08-11-2020 05:55 AM
Hello Guys,
Need help on troubleshooting the ssh from outside(WAN) interface, I attached the config below. Please advice with commands for troubleshooting.
Thanks,
Result of the command: "sh run"
: Saved
Result of the command: "sh run"
: Saved
:
ASA Version 9.9(1)
!
hostname A1ASA
enable password mgCeL9SBd2ZbybMR encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool TechMonks-Pool 192.168.235.1-192.168.235.10 mask 255.255.255.0
ip local pool VPNpool 10.222.225.1-10.222.225.254 mask 255.255.255.0
ip local pool McCallum-Pool 10.123.123.1-10.123.123.21 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Outside
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
description inside
nameif inside
security-level 90
ip address 10.222.222.1 255.255.252.0
!
interface GigabitEthernet1/3
nameif AirbossMimic
security-level 40
ip address 192.168.1.7 255.255.255.0
!
interface GigabitEthernet1/4
description Development
nameif Development
security-level 50
ip address 192.168.175.1 255.255.255.0
!
interface GigabitEthernet1/5
description Security
nameif Security
security-level 80
ip address 10.211.211.1 255.255.255.0
!
interface GigabitEthernet1/6
description Rogers-LAN-EXT
speed 100
duplex full
nameif Rogers-LAN-EXT
security-level 90
ip address 172.30.1.222 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Phone System
nameif New-Phone
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
ip address 192.168.149.3 255.255.255.0
!
boot system disk0:/asa991-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup Development
dns domain-lookup Security
dns server-group DefaultDNS
name-server 10.222.222.12
domain-name ableone.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.199.196.0_22
subnet 10.199.196.0 255.255.252.0
object network NETWORK_OBJ_10.222.220.0_22
subnet 10.222.220.0 255.255.252.0
object network Inside_Network
subnet 10.222.220.0 255.255.252.0
description Inside_Network
object network Generic
subnet 0.0.0.0 0.0.0.0
object network SecurityController
host 10.211.211.10
description SecurityController
object network Security_Net
subnet 10.211.211.0 255.255.255.0
description Security_Net
object network Sec-Net
subnet 10.222.220.0 255.255.252.0
description Sec-Net
object network NETWORK_OBJ_10.222.225.0_24
subnet 10.222.225.0 255.255.255.0
object network NETWORK_OBJ_172.30.1.0_24
subnet 172.30.1.0 255.255.255.0
description NETWORK_OBJ_172.30.1.0_24
object network PoC-Phone
subnet 10.10.10.0 255.255.255.0
object network TechMonksVPN
description TechMonksVPN Client Range
object network TechMonksNet
subnet 192.168.235.0 255.255.255.0
description TechMonks VPN Network
object network Fibernetics-Phone
subnet 10.10.10.0 255.255.255.0
description Fibernetics-Phone
object network NETWORK_OBJ_192.168.175.0_24
subnet 192.168.175.0 255.255.255.0
object network FOCU-NET
subnet 10.1.30.0 255.255.255.0
object network NETWORK_OBJ_10.123.123.0_27
subnet 10.123.123.0 255.255.255.224
object network A1Cogent-Internal
subnet 10.17.25.0 255.255.255.0
description A1Cogent Internal Network
object network A1Cogent-Management
subnet 10.20.77.0 255.255.255.0
description A1 Cogent Management Network
object network TMGInside
subnet 10.170.150.0 255.255.254.0
description Trimach Inside Network in staging area
object network TMG-HQLocalNetwork
subnet 192.168.6.0 255.255.255.0
description Trimach Elmira local network
object network A1-Rogers-VPNPool
subnet 192.168.222.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.175.0 255.255.255.0
network-object object Inside_Network
network-object object Security_Net
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_2
network-object 10.222.220.0 255.255.252.0
network-object object NETWORK_OBJ_10.222.225.0_24
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service POC-Phones udp
port-object range 10000 20000
port-object eq sip
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service POC-Phone_Ports
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_11
service-object ip
service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_3
network-object object NETWORK_OBJ_10.222.220.0_22
network-object object NETWORK_OBJ_10.222.225.0_24
object-group network FOCU
network-object host 10.1.30.45
network-object host 10.1.40.45
network-object host 10.1.80.12
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_4
network-object object A1Cogent-Internal
network-object object A1Cogent-Management
object-group network DM_INLINE_NETWORK_5
network-object 192.168.175.0 255.255.255.0
network-object object TMGInside
