2"><SPAN class="s1">subnet 192.168.1.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">object network Waddinxveen</SPAN></P> <P class="p2"><SPAN class="s1">subnet 192.168.100.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">description Waddinxveen Subnet HQ</SPAN></P> <P class="p2"><SPAN class="s1">object network NETWORK_OBJ_192.168.1.0_24</SPAN></P> <P class="p2"><SPAN class="s1">subnet 192.168.1.0 255.255.255.0</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any echo</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit udp any any range 33434 33523</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any time-exceeded</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any source-quench</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any echo-reply</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended permit icmp any any unreachable</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_inside extended deny ip any any</SPAN></P> <P class="p2"><SPAN class="s1">access-list ICMPACL extended permit icmp any any</SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended permit tcp host 192.168.100.22 any eq smtp</SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended deny tcp any any eq smtp</SPAN></P> <P class="p2"><SPAN class="s1">access-list outbound extended permit ip any any</SPAN></P> <P class="p2"><SPAN class="s1">access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Waddinxveen</SPAN></P> <P class="p2"><SPAN class="s1">pager lines 24</SPAN></P> <P class="p2"><SPAN class="s1">logging asdm informational</SPAN></P> <P class="p2"><SPAN class="s1">mtu outside 1500</SPAN></P> <P class="p2"><SPAN class="s1">mtu inside 1500</SPAN></P> <P class="p2"><SPAN class="s1">icmp unreachable rate-limit 1 burst-size 1</SPAN></P> <P class="p2"><SPAN class="s1">asdm image disk0:/asdm-791-151.bin</SPAN></P> <P class="p2"><SPAN class="s1">no asdm history enable</SPAN></P> <P class="p2"><SPAN class="s1">arp timeout 14400</SPAN></P> <P class="p2"><SPAN class="s1">arp permit-nonconnected</SPAN></P> <P class="p2"><SPAN class="s1">arp rate-limit 8192</SPAN></P> <P class="p2"><SPAN class="s1">nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Waddinxveen Waddinxveen no-proxy-arp route-lookup</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">object network Internal_LAN</SPAN></P> <P class="p2"><SPAN class="s1">nat (inside,outside) dynamic interface</SPAN></P> <P class="p2"><SPAN class="s1">access-group outside_inside in interface outside</SPAN></P> <P class="p2"><SPAN class="s1">route outside 0.0.0.0 0.0.0.0 6.6.6.97 1</SPAN></P> <P class="p2"><SPAN class="s1">timeout xlate 3:00:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout pat-xlate 0:00:30</SPAN></P> <P class="p2"><SPAN class="s1">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</SPAN></P> <P class="p2"><SPAN class="s1">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</SPAN></P> <P class="p2"><SPAN class="s1">timeout tcp-proxy-reassembly 0:01:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout floating-conn 0:00:00</SPAN></P> <P class="p2"><SPAN class="s1">timeout conn-holddown 0:00:15</SPAN></P> <P class="p2"><SPAN class="s1">user-identity default-domain LOCAL</SPAN></P> <P class="p2"><SPAN class="s1">aaa authentication ssh console LOCAL</SPAN></P> <P class="p2"><SPAN class="s1">http server enable</SPAN></P> <P class="p2"><SPAN class="s1">http 192.168.1.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">http 192.168.100.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">no snmp-server location</SPAN></P> <P class="p2"><SPAN class="s1">no snmp-server contact</SPAN></P> <P class="p2"><SPAN class="s1">service sw-reset-button</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal DES</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp encryption des</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal 3DES</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp encryption aes</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES192</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec ikev2 ipsec-proposal AES256</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1">protocol esp integrity sha-1 md5</SPAN></P> <P class="p2"><SPAN class="s1">crypto ipsec security-association pmtu-aging infinite</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 match address outside_cryptomap</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set peer 62.177.202.94</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</SPAN></P> <P class="p2"><SPAN class="s1">crypto map outside_map interface outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ca trustpool policy</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 1</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1">integrity sha</SPAN></P> <P class="p2"><SPAN class="s1">group 5 2</SPAN></P> <P class="p2"><SPAN class="s1">prf sha</SPAN></P> <P class="p2"><SPAN class="s1">lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 10</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1">integrity sha</SPAN></P> <P class="p2"><SPAN class="s1">group 5 2</SPAN></P> <P class="p2"><SPAN class="s1">prf sha</SPAN></P> <P class="p2"><SPAN class="s1">lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 20</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes</SPAN></P> <P class="p2"><SPAN class="s1">integrity sha</SPAN></P> <P