Cisco ASA 5550 and 5505 Site to Site VPN

IrishMann
Level 1

Hello All.

Looking for some help with a S2S VPN tunnel.

Phase 1 is up but I am unable to pass traffic; I can't seem to find the issue. Here are my configurations, any assistance would be helpful.

Here is my spoke ASA 5505 config.

ASA Version 8.2(5)
!
hostname BL-CS-5505-01
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network 192.168.1.0-inside_network
network-object 192.168.1.0 255.255.255.0
object-group network 10.11.2.0-remote_network
network-object 10.11.2.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_cryptomap extended permit ip object-group 192.168.1.0-inside_network object-group 10.11.2.0-remote_network
access-list inside_access_in extended permit tcp host 192.168.1.150 any eq ssh
access-list inside_nat0_outbound extended permit ip object-group 192.168.1.0-inside_network object-group 10.11.2.0-remote_network
access-list outside_access_in extended permit ip object-group 10.11.2.0-remote_network 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP host 10.11.2.150 eq echo host 192.168.1.150 eq echo inactive
access-list outside_access_in extended permit icmp host 10.11.2.150 host 192.168.1.150 echo inactive
access-list outside_access_in extended permit ip 10.11.0.0 255.255.255.0 any
access-list inside_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 10.11.2.0 255.255.255.0 96.63.37.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 207.189.212.202 255.255.255.255 outside
http 192.168.1.150 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
timeout 500
frequency 3
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set tset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs group1
crypto map outside_map0 1 set peer 207.189.212.202
crypto map outside_map0 1 set transform-set tset
crypto map outside_map0 1 set phase1-mode aggressive group1
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 207.189.212.202 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.11.2.150 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
username columbia password .IC6FYBZwDZiZZh8 encrypted privilege 15
tunnel-group 207.189.212.202 type ipsec-l2l
tunnel-group 207.189.212.202 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8c1775901311d5815e463d97237f907f
: end

Here is my hub ASA 5550 config.

ASA Version 9.1(7)16
!
hostname CS-AW-ASA5550-02
domain-name cic-totalcare.com
enable password QhxeRK/TwLjU2sKU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool CCHA_pool1 192.168.69.33-192.168.69.46 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 207.189.212.202 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.5 255.255.255.252
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif Management
security-level 50
ip address 10.11.2.250 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
!
time-range Enablefrom8amto4pm
periodic weekdays 8:00 to 15:59
!
banner login Access to this unit is strictly forbidden to the CIC technical staff only.
banner login
banner login All access and changes are logged for security and audit reasons.
banner asdm Access to this unit is strictly forbidden to the CIC technical staff only.
banner asdm
banner asdm All access and changes are logged for security and audit reasons.
boot system disk0:/asa917-16-k8.bin
boot system disk0:/asa845-k8.bin
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.11.2.150
name-server 10.11.2.65
domain-name cic-totalcare.com
same-security-traffic permit inter-interface
object network 172.21-net
subnet 172.21.0.0 255.255.0.0
object network 10-net
subnet 10.0.0.0 255.0.0.0
description 10.x.x.x
object service http_service
service tcp destination eq www
object service https_service
service tcp destination eq https
object network 172.16-net
subnet 172.16.0.0 255.255.0.0
description Columbia_InterimServers_Network
object network columbia_webserver
host 172.16.2.20
object network columbia_webserver-ftp
host 172.16.2.20
object network columbia-webserver-https
host 172.16.2.20
object network columbia-webserver-ssh
host 172.16.2.20
object network columbia-webserver-10200
host 172.16.2.20
object network columbia-webserver-10201
host 172.16.2.20
object network columbia-webserver-10202
host 172.16.2.20
object network columbia-webserver-10203
host 172.16.2.20
object network columbia-webserver-10204
host 172.16.2.20
object network columbia-webserver-10205
host 10.11.2.65
object network columbia-webserver-10206
host 172.16.2.20
object network columbia-webserver-10207
host 172.16.2.20
object network columbia-webserver-10208
host 172.16.2.20
object network columbia-webserver-10209
host 172.16.2.20
object network columbia-Linden_VPN-10152tcp
host 172.16.2.61
object network columbia-mail-external-dyn
host 172.16.2.15
object network int_mail_server
host 172.16.2.15
object network mail_server
host 74.112.42.245
object network server-net-172-16
subnet 172.16.0.0 255.255.0.0
object network columbia-webserver-dyn
host 172.16.2.20
object network columbia-vpnserver-dyn
host 172.16.2.61
object network columbia-mail-internal-dyn
host 172.16.2.30
object network AW_public_WLAN
subnet 172.20.0.0 255.255.0.0
description Ansliewood public wireless
object network MB_public_WLAN
subnet 172.22.0.0 255.255.0.0
description Maple Building public wireless
object network 172.26-net
subnet 172.26.0.0 255.255.0.0
description PG Public WiFi
object network 172.24-net
subnet 172.24.0.0 255.255.0.0
description LH-Public Wifi
object network 172.25-net-PH_PUB_WIFI
subnet 172.25.0.0 255.255.0.0
description PH PUBLIC WIFI
object network 172.23-net
subnet 172.23.0.0 255.255.0.0
description OH-WiFi-Public
object network 172.27-net
subnet 172.27.0.0 255.255.0.0
description AH Public Wifi
object network 172.28-net
subnet 172.28.0.0 255.255.0.0
description Cedar Building
object network 74.112.41.247
host 74.112.41.247
object network Hermes
host 10.11.2.156
description kolab server
object network CCHA_pool1_nonat
subnet 192.168.69.32 255.255.255.240
description Remote_to_Site_VPN_NO_NAT
object network 172.16-255.240-net
subnet 172.16.0.0 255.240.0.0
object network webmail-https
host 10.11.2.156
object network webmail-mail-587
host 10.11.2.186
object network webmail-smtp
host 10.11.2.186
object network PerfectMai--Outbound
host 10.11.2.186
object network eRequesterDev
host 10.11.2.111
object network CICACCTNG5
host 10.11.2.152
object network BarkLakeWebSvr
host 10.11.2.145
object network foxtrot
host 10.11.2.180
object network columbia-webchat-http
host 10.11.2.180
object network columbia-webchat-https
host 10.11.2.180
object network charlie
host 10.11.2.160
description cic production web server
object network columbia-production-web-http
host 10.11.2.160
object network columbia-production-web-https
host 10.11.2.160
object network Production-webserver
host 10.11.2.160
object network Production-webchat
host 10.11.2.180
object network cicvrmswebp1-https
host 10.11.2.170
object network cicvrmswebp1
host 10.11.2.170
object network BarkLakeWebServer
host 10.11.2.145
description BarkLake Web Server
object network 10.11.2.32
host 10.11.2.32
object network HTTPS-EXCHANGE
host 10.11.2.181
description MY MAIL
object network https-Exchange
host 10.11.2.181
object network smtp-Exchange
host 10.11.2.181
object network smtps-Exchange
host 10.11.2.181
object network PerfectMail
host 10.11.2.186
object network cicvmx1
host 10.11.2.181
object network cicvmx2
host 10.11.2.182
object network BarkLakeWeb
host 10.11.2.145
object network CICVDC1
host 10.11.2.150
object network CICVDC2
host 10.11.2.65
object network STUDENTDNS
host 10.11.102.60
object network cicvrmswebappp1-4430
host 10.11.2.170
object network 10.11.2.172
host 10.11.2.172
object network TestRMSConfModule
host 10.11.2.172
object network Longwood-DSL-VPN
host 172.16.2.61
object network ExchangeVMX1--Outside
host 10.11.2.181
object network Sage300Prod
host 10.11.2.131
object network Sage300ProdNAT
host 10.11.2.131
object network CICVADMINP1
host 10.11.2.154
object network NETWORK_OBJ_10.11.2.0_24
subnet 10.11.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network 10.11.2.155
host 10.11.2.155
description ftp from Ottawa
object network CICVFS1External
host 10.11.2.155
object network BLWebSvr443
host 10.11.2.145
object network ExchangeVMX2--Outside
host 10.11.2.182
object network NETWORK_OBJ_10.121.0.0_16
subnet 10.121.0.0 255.255.0.0
object-group service DM_INLINE_SERVICE_5
service-object tcp destination eq ftp
service-object udp destination eq tftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq 10200
service-object tcp destination eq 10201
service-object tcp destination eq 10202
service-object tcp destination eq 10203
service-object tcp destination eq 10204
service-object tcp destination eq 10205
service-object tcp destination eq 10206
service-object tcp destination eq 10207
service-object tcp destination eq 10208
service-object tcp destination eq 10209
service-object tcp destination eq 8014
object-group service Columbia_Webserver
service-object object http_service
service-object object https_service
object-group network MailServers
network-object object PerfectMail
network-object object cicvmx1
network-object object cicvmx2
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
port-object eq 4430
object-group service DM_INLINE_TCP_8 tcp
port-object eq 587
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq ssh
port-object eq 12322
port-object eq 2222
port-object eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq 4443
port-object eq 8080
port-object eq https
object-group network Internal_DNS_Servers
network-object host 10.11.102.60
network-object host 10.11.2.150
network-object host 10.11.2.65
network-object host 10.11.2.60
object-group service DM_INLINE_TCP_2 tcp
port-object eq 587
port-object eq smtp
object-group network DM_INLINE_NETWORK_1
network-object 10.11.0.0 255.255.255.0
network-object 10.11.2.0 255.255.255.0
network-object 10.10.16.0 255.255.255.0
network-object 10.12.0.0 255.255.255.0
network-object 10.11.30.0 255.255.255.0
object-group network OttawaFTPAccess
description eSchool
network-object host 104.200.15.204
network-object host 23.239.28.28
network-object host 23.239.38.28
network-object host 52.0.118.224
network-object host 52.3.100.241
network-object host 99.249.188.21

object-group network BarkLake
network-object 192.168.1.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list split_tunnel_list standard permit 10.0.0.0 255.0.0.0
access-list split_tunnel_list standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.11.2.0 255.255.255.0 10.41.0.0 255.255.255.0
access-list insode_access_out extended permit tcp object-group MailServers any eq smtp
access-list outside_access_in extended permit tcp any object PerfectMail object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object columbia-production-web-http eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any host 172.16.2.20
access-list outside_access_in extended permit tcp any object foxtrot object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp object-group OttawaFTPAccess object 10.11.2.155 eq ftp
access-list outside_access_in extended permit tcp any host 10.11.2.170 object-group DM_INLINE_TCP_6
access-list outside_access_in extended permit tcp any object charlie object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit tcp any object Hermes eq https
access-list outside_access_in extended permit tcp any object BarkLakeWebServer object-group DM_INLINE_TCP_7
access-list outside_access_in extended permit tcp any object HTTPS-EXCHANGE object-group DM_INLINE_TCP_8
access-list outside_access_in extended permit tcp any object 10.11.2.32 eq ssh
access-list outside_access_in extended permit tcp any host 10.11.2.172 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object eRequesterDev eq www
access-list outside_access_in extended permit tcp any object Sage300Prod eq 3389
access-list outside_access_in extended permit tcp any host 172.16.2.61 eq 10155
access-list global_mpc extended permit ip any any
access-list inside_access_out extended permit tcp object-group MailServers any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit tcp object-group Internal_DNS_Servers any eq domain
access-list inside_access_out extended deny tcp any any eq domain
access-list inside_access_out extended permit ip any any
access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.11.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.11.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_4 extended permit ip 10.11.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_5 extended permit ip 10.11.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 10.11.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging emblem
logging list tcp-conn-string level emergencies
logging list tcp-conn-string message 302013-302018
logging list My_Critical_Messages level critical
logging list My_Critical_Messages message 611101-611323
logging buffer-size 10000
logging console My_Critical_Messages
logging buffered debugging
logging trap errors
logging asdm debugging
logging mail My_Critical_Messages
logging from-address asa5520@cic-totalcare.com
logging recipient-address ctennyson@cic-totalcare.com level emergencies
logging host inside 10.11.2.168
logging debug-trace
flow-export destination inside 10.11.2.168 2055
flow-export template timeout-rate 1
mtu outside 1500
mtu inside 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static CCHA_pool1_nonat CCHA_pool1_nonat destination static 10-net 10-net no-proxy-arp route-lookup
nat (outside,inside) source static CCHA_pool1_nonat CCHA_pool1_nonat destination static 172.16-255.240-net 172.16-255.240-net no-proxy-arp route-lookup
nat (outside,outside) source static BarkLake BarkLake destination static BarkLake BarkLake
nat (inside,outside) source static NETWORK_OBJ_10.11.2.0_24 NETWORK_OBJ_10.11.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network columbia_webserver
nat (inside,outside) static 207.189.212.213 service tcp www www
object network columbia_webserver-ftp
nat (inside,outside) static 207.189.212.213 service tcp ftp ftp
object network columbia-webserver-https
nat (inside,outside) static 207.189.212.213 service tcp https https
object network columbia-webserver-ssh
nat (inside,outside) static 207.189.212.213 service tcp ssh ssh
object network columbia-webserver-10200
nat (inside,outside) static 207.189.212.213 service tcp 10200 10200
object network columbia-webserver-10201
nat (inside,outside) static 207.189.212.213 service tcp 10201 10201
object network columbia-webserver-10202
nat (inside,outside) static 207.189.212.213 service tcp 10202 10202
object network columbia-webserver-10203
nat (inside,outside) static 207.189.212.213 service tcp 10203 10203
object network columbia-webserver-10204
nat (inside,outside) static 207.189.212.213 service tcp 10204 10204
object network columbia-webserver-10205
nat (inside,outside) static 207.189.212.213 service tcp ssh 10205
object network columbia-webserver-10206
nat (inside,outside) static 207.189.212.213 service tcp 10206 10206
object network columbia-webserver-10207
nat (inside,outside) static 207.189.212.213 service tcp 10207 10207
object network columbia-webserver-10208
nat (inside,outside) static 207.189.212.213 service tcp 10208 10208
object network columbia-webserver-10209
nat (inside,outside) static 207.189.212.213 service tcp 10209 10209
object network columbia-mail-external-dyn
nat (inside,outside) dynamic 207.189.212.215
object network server-net-172-16
nat (inside,outside) dynamic interface
object network columbia-webserver-dyn
nat (inside,outside) dynamic 207.189.212.213
object network columbia-vpnserver-dyn
nat (inside,outside) dynamic 207.189.212.216
object network columbia-mail-internal-dyn
nat (inside,outside) dynamic 207.189.212.214
object network webmail-https
nat (inside,outside) static 207.189.212.217 service tcp https https
object network webmail-mail-587
nat (inside,outside) static 207.189.212.217 service tcp 587 587
object network webmail-smtp
nat (inside,outside) static 207.189.212.217 service tcp smtp smtp
object network PerfectMai--Outbound
nat (inside,outside) dynamic 207.189.212.217
object network eRequesterDev
nat (inside,outside) static 207.189.212.221 service tcp www www
object network BarkLakeWebSvr
nat (inside,outside) static 207.189.212.216 service tcp www www
object network columbia-webchat-http
nat (inside,outside) static 207.189.212.220 service tcp www www
object network columbia-webchat-https
nat (inside,outside) static 207.189.212.220 service tcp https https
object network columbia-production-web-http
nat (inside,outside) static 207.189.212.222 service tcp www www
object network columbia-production-web-https
nat (inside,outside) static 207.189.212.222 service tcp https https
object network Production-webserver
nat (inside,outside) dynamic 207.189.212.222
object network Production-webchat
nat (inside,outside) dynamic 207.189.212.220
object network cicvrmswebp1-https
nat (inside,outside) static 207.189.212.218 service tcp https https
object network cicvrmswebp1
nat (inside,outside) dynamic 207.189.212.218
object network 10.11.2.32
nat (inside,outside) static 207.189.212.216 service tcp ssh ssh
object network https-Exchange
nat (inside,outside) static 207.189.212.219 service tcp https https
object network BarkLakeWeb
nat (inside,outside) static 207.189.212.216 service tcp ssh 2222
object network cicvrmswebappp1-4430
nat (inside,outside) static 207.189.212.218 service tcp 4430 4430
object network 10.11.2.172
nat (inside,outside) static 207.189.212.217 service tcp 4443 4443
object network TestRMSConfModule
nat (inside,outside) static 207.189.212.217 service tcp 8080 8080
object network Longwood-DSL-VPN
nat (inside,outside) static 207.189.212.216 service tcp 10155 10155
object network ExchangeVMX1--Outside
nat (inside,outside) dynamic 207.189.212.217 dns
object network Sage300ProdNAT
nat (inside,outside) static 207.189.212.216 service tcp 3389 9000
object network CICVADMINP1
nat (inside,outside) dynamic 207.189.212.221
object network CICVFS1External
nat (inside,outside) static 207.189.212.214 service tcp ftp ftp
object network BLWebSvr443
nat (inside,outside) static 207.189.212.216 service tcp https https
object network ExchangeVMX2--Outside
nat (inside,outside) dynamic 207.189.212.217 dns
!
nat (inside,outside) after-auto source dynamic AW_public_WLAN interface description 172.20.x.x
nat (inside,outside) after-auto source dynamic MB_public_WLAN interface description 172.22.x.x
nat (inside,outside) after-auto source dynamic 10-net interface description 10.x.x.x
nat (inside,outside) after-auto source dynamic 172.16-net interface inactive
nat (inside,outside) after-auto source dynamic 172.21-net interface description 172.21.x.x
nat (inside,outside) after-auto source dynamic 172.24-net interface description LH-Public Wifi
nat (inside,outside) after-auto source dynamic 172.23-net interface description OH-Public Wifi
nat (inside,outside) after-auto source dynamic 172.25-net-PH_PUB_WIFI interface description LH-Public Wifi
nat (inside,outside) after-auto source dynamic 172.27-net interface description AH- Pub Wifi
nat (inside,outside) after-auto source dynamic 172.28-net interface description CB- Pub Wifi
nat (inside,outside) after-auto source dynamic 172.26-net interface description 172.21.x.x
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.189.212.201 1
route inside 10.0.0.0 255.0.0.0 10.0.1.6 1
route outside 10.70.4.0 255.255.255.0 207.189.212.201 1
route inside 172.16.0.0 255.255.0.0 10.0.1.6 1
route inside 172.20.0.0 255.255.0.0 10.0.1.6 1
route inside 172.21.0.0 255.255.0.0 10.0.1.6 1
route inside 172.22.0.0 255.255.0.0 10.0.1.6 1
route inside 172.23.0.0 255.255.0.0 10.0.1.6 1
route inside 172.24.0.0 255.255.0.0 10.0.1.6 1
route inside 172.25.0.0 255.255.0.0 10.0.1.6 1
route inside 172.26.0.0 255.255.0.0 10.0.1.6 1
route inside 172.27.0.0 255.255.0.0 10.0.1.6 1
route inside 172.28.0.0 255.255.0.0 10.0.1.6 1
route outside 192.168.1.0 255.255.255.0 207.189.212.201 1
route outside 192.168.69.32 255.255.255.240 207.189.212.201 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable 4443
http 10.0.1.0 255.255.255.0 inside
http 192.168.69.0 255.255.255.0 inside
http 69.158.188.182 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 Management
http 10.11.0.25 255.255.255.255 inside
http 10.11.0.130 255.255.255.255 inside
snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server user ctennyson No_Authentication_No_Encryption v3
snmp-server host inside 10.11.2.109 community *****
snmp-server host inside 10.11.0.109 trap community *****
snmp-server host inside 10.11.0.25 community *****
snmp-server host inside 10.11.0.130 community *****
snmp-server location AW
snmp-server contact Colin Tennyson
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
crypto ipsec ikev1 transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map ccha_dynmap1 10 set ikev1 transform-set STRONG
crypto dynamic-map DYNAMIC-S2S 1 set pfs
crypto dynamic-map DYNAMIC-S2S 1 set ikev2 ipsec-proposal AES256
crypto dynamic-map DYNAMIC-S2S 1 set reverse-route
crypto dynamic-map DYNAMIC-S2S 10 set pfs group1
crypto dynamic-map DYNAMIC-S2S 10 set ikev1 transform-set tset
crypto dynamic-map DYNAMIC-S2S 10 set security-association lifetime kilobytes unlimited
crypto map CCHA_VPN 1 match address outside_cryptomap
crypto map CCHA_VPN 1 set pfs
crypto map CCHA_VPN 1 set peer 72.38.201.213
crypto map CCHA_VPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CCHA_VPN 2 match address outside_cryptomap_1
crypto map CCHA_VPN 2 set peer 63.250.109.86
crypto map CCHA_VPN 2 set ikev1 transform-set ESP-3DES-SHA
crypto map CCHA_VPN 2 set ikev2 pre-shared-key *****
crypto map CCHA_VPN 2 set security-association lifetime kilobytes unlimited
crypto map CCHA_VPN 3 match address outside_cryptomap_2
crypto map CCHA_VPN 3 set peer 208.114.153.107
crypto map CCHA_VPN 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CCHA_VPN 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map CCHA_VPN 4 match address outside_cryptomap_3
crypto map CCHA_VPN 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CCHA_VPN 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map CCHA_VPN 5 match address outside_cryptomap_4
crypto map CCHA_VPN 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CCHA_VPN 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map CCHA_VPN 6 match address outside_cryptomap_5
crypto map CCHA_VPN 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CCHA_VPN 6 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map CCHA_VPN 65535 ipsec-isakmp dynamic ccha_dynmap1
crypto map VPNMAP 1 match address outside_cryptomap_6
crypto map VPNMAP 1 set pfs group1
crypto map VPNMAP 1 set peer 96.63.37.56
crypto map VPNMAP 1 set ikev1 transform-set tset
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNAMIC-S2S
crypto map VPNMAP interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 208.72.124.18 255.255.255.255 outside
ssh 99.232.228.79 255.255.255.255 outside
ssh 208.124.241.30 255.255.255.255 outside
ssh 209.171.88.98 255.255.255.255 outside
ssh 184.147.154.163 255.255.255.255 outside
ssh 184.147.154.102 255.255.255.255 outside
ssh 99.224.59.246 255.255.255.255 outside
ssh 206.126.83.43 255.255.255.255 outside
ssh 10.11.0.0 255.255.255.0 inside
ssh 10.10.16.0 255.255.255.0 inside
ssh 10.11.0.0 255.255.255.0 Management
ssh 10.11.2.0 255.255.255.0 Management
ssh 192.168.69.0 255.255.255.0 Management
ssh 192.168.69.33 255.255.255.255 Management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Management
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.11.2.25 source inside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value split_tunnel_list
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_63.250.109.86 internal
group-policy GroupPolicy_63.250.109.86 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_96.63.37.56 internal
group-policy GroupPolicy_96.63.37.56 attributes
vpn-filter value outside_cryptomap
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_0.0.0.0 internal
group-policy GroupPolicy_0.0.0.0 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy G-P-U-CCHA internal
group-policy G-P-U-CCHA attributes
banner value This is a private network of Columbia College and is for authorized users only.
vpn-idle-timeout 1440
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2
password-storage disable
group-lock value G-T-U-CCHA
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value CCHA_pool1
username pdevine password TVTwnwDfiesNRVeL encrypted privilege 0
username aurata password Iz2fG3syQnrLTk87 encrypted
username jle password B3iyH843DkQbaE.2 encrypted privilege 0
username wangurus password g1UnTocL6gAn/G9E encrypted privilege 15
username ctennyson password GN86pxfbpN2iHCbV encrypted privilege 15
username dmcmahon password K2XxgdHtIRieqEeQ encrypted privilege 0
username columbia password oCn8G5cI16Ac5Ax6 encrypted privilege 15
username msmith password IY5ydrWW8cIjDsYo encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group G-T-U-CCHA type remote-access
tunnel-group G-T-U-CCHA general-attributes
default-group-policy G-P-U-CCHA
tunnel-group G-T-U-CCHA ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 63.250.109.86 type ipsec-l2l
tunnel-group 63.250.109.86 general-attributes
default-group-policy GroupPolicy_63.250.109.86
tunnel-group 63.250.109.86 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 96.63.37.56 type ipsec-l2l
tunnel-group 96.63.37.56 general-attributes
default-group-policy GroupPolicy_96.63.37.56
tunnel-group 96.63.37.56 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
class-map http-traffic
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
class http-traffic
class class-default
user-statistics accounting
flow-export event-type all destination 10.11.2.168
!
service-policy global_policy global
smtp-server 10.11.2.181 10.11.2.182
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:7d0732d43327b0a191d6c338d678be56
: end
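Two things a reviewer would check first in a hub config like the one above: which crypto maps are actually bound to an interface (static peer entries on an unbound map are never consulted) and which transform-sets still carry DES, 3DES or MD5. This is an added Python check, not code from the post; the excerpt it parses is constructed in the style of the hub config, with RFC 5737 placeholder peer addresses rather than the addresses in the post.

```python
from collections import defaultdict

# Constructed excerpt in the style of the hub config above; peer addresses are
# RFC 5737 placeholders, not the addresses from the post.
SAMPLE = """\
crypto ipsec ikev1 transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMIC-S2S 10 set ikev1 transform-set tset
crypto map CCHA_VPN 1 set peer 192.0.2.10
crypto map CCHA_VPN 2 set peer 192.0.2.20
crypto map CCHA_VPN 2 set ikev1 transform-set ESP-3DES-MD5
crypto map CCHA_VPN 65535 ipsec-isakmp dynamic ccha_dynmap1
crypto map VPNMAP 1 set peer 198.51.100.5
crypto map VPNMAP 1 set ikev1 transform-set tset
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNAMIC-S2S
crypto map VPNMAP interface outside
"""

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # ESP algorithms to retire

def parse_crypto(config):
    """Return (transform-sets, static peers per crypto map, map -> interface)."""
    tsets, peers, bound = {}, defaultdict(set), {}
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            if t[5] != "mode":            # 'mode transport' lines carry no algorithms
                tsets[t[4]] = set(t[5:])
        elif t[:2] == ["crypto", "map"]:
            name = t[2]
            if t[3] == "interface":       # 'crypto map NAME interface IFACE'
                bound[name] = t[4]
            elif t[4:6] == ["set", "peer"]:
                peers[name].update(t[6:])
    return tsets, peers, bound

def unbound_maps(config):
    """Crypto maps with static peers that are applied to no interface."""
    _, peers, bound = parse_crypto(config)
    return sorted(m for m in peers if m not in bound)

def weak_transform_sets(config):
    """Transform-sets that still include DES, 3DES or MD5."""
    tsets, _, _ = parse_crypto(config)
    return sorted(n for n, algs in tsets.items() if algs & WEAK)

if __name__ == "__main__":
    print("maps not bound to an interface:", unbound_maps(SAMPLE))
    print("weak transform-sets:", weak_transform_sets(SAMPLE))
```

Run it against a `show running-config crypto` capture instead of the constructed excerpt to get the same two lists for a real box.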