object-group network DevNetwork
network-object 192.168.175.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Inside_Network object NETWORK_OBJ_10.199.196.0_22
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any any
access-list outside_access_in extended permit tcp any any eq 2601
access-list outside_access_in extended permit udp any any object-group POC-Phones inactive
access-list inside_access_in extended permit ip 10.222.220.0 255.255.252.0 any
access-list inside_access_in extended permit ip 10.222.220.0 255.255.252.0 10.222.225.0 255.255.255.0
access-list inside_access_in_1 extended permit ip host 10.222.221.221 192.168.235.0 255.255.255.0
access-list inside_access_in_1 extended deny ip 10.222.220.0 255.255.252.0 192.168.235.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.222.225.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.10.10.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.211.211.0 255.255.255.0
access-list inside_access_in_1 extended permit ip any 10.199.196.0 255.255.252.0
access-list inside_access_in_1 extended permit ip any 192.168.175.0 255.255.255.0
access-list inside_access_in_1 extended permit udp any 10.199.196.0 255.255.252.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_5 any any
access-list inside_access_in_1 extended permit ip any any
access-list Security_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
access-list Security_access_in extended permit ip any any
access-list Development_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Development_access_in extended permit ip any object Inside_Network
access-list Development_access_in extended permit ip any object-group DM_INLINE_NETWORK_3 inactive
access-list Development_access_in extended permit ip object TMGInside object TMG-HQLocalNetwork
access-list Development_access_in extended permit ip any any
access-list SPLIT standard permit 10.222.220.0 255.255.252.0
access-list SPLIT standard permit 10.10.10.0 255.255.255.0
access-list SPLIT standard permit 192.168.175.0 255.255.255.0
access-list SPLIT standard permit 10.199.196.0 255.255.252.0
access-list SPLIT standard permit 192.168.222.0 255.255.255.0
access-list Rogers-LAN-EXT_access_in extended permit object-group DM_INLINE_SERVICE_8 any any
access-list Rogers-LAN-EXT_access_in extended permit ip any any
access-list AllIn1_splitTunnelAcl standard permit 192.168.175.0 255.255.255.0
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_10 object PoC-Phone object-group DM_INLINE_NETWORK_2
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_11 object PoC-Phone any
access-list PoC-Phone_access_in extended permit object-group DM_INLINE_SERVICE_9 any any
access-list PoC-Phone_access_in extended permit ip any any
access-list TechMonks-Split standard permit 10.222.220.0 255.255.252.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.222.225.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.175.0 255.255.255.0 object FOCU-NET
access-list McCallum_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list McCallum_access_in extended permit ip any any
access-list McCallum-Split standard permit 10.40.40.0 255.255.252.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list outside_cryptomap_1 extended permit ip 10.222.220.0 255.255.252.0 object-group DM_INLINE_NETWORK_4
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_5 object TMG-HQLocalNetwork
access-list AirbossMimic_access_in extended permit ip any any
pager lines 24
logging enable
logging history informational
logging asdm informational
logging host Rogers-LAN-EXT 10.199.198.225
logging permit-hostdown
flow-export destination Rogers-LAN-EXT 10.199.199.59 2055
flow-export destination Rogers-LAN-EXT 10.199.198.225 2055
flow-export template timeout-rate 1
mtu outside 1500
mtu inside 1500
mtu AirbossMimic 1500
mtu Development 1500
mtu Security 1500
mtu Rogers-LAN-EXT 1500
mtu New-Phone 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any Development
icmp permit any Security
icmp permit any Rogers-LAN-EXT
icmp permit any New-Phone
asdm image disk0:/asdm-791.bin
no asdm history enable
arp inside 10.222.220.225 5cff.3505.9be2
arp inside 10.222.222.222 013c.970e.7be6
arp timeout 28800
no arp permit-nonconnected
arp rate-limit 16384
nat (Development,outside) source static TMGInside TMGInside destination static TMG-HQLocalNetwork TMG-HQLocalNetwork no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 route-lookup
nat (inside,Rogers-LAN-EXT) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static A1-Rogers-VPNPool A1-Rogers-VPNPool no-proxy-arp route-lookup
