Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1542
Views
0
Helpful
7
Replies

Cisco ASA Policy-Based Routing

Robbert Tol
Level 1
Level 1

‎02-21-2018 10:55 AM - edited ‎02-21-2020 07:23 AM

Hi There,

 

I have an urgent problem, on which i cannot figure out how to deal with it.

 

I have an asa5506-X with two internal VLAN's (VLAN 10, VLAN 20 Guest Network)

I Have one normal WAN Connection to the internet. I also have an special 2nd intranet connection (WAN) to an dealer network.

On the dealer network there are some subnets (example 10.39.10.0/24, 192.200.0.0/24 and 10.150.1.0/24) which has some servers which i have to been able to reach.

 

In other words;

When an computer in the normal production VLAN10 wants to do normal internet browsing (except the dealernetwork subnets), traffic has to been sent over WAN1. If one of the dealer networks is been addressed, the traffic should flow over WAN2.

 

ASA Config

V9.6.1

 

VLAN10 IP: 192.168.100.1

VLAN20 IP: 192.168.250.1

WAN1 IP: 1.1.1.1

WAN2 IP (Dealer network): 10.49.240.10 

 

Please advise how i quickly can make the config complete, so that we can address the dealer network. We are now replacing our old Zyxell Zywall for an Cisco ASA. The Zywall had no problems with the two WAN interfaces. 

 

Kind Regards,

 

Robbert

Labels:
0 Helpful
7 Replies 7

Professor_Pickles
Level 1
Level 1

‎02-21-2018 02:44 PM - edited ‎02-21-2018 03:30 PM

Can you describe the network in terms of the Interfaces they are behind, for example: 

 

10.39.10.0/24   - e0/0 (Native usually VLAN1)

192.200.0.0/24 - e0/0.10 (VLAN10) 

10.150.1.0/24  -  e0/0.20 (VLAN20)

 

WAN1 - e0/1

WAN2 - e0/2

 

From what I'm reading you would not use PBR, you just need to have the correct route statements as well as insure your NAT statements are correct.

0 Helpful

Robbert Tol
Level 1
Level 1
In response to Professor_Pickles

‎02-21-2018 02:50 PM

interface GigabitEthernet1/1

description Inside LAN Interface ASA5506-X

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/1.1

description VLAN10 Interface LAN Netwerk

vlan 10

nameif VLAN10

security-level 100

ip address 192.168.100.1 255.255.255.0

policy-route route-map PON_MAP

!

interface GigabitEthernet1/1.2

description  VLAN20 Interface Guest Netwerk

vlan 20

nameif VLAN20

security-level 25

ip address 192.168.250.1 255.255.255.0

!

interface GigabitEthernet1/2

description WAN Interface Tele2 Fiber Internet

speed 100

duplex full

nameif WAN

security-level 0

ip address 1.7.102.94 255.255.255.248

!

interface GigabitEthernet1/3

description PON WAN Interface

nameif WAN_PON

security-level 0

ip address 10.49.240.10 255.255.255.0

 

route WAN 0.0.0.0 0.0.0.0 1.7.202.89 1

route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1

route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1

route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1

0 Helpful

Robbert Tol
Level 1
Level 1
In response to Robbert Tol

‎02-21-2018 02:52 PM

object network VLAN10_Subnet

subnet 192.168.100.0 255.255.255.0

object network VLAN10_Subnet

nat (VLAN10,WAN) dynamic interface

0 Helpful

Professor_Pickles
Level 1
Level 1
In response to Robbert Tol

‎02-21-2018 03:28 PM - edited ‎02-21-2018 03:31 PM

I'm seeing GAP in your configuration. So, in order for the users at 192.168.100.0/24 network to reach the 10.0.0.0/8 you'll need to make a few changes:

 

Create an object for the remote 10.0.0.0/8 network or use one if you have it

object network obj-net-10
 subnet 10.0.0.0 255.0.0.0

 

Your will need this NAT statement, make sure I've got the correct source/dst interfaces.

!
nat (VLAN10,WAN_PON) source static VLAN10_Subnet VLAN10_Subnet destination static obj-net-10 obj-net-10 no-proxy-arp route-lookup

This will essentially perform a no-NAT on your SRC/DST networks.

 

0 Helpful

Robbert Tol
Level 1
Level 1
In response to Professor_Pickles

‎02-21-2018 03:32 PM

Thank you so much!

 

Can i ask you one more thing?

 

I have an working Site to Site VPN Tunnel between two sites. The above site is working fine.

What do i have to change on the asa at site B to access the same 10.0.0.0 subnet ?