class="p2"><SPAN class="s1">group 5 2</SPAN></P> <P class="p2"><SPAN class="s1">prf sha</SPAN></P> <P class="p2"><SPAN class="s1">lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 30</SPAN></P> <P class="p2"><SPAN class="s1">encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1">integrity sha</SPAN></P> <P class="p2"><SPAN class="s1">group 5 2</SPAN></P> <P class="p2"><SPAN class="s1">prf sha</SPAN></P> <P class="p2"><SPAN class="s1">lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 policy 40</SPAN></P> <P class="p2"><SPAN class="s1">encryption des</SPAN></P> <P class="p2"><SPAN class="s1">integrity sha</SPAN></P> <P class="p2"><SPAN class="s1">group 5 2</SPAN></P> <P class="p2"><SPAN class="s1">prf sha</SPAN></P> <P class="p2"><SPAN class="s1">lifetime seconds 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev2 enable outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 enable outside</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 10</SPAN></P> <P class="p2"><SPAN class="s1">authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 20</SPAN></P> <P class="p2"><SPAN class="s1">authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-256</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 40</SPAN></P> <P class="p2"><SPAN class="s1">authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 50</SPAN></P> <P class="p2"><SPAN class="s1">authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes-192</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 70</SPAN></P> <P class="p2"><SPAN class="s1">authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 80</SPAN></P> <P class="p2"><SPAN class="s1">authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1">encryption aes</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 100</SPAN></P> <P class="p2"><SPAN class="s1">authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1">encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 110</SPAN></P> <P class="p2"><SPAN class="s1">authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1">encryption 3des</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 130</SPAN></P> <P class="p2"><SPAN class="s1">authentication pre-share</SPAN></P> <P class="p2"><SPAN class="s1">encryption des</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">crypto ikev1 policy 140</SPAN></P> <P class="p2"><SPAN class="s1">authentication rsa-sig</SPAN></P> <P class="p2"><SPAN class="s1">encryption des</SPAN></P> <P class="p2"><SPAN class="s1">hash sha</SPAN></P> <P class="p2"><SPAN class="s1">group 2</SPAN></P> <P class="p2"><SPAN class="s1">lifetime 86400</SPAN></P> <P class="p2"><SPAN class="s1">telnet timeout 5</SPAN></P> <P class="p2"><SPAN class="s1">no ssh stricthostkeycheck</SPAN></P> <P class="p2"><SPAN class="s1">ssh 192.168.1.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">ssh 192.168.100.0 255.255.255.0 inside</SPAN></P> <P class="p2"><SPAN class="s1">ssh timeout 5</SPAN></P> <P class="p2"><SPAN class="s1">ssh cipher encryption all</SPAN></P> <P class="p2"><SPAN class="s1">ssh key-exchange group dh-group1-sha1</SPAN></P> <P class="p2"><SPAN class="s1">console timeout 0</SPAN></P> <P class="p1">&nbsp;</P> <P class="p2"><SPAN class="s1">dhcpd address 192.168.1.100-192.168.1.225 inside</SPAN></P> <P class="p2"><SPAN class="s1">dhcpd dns 192.168.100.21 8.8.8.8 interface inside</SPAN></P> <P class="p2"><SPAN class="s1">dhcpd enable inside</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">threat-detection basic-threat</SPAN></P> <P class="p2"><SPAN class="s1">threat-detection statistics access-list</SPAN></P> <P class="p2"><SPAN class="s1">no threat-detection statistics tcp-intercept</SPAN></P> <P class="p2"><SPAN class="s1">group-policy GroupPolicy_62.177.202.94 internal</SPAN></P> <P class="p2"><SPAN class="s1">group-policy GroupPolicy_62.177.202.94 attributes</SPAN></P> <P class="p2"><SPAN class="s1">vpn-tunnel-protocol ikev1 ikev2</SPAN></P> <P class="p2"><SPAN class="s1">dynamic-access-policy-record DfltAccessPolicy</SPAN></P> <P class="p2"><SPAN class="s1">username admin password $sha512$5000$XJhfzyR/fvZjzfGSUQEdwA==$N5789JoSOE9DfuSXz6HO9Q== pbkdf2 privilege 15</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 type ipsec-l2l</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 general-attributes</SPAN></P> <P class="p2"><SPAN class="s1">default-group-policy GroupPolicy_62.177.202.94</SPAN></P> <P class="p2"><SPAN class="s1">tunnel-group 62.177.202.94 ipsec-attributes</SPAN></P> <P class="p2"><SPAN class="s1">ikev1 pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1">ikev2 remote-authentication pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1">ikev2 local-authentication pre-shared-key *****</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">class-map inspection_default</SPAN></P> <P class="p2"><SPAN class="s1">match default-inspection-traffic</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">policy-map type inspect dns preset_dns_map</SPAN></P> <P class="p2"><SPAN class="s1">parameters</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>message-length maximum client auto</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>message-length maximum 512</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>no tcp-inspection</SPAN></P> <P class="p2"><SPAN class="s1">policy-map global_policy</SPAN></P> <P class="p2"><SPAN class="s1">class