nat (inside,Rogers-LAN-EXT) source static Inside_Network Inside_Network destination static A1-Rogers-VPNPool A1-Rogers-VPNPool no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (Development,outside) source static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24 destination static FOCU-NET FOCU-NET no-proxy-arp route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (New-Phone,outside) source static PoC-Phone PoC-Phone destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (inside,outside) source static Inside_Network Inside_Network destination static TechMonksNet TechMonksNet
nat (inside,New-Phone) source static NETWORK_OBJ_10.222.220.0_22 NETWORK_OBJ_10.222.220.0_22 destination static Fibernetics-Phone Fibernetics-Phone
nat (Development,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.222.225.0_24 NETWORK_OBJ_10.222.225.0_24
nat (inside,Development) source static Inside_Network Inside_Network destination static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24
nat (inside,Security) source static Inside_Network Inside_Network destination static Security_Net Security_Net
nat (Development,outside) source static NETWORK_OBJ_192.168.175.0_24 NETWORK_OBJ_192.168.175.0_24 destination static TMG-HQLocalNetwork TMG-HQLocalNetwork no-proxy-arp route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static NETWORK_OBJ_10.199.196.0_22 NETWORK_OBJ_10.199.196.0_22 no-proxy-arp route-lookup
!
object network Generic
nat (any,outside) dynamic interface
object network SecurityController
nat (Security,outside) static interface service tcp 2601 2601
object network Security_Net
nat (inside,inside) dynamic interface dns
object network Fibernetics-Phone
nat (inside,inside) dynamic interface dns
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group AirbossMimic_access_in in interface AirbossMimic
access-group Development_access_in in interface Development
access-group Security_access_in in interface Security
access-group Rogers-LAN-EXT_access_in in interface Rogers-LAN-EXT
access-group PoC-Phone_access_in in interface New-Phone
route Rogers-LAN-EXT 10.199.196.0 255.255.252.0 172.30.1.199 1 track 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Development 10.170.150.0 255.255.254.0 192.168.175.2 1
route outside 10.199.196.0 255.255.252.0 x.x.x.x 150
route Rogers-LAN-EXT 192.168.222.0 255.255.255.0 172.30.1.199 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 666
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 Development
http 0.0.0.0 0.0.0.0 Security
snmp-server host Rogers-LAN-EXT 10.199.198.225 community ***** version 2c
snmp-server host inside 10.199.199.250 community *****
snmp-server host Rogers-LAN-EXT 10.199.199.59 community ***** version 2c udp-port 161
snmp-server host inside 10.222.220.135 community ***** version 2c
snmp-server host inside 10.222.222.12 community ***** version 2c udp-port 161
snmp-server host Development 10.199.199.125 community *****
snmp-server location A1-Office-KW
snmp-server contact The Man
snmp-server community *****
sysopt noproxyarp inside
sysopt noproxyarp Development
sysopt noproxyarp Security
sysopt noproxyarp Rogers-LAN-EXT
sysopt noproxyarp New-Phone
sla monitor 123
type echo protocol ipIcmpEcho 10.199.199.241 interface Rogers-LAN-EXT
num-packets 2
frequency 5
sla monitor schedule 123 life forever start-time now
sla monitor 124
type echo protocol ipIcmpEcho 172.30.1.199 interface Rogers-LAN-EXT
num-packets 2
frequency 5
sla monitor schedule 124 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 set security-association lifetime kilobytes unlimited
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=A1ASA.ableone.local
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=72.143.29.6
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
cdp-url http://A1ASA/+CSCOCA+/asa_ca.crl
issuer-name CN=A1ASA
smtp from-address admin@A1ASA.null
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable Rogers-LAN-EXT
crypto ikev1 enable outside
crypto ikev1 enable Rogers-LAN-EXT
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 124 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 Development
ssh 0.0.0.0 0.0.0.0 Security
ssh 0.0.0.0 0.0.0.0 Rogers-LAN-EXT
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 15
dhcpd update dns both override
!
dhcpd address 10.222.220.1-10.222.220.200 inside
dhcpd dns 10.222.222.12 10.199.199.110 interface inside
dhcpd lease 14400 interface inside
dhcpd domain ableone.com interface inside
dhcpd update dns both override interface inside
!