 

Kind regards,

 

Robbert

0 Helpful

Professor_Pickles
Level 1
Level 1
In response to Robbert Tol

‎02-21-2018 03:40 PM - edited ‎02-21-2018 03:59 PM

Similar steps:

 

  1. Identify source network IP subnet and create an object to track it.
  2. Identify the Interface name that the source subnet is behind, make a note of it.
  3. Repeat 1&2 for the DST network, which I think you mentioned DST is the 10 so create an object for that.
  4. Finally create a NAT statement like the one I did above using the appropriate objects in src and dst

r/Phil

0 Helpful

Robbert Tol
Level 1
Level 1
In response to Professor_Pickles

‎02-21-2018 05:47 PM

Sorry, but the solution doesn't work :-(

I am an newby in Cisco ASA and before the customer had two Zyxel Firewall's which had any problems with the Site to site VPN's and the second WAN on the HQ Location. Also tried your suggestion.

 

HQ Config:

 

hostname ASA5506X-VDL

domain-name company.local

enable password $sha512$5000$IvpLaK7wslmhXCYc77Z2Dg==$IMVR8WShj36y5fUcEe0Uqg== pbkdf2

names

no mac-address auto

ip local pool VPN_DHCP_Pool 192.168.10.1-192.168.10.200 mask 255.255.255.0

 

!

interface GigabitEthernet1/1

description Inside LAN Interface ASA5506-X

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/1.1

description company VLAN10 Interface LAN Netwerk

vlan 10

nameif VLAN10

security-level 100

ip address 192.168.100.1 255.255.255.0

policy-route route-map PON_MAP

!

interface GigabitEthernet1/1.2

description company VLAN20 Interface Guest Netwerk

vlan 20

nameif VLAN20

security-level 25

ip address 192.168.250.1 255.255.255.0

!

interface GigabitEthernet1/2

description WAN Interface Tele2 Fiber Internet

speed 100

duplex full

nameif WAN

security-level 0

ip address 1.1.1.94 255.255.255.248

!

interface GigabitEthernet1/3

description PON WAN Interface

nameif WAN_PON

security-level 0

ip address 10.49.240.10 255.255.255.0

!

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/8

shutdown

no nameif

no security-level

no ip address

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

boot system disk0:/asa964-lfbff-k8.SPA

ftp mode passive

dns domain-lookup VLAN10

dns domain-lookup VLAN20

dns domain-lookup WAN

dns domain-lookup WAN_PON

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

name-server 10.150.1.3

name-server 192.168.100.21

domain-name company.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Gonzo_LAN

host 192.168.100.22

description Microsoft Exchange 2010 Server company

object network Gonzo_WAN

host 1.1.1.90

description Microsoft Exchange 2010 Server company WAN Address

object network Gonzo_LAN_SMTP

host 192.168.100.22

object network Gonzo_LAN_HTTPS

host 192.168.100.22

object network Camera_LAN

host 192.168.100.10

object network Camera_WAN

host 1.1.1.92

object network Camera_LAN_554

host 192.168.100.10

object network Camera_LAN_8000

host 192.168.100.10

object network Camera_LAN_8099

host 192.168.100.10

object network Hyper_LAN

host 192.168.100.250

object network Hyper_WAN

host 1.1.1.91

object network Hyper_LAN_HTTPS

host 192.168.100.250

object network Hyper_LAN_17990

host 192.168.100.250

object network Zoetermeer_LAN

subnet 192.168.1.0 255.255.255.0

object network Zoetermeer_WAN

host 2.2.2.98

object network VLAN10_Subnet

subnet 192.168.100.0 255.255.255.0

description VLAN10 company LAN Subnet

object network VLAN20_Subnet

subnet 192.168.250.0 255.255.255.0

description VLAN20 company Guest Subnet

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.100.0_24

subnet 192.168.100.0 255.255.255.0

object network PON_192_200_0_0

subnet 192.200.0.0 255.255.0.0

object network PON_10_0_0_0

subnet 10.0.0.0 255.0.0.0

object network VLAN10_PON

subnet 192.168.100.0 255.255.255.0

object-group service Gonzo_Services

service-object tcp destination eq https

service-object tcp destination eq smtp

object-group service Camera_Services

service-object tcp destination eq rtsp

service-object tcp destination eq 8000

service-object tcp destination eq 8099

object-group service Hyper_Services

service-object tcp destination eq https

service-object tcp destination eq 17990

object-group network PON_Network_Group

network-object object PON_10_0_0_0

network-object object PON_192_200_0_0

access-list outside_inside extended permit icmp any any echo

access-list outside_inside extended permit udp any any range 33434 33523

access-list outside_inside extended permit icmp any any time-exceeded

access-list outside_inside extended permit icmp any any source-quench

access-list outside_inside extended permit icmp any any echo-reply

access-list outside_inside extended permit icmp any any unreachable

access-list outside_inside extended permit object-group Gonzo_Services any object Gonzo_LAN