inspection_default</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect dns preset_dns_map</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect ftp</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect h323 h225</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect h323 ras</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect rsh</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect rtsp</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sqlnet</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect skinny&nbsp;</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sunrpc</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect xdmcp</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect sip&nbsp;</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect netbios</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect tftp</SPAN></P> <P class="p2"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp;<SPAN>&nbsp;</SPAN></SPAN>inspect ip-options</SPAN></P> <P class="p2"><SPAN class="s1">!</SPAN></P> <P class="p2"><SPAN class="s1">service-policy global_policy global</SPAN></P> <P class="p2"><SPAN class="s1">prompt hostname context</SPAN></P> <P class="p2"><SPAN class="s1">no call-home reporting anonymous</SPAN></P> <P class="p2"><SPAN class="s1">Cryptochecksum:32c6a0af3e4f1738ea72b27db186581f</SPAN></P> Fri, 21 Feb 2020 15:23:46 GMT https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335562#M969875 Robbert Tol 2020-02-21T15:23:46Z Re: ASA 5506-X 9.6 Problems routing specific destinations over second WAN https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335584#M969876 <P>&nbsp;</P> <P><SPAN>"What a want to accomplish is that all trafic which is sent to destinations 10.0.0.0/8 and 192.200.0.0/16 is sent over the WAN_PON Interface.&nbsp;all other internet trafic must be sent to the normal WAN."</SPAN></P> <P>&nbsp;</P> <P><SPAN>As per the config file, this is already ok.</SPAN></P> <P>&nbsp;</P> <P>route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1 &gt;&gt;&gt;&gt; This tell the firewall that everyhing to WAN</P> <P>route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1 &gt;&gt;&gt;&gt; This tell the firewall that network 10 must be sent to WAN_PON</P> <P>route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.168.4 must be sent to VLAN10&nbsp;</SPAN></P> <P>route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.200&nbsp; must be sent to WAN_PON</SPAN></P> <P>&nbsp;</P> <P><SPAN>"On the Branch Office, which is connected by an site-to-site VPN with the HQ, i also want to be able to access those networks at the WAN_PON Interface at the HQ."</SPAN></P> <P><SPAN>&nbsp;Considering you have those network permitted on your VPN policy, then, you need to add routing on the Branch Office to sent those traffic over the VPN.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>-If I helped you somehow, please, rate it as useful.-</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Feb 2018 03:29:59 GMT https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335584#M969876 Flavio Miranda 2018-02-22T03:29:59Z Re: ASA 5506-X 9.6 Problems routing specific destinations over second WAN https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335746#M969877 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/178747">@Flavio Miranda</a> wrote:<BR /> <P>&nbsp;</P> <P><SPAN>"What a want to accomplish is that all trafic which is sent to destinations 10.0.0.0/8 and 192.200.0.0/16 is sent over the WAN_PON Interface.&nbsp;all other internet trafic must be sent to the normal WAN."</SPAN></P> <P>&nbsp;</P> <P><SPAN>As per the config file, this is already ok.</SPAN></P> <P>&nbsp;</P> <P>route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1 &gt;&gt;&gt;&gt; This tell the firewall that everyhing to WAN</P> <P>route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1 &gt;&gt;&gt;&gt; This tell the firewall that network 10 must be sent to WAN_PON</P> <P>route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.168.4 must be sent to VLAN10&nbsp;</SPAN></P> <P>route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1<SPAN>&gt;&gt;&gt;&gt; This tell the firewall that network 192.200&nbsp; must be sent to WAN_PON</SPAN></P> <P>&nbsp;</P> <P><SPAN>"On the Branch Office, which is connected by an site-to-site VPN with the HQ, i also want to be able to access those networks at the WAN_PON Interface at the HQ."</SPAN></P> <P><SPAN>&nbsp;Considering you have those network permitted on your VPN policy, then, you need to add routing on the Branch Office to sent those traffic over the VPN.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>-If I helped you somehow, please, rate it as useful.-</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P><SPAN>First, thanks for pointing me in the direction. The first thing is indeed working.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Now the second: Help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P> <P><SPAN>The problem is that i can't figure out how to permitt those networks on the VPN Policy and adding the route on the branch office to sent those traffic over the VPN</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Feb 2018 10:00:29 GMT https://community.cisco.com/t5/network-security/asa-5506-x-9-6-problems-routing-specific-destinations-over/m-p/3335746#M969877 Robbert Tol 2018-02-22T10:00:29Z