dhcpd address 192.168.1.15-192.168.1.20 AirbossMimic
dhcpd dns 8.8.8.8 interface AirbossMimic
dhcpd lease 28800 interface AirbossMimic
dhcpd enable AirbossMimic
!
dhcpd address 192.168.175.100-192.168.175.200 Development
dhcpd dns 8.8.8.8 8.8.4.4 interface Development
dhcpd lease 28800 interface Development
dhcpd domain ableone.com interface Development
dhcpd enable Development
!
dhcpd address 10.211.211.100-10.211.211.110 Security
dhcpd dns 10.222.222.12 10.199.199.110 interface Security
dhcpd enable Security
!
dhcpd address 10.10.10.11-10.10.10.200 New-Phone
dhcpd dns 8.8.8.8 interface New-Phone
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 69.87.223.252 source outside
ntp server 198.245.51.213 source outside
ntp server 174.142.39.145 source outside
ntp server 144.217.65.182 source outside
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DES-CBC-SHA"
webvpn
port 444
enable outside
enable Development
dtls port 444
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.4.04030-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.4.04030-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
internal-password enable
cache
disable
error-recovery disable
group-policy A1-Office internal
group-policy A1-Office attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
vlan none
group-policy TechMonks internal
group-policy TechMonks attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-lock value TechMonks
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TechMonks-Split
address-pools value TechMonks-Pool
webvpn
anyconnect keep-installer installed
group-policy DfltGrpPolicy attributes
dns-server value 10.222.222.12
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
default-domain value ableone.com
group-policy GroupPolicy_McCallumVPN internal
group-policy GroupPolicy_McCallumVPN attributes
wins-server none
dns-server value 10.40.40.3 10.40.40.4
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value McCallum-Split
default-domain value mccs.local
group-policy GroupPolicy_206.47.171.229 internal
group-policy GroupPolicy_206.47.171.229 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_108.63.14.146 internal
group-policy GroupPolicy_108.63.14.146 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_38.17.20.92 internal
group-policy GroupPolicy_38.17.20.92 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_162.212.232.190 internal
group-policy GroupPolicy_162.212.232.190 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy AllIn1 internal
group-policy AllIn1 attributes
dns-server value 10.222.222.12
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AllIn1_splitTunnelAcl
default-domain value ableone.local
dynamic-access-policy-record A1Office-VPN
webvpn
file-browsing enable
file-entry enable
svc ask enable default svc
always-on-vpn profile-setting
dynamic-access-policy-record DfltAccessPolicy
username sshah password $sha512$5000$ClD9dCJ3YKRaTRNSsHNgfQ==$NHmW8ZGmZWHIJvIWkIzGFQ== pbkdf2
username sshah attributes
vpn-group-policy A1-Office
username rbruce password $sha512$5000$5RHk0rfna+EIf+JIliQwfg==$2Ast7zSQjYSCLQcLQ/e9vA== pbkdf2
username rbruce attributes
service-type remote-access
username duane password $sha512$5000$eIUdrP+2sUi793Y5dXITFQ==$+lBhAG9YTqx31d75yYkjvg== pbkdf2
username duane attributes
service-type remote-access
username TechWiz password xOJJwOGzbSO9kaoh encrypted privilege 0
username TechWiz attributes
vpn-group-policy TechMonks
username rcampbell password Xrq5bBsSgAwmVi6/ encrypted
username ModernWorks password lEz0kDHlI4p17C1A encrypted
username asuter password $sha512$5000$tJiJxbT9YAljbs6/UDygSw==$9KTGAjw2HZssB7fAD7sUmw== pbkdf2
username ableone password 0Tf7jgrtHuufsPfn encrypted privilege 15
username dperco password 0MLknrIFlnuxm2yq encrypted
username grant password yosASoGeVtPsSimX encrypted
username dbryndza password $sha512$5000$NukH6y2heDYMNfVLuEgTeA==$geQe68P3mxvmUsyLqTdaPw== pbkdf2
username dbryndza attributes
vpn-group-policy A1-Office
username gary password pw4mQ7q5jaWBQAwY encrypted privilege 0
