topic Re: Advice on config in Network Security https://community.cisco.com/t5/network-security/advice-on-config/m-p/1093046#M975136 <HTML><HEAD></HEAD><BODY><P>ASA Version 7.1(2)</P><P>!</P><P>hostname ciscoasa</P><P>domain-name iesve.com</P><P>enable password encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.x.x local ip 255.255.255.248</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.12.1.1 255.255.0.0</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P> management-only</P><P>!</P><P>passwd encrypted</P><P>boot system disk0:/asa712-k8.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name iesve.com</P><P>same-security-traffic permit inter-interface</P><P>access-list inside_nat0_outbound extended permit ip 10.12.0.0 255.255.0.0 10.10.</P><P>0.0 255.255.0.0</P><P>access-list outside_cryptomap_20 extended permit ip 10.12.0.0 255.255.0.0 10.10.</P><P>0.0 255.255.0.0</P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffer-size 8192</P><P>logging buffered debugging</P><P>logging trap debugging</P><P>logging from-address <A href="mailto:ciscoboston@iesve.com">ciscoboston@iesve.com</A></P><P>logging recipient-address <A href="mailto:colin.mcadam@iesve.com">colin.mcadam@iesve.com</A> level errors</P><P>logging host inside 10.12.1.3</P><P>logging permit-hostdown</P><P>logging message 100000 level debugging</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>asdm image disk0:/asdm-512.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 101 interface</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>route outside 0.0.0.0 0.0.0.0 gateway address 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>http server enable</P><P>http 10.12.0.0 255.255.0.0 inside</P><P>http 192.168.1.0 255.255.255.0 management</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto map outside_map 20 match address outside_cryptomap_20</P><P>crypto map outside_map 20 set pfs</P><P>crypto map outside_map 20 set peer x.x.x.x remote ip</P><P>crypto map outside_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 20 set security-association lifetime seconds 82800</P><P>crypto map outside_map 20 set security-association lifetime kilobytes 2000000000</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp policy 30 authentication pre-share</P><P>isakmp policy 30 encryption 3des</P><P>isakmp policy 30 hash sha</P><P>isakmp policy 30 group 2</P><P>isakmp policy 30 lifetime 86400</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> isakmp keepalive threshold 60 retry 10</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> isakmp keepalive threshold 60 retry 10</P><P>tunnel-group 194.159.138.162 type ipsec-l2l</P><P>tunnel-group 194.159.138.162 ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 60 retry 10</P><P>telnet 10.12.1.0 255.255.255.0 inside</P><P>telnet timeout 15</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access management</P><P>dhcpd address 10.12.1.2-10.12.1.152 inside</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd dns 10.10.1.253 10.10.1.252</P><P>dhcpd wins 10.10.1.253</P><P>dhcpd lease 691200</P><P>dhcpd ping_timeout 500</P><P>dhcpd domain iesve.com</P><P>dhcpd option 252 ascii xxxxxxxxx</P><P>dhcpd enable inside</P><P>dhcpd enable management</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P>!</P><P>service-policy global_policy global</P><P>smtp-server 10.10.1.4</P><P>Cryptochecksum:xxx</P><P>: end</P></BODY></HTML> Fri, 05 Dec 2008 11:04:36 GMT cmgowcity 2008-12-05T11:04:36Z Advice on config https://community.cisco.com/t5/network-security/advice-on-config/m-p/1093045#M975134 <P>Could one of you excellent experts please cast your eye over the below config please. We have a site to site from this ASA back to our ISA server. It works but every day it goes down while the SAs are renogtiated and recently users are having to ping a host on the remote network before traffic will pass throught the tunnel. The tunnel doesn't drop ever and once they ping everything is ok...