09-12-2013 07:42 AM - edited 03-11-2019 07:37 PM
I am pretty new to configuring ASAs.
I have a Site-to-Site VPN setup between two ASA 5505s.
The Tunnel is up and one side is sending but not receiving while the other is receiving but not sending under the VPN monitoring tab.
The ASA that is receiving is our Main Office and it is connected to several other ASAs that are working as expected.
The setup for this is pretty basic. Cable modem with Static IP to ASA. No switches.
This is the third day I've been looking at this, trying every troubleshooting step I can follow on the Cisco forums.
ANY help or direction would be greatly appreciated.
This is the running config of the new ASA
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password jkrpsRYtu8nSWLEb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 trinity
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.165 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 68.105.28.16
name-server 68.105.29.16
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0
access-list NO-NAT extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0
access-list 111 extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.168.245.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer xx.xx.xx.170
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.5-192.168.3.254 inside
dhcpd dns 68.105.28.16 68.105.29.16 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group xx.xx.xx.170 type ipsec-l2l
tunnel-group xx.xx.xx.170 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0813c1c5c45fef815e91cd7aebab0906
: end
asdm location trinity 255.255.255.0 inside
no asdm history enable
Let me know if I need to post the Main Office's running-config.
Thanks,
Mike
09-12-2013 07:49 AM
Hi,
I can't see any problems with this ASA configuration, so the problem is most likely on the Main Office ASA.
What you could try to do on the Main Office ASA is run the following command
packet-tracer input <interface> icmp 192.168.1.100 8 0 192.168.3.100
In the above command replace the <interface> with the actual name of the interface that has the network 192.168.1.0/24 behind it.
Run the "packet-tracer" command twice and copy/paste the second output here completely.
This might be related to NAT on the Main Office ASA.
- Jouni
09-12-2013 07:56 AM
Thank you for the quick response Jouni!
Result of the command: "packet-tracer input inside icmp 192.168.1.100 8 0 192.168.3.100"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])
translate_hits = 29541, untranslate_hits = 553
Additional Information:
Dynamic translate 192.168.1.100/0 to xx.xx.xx.170/28936 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 40508, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
09-12-2013 08:00 AM
Hi,
You are missing NAT0 configuration at least on the Main Office for the traffic between networks 192.168.1.0/24 and 192.168.3.0/24
So you probably have some existing NAT0 configuration on the Main Office that looks like this
nat (inside) 0 access-list <ACL name>
Now use the existing ACL name found in your configuration and add
access-list <ACL name> extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Or confirm if there is an existing line that might have some typo and correct it
Then you can try to test the connections again or run the "packet-tracer" again.
- Jouni
09-12-2013 08:17 AM
Pardon my ignorance Jouni, but I think I have that statement already entered.
Then again I did try 100 different things with NAT. I will show the part of the running config dealing with ACLs.
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging mail debugging
mtu inside 1500
mtu outside 1500
ip audit name IP_Attack attack action drop
ip audit name IP_Information info action alarm
ip audit interface inside IP_Information
ip audit interface inside IP_Attack
ip audit interface outside IP_Information
ip audit interface outside IP_Attack
ip audit signature 2000 disable
ip audit signature 2004 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.169 1
09-12-2013 08:22 AM
Hi,
Since you say that the L2L VPN is up but is not passing traffic in both directions, it would seem to indicate that the ACL in the "crypto map" statement is configured correctly between the Main Office and the New Site.
However, in the above configurations I can't see this configuration that would configure NAT0
nat (inside) 0 access-list inside_nat0_outbound
The "packet-tracer" output that you posted (if it was from the Main Office ASA) told us that the traffic was hitting the Dynamic PAT translation on the ASA rather than a NAT0 configuration which it should have for the L2L VPN to work between the 2 sites.
This is the Phase where the traffic hits the wrong NAT rule/configuration:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])
translate_hits = 29541, untranslate_hits = 553
Additional Information:
Dynamic translate 192.168.1.100/0 to xx.xx.xx.170/28936 using netmask 255.255.255.255
- Jouni
09-12-2013 08:56 AM
I added nat (inside) 0 access-list inside_nat0_outbound, then re-ran packet-tracer from the MAIN OFFICE.
Result of the command: "packet-tracer input inside icmp 192.168.1.100 8 0 192.168.3.100"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.1.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
NAT exempt
translate_hits = 7, untranslate_hits = 7
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])
translate_hits = 32370, untranslate_hits = 800
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
09-12-2013 09:01 AM
Hi,
Did you issue the same command twice and copy/paste the second output?
But from the above output we can already see that the correct NAT rule is matched and that the traffic matches the VPN configurations.
Have you tested actual traffic between the sites?
- Jouni
09-12-2013 09:14 AM
Yes, I actually ran it three times. Then re-ran it twice after you posted, with the same results. I have tried pinging across the network and tried connecting to a UNC path across the network with no luck. The VPN connection monitor is still showing traffic leaving (TX) but not receiving (RX) on the new ASA, and vice versa, receiving but not sending, on the main office. Though the 3 other active connections are sending and receiving.
09-12-2013 09:43 AM
I would point to this bug:
Configuration speaking we are good.
09-12-2013 10:04 AM
Hi,
I am not sure if the BugID that Julio mentions is the same one I ran into a year ago, but in that case the ASA suffering from the bug was a Failover pair and a simple change of the Active device corrected the problem.
I would imagine that a reboot would have also done the trick.
So if at all possible, I would suggest rebooting the ASA or, if you have a Failover, changing the Active device at the Main Office. Naturally this could be done at a time when there are minimal or no users on the network.
- Jouni
09-12-2013 10:32 AM
I just rebooted both the Main office and the new site ASA.
When the main office came back online, it instantly created 4 VPN tunnels that would receive but not send. I sent the command
nat (inside) 0 access-list inside_nat0_outbound
and they all started sending except for the new site. The new site is still only receiving on the main site.
09-12-2013 10:40 AM
Hi,
I only just noticed that you had posted about this same problem on the VPN section also.
What I noticed in those configurations is that you have multiple L2L VPN configurations that use the same ACL
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Network C
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer Network D Network E
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs group1
crypto map outside_map 7 set peer Network J
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs group1
crypto map outside_map 8 set peer Network K
crypto map outside_map 8 set transform-set ESP-3DES-SHA
Having 4x L2L VPN configurations with the same parameters is something that is very strange in this configuration. I would suggest removing any useless configurations from the Main Office.
It might well be the source of the problem. I have not seen any other problems in the configurations.
- Jouni
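The two faults worked through in this thread, crypto-map traffic that falls through to dynamic PAT because no nat 0 exemption covers it (the Phase 6 "nat (inside) 1" match in the first packet-tracer output), and several crypto map entries whose match ACLs are identical, can both be caught by a static check of the running-config before the tunnel is ever brought up. The script below is an added example written for this page, not code from the thread or from Cisco; it parses the ASA 8.2 "access-list ... extended permit ip", "nat (ifc) 0 access-list" and "crypto map ... match address" lines, and runs on a constructed sample config whose names, addresses and peers are made up to resemble the Main Office layout. Only the network/mask form of ACL entries shown in the thread is parsed.

```python
"""Lint a flat ASA 8.2-style running-config for two L2L VPN misconfigurations:
1. crypto-map ACL entries not covered by any nat 0 (NAT exempt) ACL, and
2. crypto map sequence numbers whose match ACLs carry identical permit lines.
Sample config constructed for this example; names and addresses are made up."""
import re
from collections import defaultdict

# Constructed sample modelled on the Main Office config in the thread, with
# the nat 0 ACL deliberately missing the 192.168.3.0/24 entry and crypto map
# sequences 1 and 2 both matching the same traffic.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 203.0.113.30
"""

# Only the "src mask dst mask" form used in the thread is recognised.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Return (acls, nat0_acls, cryptomaps) from a running-config text."""
    acls = defaultdict(list)   # ACL name -> list of (src, smask, dst, dmask)
    nat0_acls = set()          # ACL names referenced by a "nat (ifc) 0" statement
    cryptomaps = {}            # (map name, seq) -> match ACL name
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(tuple(m.group(2, 3, 4, 5)))
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(2))
        elif m := CMAP_RE.match(line):
            cryptomaps[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0_acls, cryptomaps


def missing_nat_exempt(config):
    """Crypto-map ACL entries with no identical entry in any nat 0 ACL.

    Such traffic is translated by dynamic PAT before it reaches the crypto
    map, so it never matches the tunnel. If the "nat (ifc) 0 access-list"
    statement itself is absent (as on the Main Office ASA in the thread),
    every crypto-map entry is reported."""
    acls, nat0_acls, cryptomaps = parse(config)
    exempt = {e for name in nat0_acls for e in acls.get(name, [])}
    return [(cmap, seq, acl, entry)
            for (cmap, seq), acl in sorted(cryptomaps.items())
            for entry in acls.get(acl, [])
            if entry not in exempt]


def duplicate_cryptomap_acls(config):
    """Groups of crypto map sequence numbers (same map) whose match ACLs
    contain exactly the same permit entries; only the lowest sequence can
    ever be selected, the rest are dead configuration."""
    acls, _, cryptomaps = parse(config)
    by_content = defaultdict(list)
    for (cmap, seq), acl in cryptomaps.items():
        by_content[(cmap, tuple(sorted(acls.get(acl, []))))].append(seq)
    return sorted(sorted(seqs) for seqs in by_content.values() if len(seqs) > 1)


if __name__ == "__main__":
    for cmap, seq, acl, (src, sm, dst, dm) in missing_nat_exempt(SAMPLE_CONFIG):
        print(f"{cmap} {seq}: {acl} {src}/{sm} -> {dst}/{dm} has no nat 0 exemption")
    for seqs in duplicate_cryptomap_acls(SAMPLE_CONFIG):
        print(f"crypto map entries {seqs} use identical match ACLs")
```

Feed it the output of "show running-config" saved to a file; the first report corresponds to what packet-tracer showed as the Phase 6 dynamic PAT match, and the second to the duplicate outside_1/2/7/8 cryptomap ACLs noted above.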
09-12-2013 10:45 AM
Hi,
Seems to me you could remove the VPN configurations with Priority 2, 7 and 8.
They seem to be identical to the one with Priority 1 to me.
- Jouni
09-12-2013 10:57 AM
I didn't even notice that...
I have cleared out all other entries I believe.
This is the new running config of the Main office.
Should I reboot the ASA since clearing the other entries?
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password jkrpsRYtu8nSWLEb encrypted
passwd jkrpsRYtu8nSWLEb encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.170 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging mail debugging
mtu inside 1500
mtu outside 1500
ip audit name IP_Information info action alarm
ip audit name IP_Attack attack action drop
ip audit interface inside IP_Information
ip audit interface inside IP_Attack
ip audit interface outside IP_Information
ip audit interface outside IP_Attack
ip audit signature 2000 disable
ip audit signature 2004 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.172.13.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer xx.xx.xx.184
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer xx.xx.xx.10
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer xx.xx.xx.197
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs group1
crypto map outside_map 6 set peer xx.xx.xx.106
crypto map outside_map 6 set transform-set ESP-3DES-SHA
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs group1
crypto map outside_map 8 set peer xx.xx.xx.165
crypto map outside_map 8 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username sparkhound password L7SKGsuWrrh9fFyb encrypted privilege 15
username admin password ew9az97L9PJabfIp encrypted privilege 15
tunnel-group xx.xx.xx.184 type ipsec-l2l
tunnel-group xx.xx.xx.184 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.10 type ipsec-l2l
tunnel-group xx.xx.xx.10 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.197 type ipsec-l2l
tunnel-group xx.xx.xx.197 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.106 type ipsec-l2l
tunnel-group xx.xx.xx.106 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.165 type ipsec-l2l
tunnel-group xx.xx.xx.165 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c791e5e7717d3f94a39f8e2e4459ba23
: end
no asdm history enable