access-list outside_inside extended permit object-group Camera_Services any object Camera_LAN

access-list outside_inside extended permit object-group Hyper_Services any object Hyper_LAN

access-list outside_inside extended deny ip any any

access-list ICMPACL extended permit icmp any any

access-list outbound extended permit tcp host 192.168.100.22 any eq smtp

access-list outbound extended deny tcp any any eq smtp

access-list outbound extended permit ip any any

access-list PON_Inside extended permit icmp any any echo

access-list PON_Inside extended permit udp any any range 33434 33523

access-list PON_Inside extended permit icmp any any time-exceeded

access-list PON_Inside extended permit icmp any any source-quench

access-list PON_Inside extended permit icmp any any echo-reply

access-list PON_Inside extended permit icmp any any unreachable

access-list Split_Tunnel standard permit 192.168.100.0 255.255.255.0

access-list Split_Tunnel standard permit 192.168.4.0 255.255.255.0

access-list WAN_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object Zoetermeer_LAN

access-list ACL_PONNET standard permit 10.0.0.0 255.0.0.0

pager lines 24

logging enable

logging asdm informational

mtu VLAN10 1500

mtu VLAN20 1500

mtu WAN 1500

mtu WAN_PON 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-791-151.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

nat (VLAN10,WAN) source static any any destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

nat (VLAN10,WAN) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Zoetermeer_LAN Zoetermeer_LAN no-proxy-arp route-lookup

!

object network Gonzo_LAN

nat (VLAN10,WAN) static Gonzo_WAN

object network Gonzo_LAN_SMTP

nat (VLAN10,WAN) static Gonzo_WAN service tcp smtp smtp

object network Gonzo_LAN_HTTPS

nat (VLAN10,WAN) static Gonzo_WAN service tcp https https

object network Camera_LAN_554

nat (VLAN10,WAN) static Camera_WAN service tcp rtsp rtsp

object network Camera_LAN_8000

nat (VLAN10,WAN) static Camera_WAN service tcp 8000 8000

object network Camera_LAN_8099

nat (VLAN10,WAN) static Camera_WAN service tcp 8099 8099

object network Hyper_LAN_HTTPS

nat (VLAN10,WAN) static Hyper_WAN service tcp https https

object network Hyper_LAN_17990

nat (VLAN10,WAN) static Hyper_WAN service tcp 17990 17990

object network VLAN10_Subnet

nat (VLAN10,WAN) dynamic interface

object network VLAN20_Subnet

nat (VLAN20,WAN) static Camera_WAN

object network VLAN10_PON

nat (VLAN10,WAN_PON) static interface

access-group outside_inside in interface WAN

access-group PON_Inside in interface WAN_PON

!

route-map PON_MAP permit 10

match ip address ACL_PONNET

set interface WAN_PON

set ip default next-hop 10.49.240.1

 

!

route WAN 0.0.0.0 0.0.0.0 1.1.1.89 1

route WAN_PON 10.0.0.0 255.0.0.0 10.49.240.1 1

route VLAN10 192.168.4.0 255.255.255.0 192.168.100.253 1

route WAN_PON 192.200.0.0 255.255.0.0 10.49.240.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

aaa-server Radius-Kermit protocol radius

aaa-server Radius-Kermit (VLAN10) host 192.168.100.21

key *****

radius-common-pw vdL!nd3n2018?

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.100.0 255.255.255.0 VLAN10

no snmp-server location

no snmp-server contact

service sw-reset-button

 

******* REMOVED CRYPTO LINES FOR LENGTH ********

 

crypto ikev2 enable WAN client-services port 443

crypto ikev2 remote-access trustpoint vpn_company-groep_nl

crypto ikev1 enable WAN

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.100.0 255.255.255.0 VLAN10

ssh timeout 5

ssh cipher encryption all

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd dns 8.8.8.8 8.8.4.4

!

dhcpd address 192.168.250.10-192.168.250.200 VLAN20

dhcpd enable VLAN20

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point vpn_company-groep_nl VLAN10

ssl trust-point vpn_company-groep_nl VLAN20

ssl trust-point vpn_company-groep_nl WAN

ssl trust-point vpn_company-groep_nl WAN_PON

webvpn

enable WAN

anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 1

anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 2

anyconnect profiles ASA5506-X_company_client_profile disk0:/ASA5506-X_company_client_profile.xml