</P><P></P><P>Any advice is much appreciated</P><P></P><P>Thanks</P><P></P><P>Colin</P><P></P> Fri, 21 Feb 2020 11:09:07 GMT https://community.cisco.com/t5/network-security/advice-on-config/m-p/1093045#M975134 cmgowcity 2020-02-21T11:09:07Z Re: Advice on config https://community.cisco.com/t5/network-security/advice-on-config/m-p/1093046#M975136 <HTML><HEAD></HEAD><BODY><P>ASA Version 7.1(2)</P><P>!</P><P>hostname ciscoasa</P><P>domain-name iesve.com</P><P>enable password encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address x.x.x.x local ip 255.255.255.248</P><P>!</P><P>interface Ethernet0/1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 10.12.1.1 255.255.0.0</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface Management0/0</P><P> shutdown</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P> management-only</P><P>!</P><P>passwd encrypted</P><P>boot system disk0:/asa712-k8.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns server-group DefaultDNS</P><P> domain-name iesve.com</P><P>same-security-traffic permit inter-interface</P><P>access-list inside_nat0_outbound extended permit ip 10.12.0.0 255.255.0.0 10.10.</P><P>0.0 255.255.0.0</P><P>access-list outside_cryptomap_20 extended permit ip 10.12.0.0 255.255.0.0 10.10.</P><P>0.0 255.255.0.0</P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging buffer-size 8192</P><P>logging buffered debugging</P><P>logging trap debugging</P><P>logging from-address <A href="mailto:ciscoboston@iesve.com">ciscoboston@iesve.com</A></P><P>logging recipient-address <A href="mailto:colin.mcadam@iesve.com">colin.mcadam@iesve.com</A> level errors</P><P>logging host inside 10.12.1.3</P><P>logging permit-hostdown</P><P>logging message 100000 level debugging</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu management 1500</P><P>asdm image disk0:/asdm-512.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 101 interface</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 101 0.0.0.0 0.0.0.0</P><P>route outside 0.0.0.0 0.0.0.0 gateway address 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>http server enable</P><P>http 10.12.0.0 255.255.0.0 inside</P><P>http 192.168.1.0 255.255.255.0 management</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto map outside_map 20 match address outside_cryptomap_20</P><P>crypto map outside_map 20 set pfs</P><P>crypto map outside_map 20 set peer x.x.x.x remote ip</P><P>crypto map outside_map 20 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map 20 set security-association lifetime seconds 82800</P><P>crypto map outside_map 20 set security-association lifetime kilobytes 2000000000</P><P>crypto map outside_map interface outside</P><P>isakmp enable outside</P><P>isakmp policy 30 authentication pre-share</P><P>isakmp policy 30 encryption 3des</P><P>isakmp policy 30 hash sha</P><P>isakmp policy 30 group 2</P><P>isakmp policy 30 lifetime 86400</P><P>tunnel-group DefaultL2LGroup ipsec-attributes</P><P> isakmp keepalive threshold 60 retry 10</P><P>tunnel-group DefaultRAGroup ipsec-attributes</P><P> isakmp keepalive threshold 60 retry 10</P><P>tunnel-group 194.159.138.162 type ipsec-l2l</P><P>tunnel-group 194.159.138.162 ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive threshold 60 retry 10</P><P>telnet 10.12.1.0 255.255.255.0 inside</P><P>telnet timeout 15</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access management</P><P>dhcpd address 10.12.1.2-10.12.1.152 inside</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>dhcpd dns 10.10.1.253 10.10.1.252</P><P>dhcpd wins 10.10.1.253</P><P>dhcpd lease 691200</P><P>dhcpd ping_timeout 500</P><P>dhcpd domain iesve.com</P><P>dhcpd option 252 ascii xxxxxxxxx</P><P>dhcpd enable inside</P><P>dhcpd enable management</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P>!</P><P>service-policy global_policy global</P><P>smtp-server 10.10.1.4</P><P>Cryptochecksum:xxx</P><P>: end</P></BODY></HTML> Fri, 05 Dec 2008 11:04:36 GMT https://community.cisco.com/t5/network-security/advice-on-config/m-p/1093046#M975136 cmgowcity 2008-12-05T11:04:36Z