anyconnect enable

tunnel-group-list enable

cache

  disable

error-recovery disable

group-policy "GroupPolicy_ASA5506-X company" internal

group-policy "GroupPolicy_ASA5506-X company" attributes

wins-server none

dns-server value 192.168.100.21

vpn-tunnel-protocol ikev2 ssl-client

split-tunnel-policy excludespecified

split-tunnel-network-list value Split_Tunnel

default-domain value company.local

webvpn

  anyconnect profiles value ASA5506-X_company_client_profile type user

group-policy GroupPolicy_2.2.2.98 internal

group-policy GroupPolicy_2.2.2.98 attributes

vpn-tunnel-protocol ikev1 ikev2

dynamic-access-policy-record DfltAccessPolicy

username admin password $sha512$5000$mXimwUYVhPk6HBnK+ct8NQ==$sj3JFxcM4u/aw/0LN3W9FQ== pbkdf2 privilege 15

tunnel-group "ASA5506-X company" type remote-access

tunnel-group "ASA5506-X company" general-attributes

address-pool VPN_DHCP_Pool

authentication-server-group Radius-Kermit

default-group-policy "GroupPolicy_ASA5506-X company"

tunnel-group "ASA5506-X company" webvpn-attributes

group-alias "ASA5506-X company" enable

tunnel-group 2.2.2.98 type ipsec-l2l

tunnel-group 2.2.2.98 general-attributes

default-group-policy GroupPolicy_2.2.2.98

tunnel-group 2.2.2.98 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e6f9318f1bbd2d0e7efbbfcf31235c35

 

ASA Branche Office

 

ASA Version 9.6(4)

!

hostname ASA5506X-ZTM

domain-name company.local

enable password $sha512$5000$q37wopLLpi3FeO/gR9nBag==$iiYKD04GYsEvzb6hpHu6QQ== pbkdf2

names

no mac-address auto

 

!

interface GigabitEthernet1/1

description WAN Interface Address company Zoetermeer

nameif outside

security-level 0

ip address 6.6.6.98 255.255.255.252

!

interface GigabitEthernet1/2

description LAN Interface company Zoetermeer

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface GigabitEthernet1/3

shutdown

no nameif

security-level 100

no ip address

!

interface GigabitEthernet1/4

shutdown

no nameif

security-level 100

no ip address

!

interface GigabitEthernet1/5

shutdown

no nameif

security-level 100

no ip address

!

interface GigabitEthernet1/6

shutdown

no nameif

security-level 100

no ip address

!

interface GigabitEthernet1/7

shutdown

no nameif

security-level 100

no ip address

!

interface GigabitEthernet1/8

shutdown

no nameif

security-level 100

no ip address

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

boot system disk0:/asa964-lfbff-k8.SPA

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 8.8.8.8 inside

name-server 192.168.100.21

name-server 8.8.4.4

domain-name company.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Internal_LAN

subnet 192.168.1.0 255.255.255.0

object network Waddinxveen

subnet 192.168.100.0 255.255.255.0

description Waddinxveen Subnet HQ

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

access-list outside_inside extended permit icmp any any echo

access-list outside_inside extended permit udp any any range 33434 33523

access-list outside_inside extended permit icmp any any time-exceeded

access-list outside_inside extended permit icmp any any source-quench

access-list outside_inside extended permit icmp any any echo-reply

access-list outside_inside extended permit icmp any any unreachable

access-list outside_inside extended deny ip any any

access-list ICMPACL extended permit icmp any any

access-list outbound extended permit tcp host 192.168.100.22 any eq smtp

access-list outbound extended deny tcp any any eq smtp

access-list outbound extended permit ip any any

access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Waddinxveen

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-791-151.bin

no asdm history enable

arp timeout 14400

arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Waddinxveen Waddinxveen no-proxy-arp route-lookup

!

object network Internal_LAN

nat (inside,outside) dynamic interface

access-group outside_inside in interface outside

route outside 0.0.0.0 0.0.0.0 6.6.6.97 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 62.177.202.94

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.100.0 255.255.255.0 inside

ssh timeout 5

ssh cipher encryption all

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd address 192.168.1.100-192.168.1.225 inside

dhcpd dns 192.168.100.21 8.8.8.8 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_62.177.202.94 internal

group-policy GroupPolicy_62.177.202.94 attributes

vpn-tunnel-protocol ikev1 ikev2

dynamic-access-policy-record DfltAccessPolicy

username admin password $sha512$5000$XJhfzyR/fvZjzfGSUQEdwA==$N5789JoSOE9DfuSXz6HO9Q== pbkdf2 privilege 15

tunnel-group 62.177.202.94 type ipsec-l2l

tunnel-group 62.177.202.94 general-attributes

default-group-policy GroupPolicy_62.177.202.94

tunnel-group 62.177.202.94 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  no tcp-inspection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:32c6a0af3e4f1738ea72b27db186581f

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card