username gary attributes
vpn-group-policy A1-Office
username tschmied password $sha512$5000$b9D4n9NkYDC3mP2k5ctqbw==$kfWRi3l2bJUa1lJJvSQhOA== pbkdf2
username tschmied attributes
vpn-group-policy A1-Office
username stefan password zY5pJt05Q/cLKBQu encrypted privilege 0
username stefan attributes
vpn-group-policy A1-Office
username kstewart password r.8BdlmN.awUt.jr encrypted
username ltelford password Oeiv3AKot.fFvAeQ encrypted
username iainc password FNTpNDsweZwyUbq6 encrypted
username ahmad password $sha512$5000$07NbzR/UlobCUCnG5sbRkw==$xryLn0YmK/NCymSXAyk9IQ== pbkdf2
username hreis password PO/dXbvjQvgwuhVU encrypted privilege 15
username jacques password $sha512$5000$SoRvhXGGTL4eazlCy4TgDw==$2gvmthISgFHxhOZNRje4qA== pbkdf2
username jacques attributes
vpn-group-policy A1-Office
username ConnsVPN password kqpJnFnJzCSLBiNb encrypted
username Mark password 6CqaphipqizA6Oak encrypted
username Boris password cppW657xqLCPmd99 encrypted
username lainc password jXJwMr8udXb0Ou/U encrypted
username Henrique password D8B0md9ueZShbM8h encrypted privilege 15
username MC-Test password $sha512$5000$56wKwJmsFr5B8PJSz0zh1w==$Gwehw5e2qeIlk+Y4TWeqwA== pbkdf2
username MC-Test attributes
vpn-group-policy GroupPolicy_McCallumVPN
group-lock value McCallumVPN
username lsingh password $sha512$5000$hE+PMcJpeidWMGQiJTv3mA==$Hj8aX/o6mIx2V1oaaZUSIw== pbkdf2 privilege 15
username BMcKnight password dTSBl1FwtuN5DHVH encrypted
username BMcKnight attributes
service-type remote-access
tunnel-group 108.63.14.146 type ipsec-l2l
tunnel-group 108.63.14.146 general-attributes
default-group-policy GroupPolicy_108.63.14.146
tunnel-group 108.63.14.146 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group A1Office type remote-access
tunnel-group A1Office general-attributes
address-pool VPNpool
default-group-policy A1-Office
tunnel-group A1Office webvpn-attributes
group-alias A1Office enable
tunnel-group ServiceVPN type remote-access
tunnel-group ServiceVPN general-attributes
address-pool VPNpool
tunnel-group ServiceVPN webvpn-attributes
group-alias A1-Service enable
tunnel-group AllIn1 type remote-access
tunnel-group AllIn1 general-attributes
address-pool VPNpool
default-group-policy AllIn1
tunnel-group AllIn1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TechMonks type remote-access
tunnel-group TechMonks general-attributes
address-pool TechMonks-Pool
default-group-policy TechMonks
tunnel-group TechMonks webvpn-attributes
group-alias TechMonks enable
tunnel-group 206.47.171.229 type ipsec-l2l
tunnel-group 206.47.171.229 general-attributes
default-group-policy GroupPolicy_206.47.171.229
tunnel-group 206.47.171.229 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group McCallumVPN type remote-access
tunnel-group McCallumVPN general-attributes
address-pool McCallum-Pool
default-group-policy GroupPolicy_McCallumVPN
tunnel-group McCallumVPN webvpn-attributes
group-alias McCallumVPN enable
tunnel-group 38.17.20.92 type ipsec-l2l
tunnel-group 38.17.20.92 general-attributes
default-group-policy GroupPolicy_38.17.20.92
tunnel-group 38.17.20.92 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 162.212.232.190 type ipsec-l2l
tunnel-group 162.212.232.190 general-attributes
default-group-policy GroupPolicy_162.212.232.190
tunnel-group 162.212.232.190 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
description class-default
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect pptp
class class-default
flow-export event-type all destination 10.199.199.59 10.199.198.225
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:28e111de1cbc1cd58bf1a3963111d5c5
: end
08-11-2020 06:08 AM
When you say it's not working, what exactly do you see when you try to ssh to the outside interface? Are you coming at it from an outside network?
08-11-2020 07:18 AM
Hello @Marvin Rhoads ,
Yes I am trying to ssh from Internet from my home. It create session and prompt for credentials but hen show Access denied. Same credentials working from inside network.
Thanks
08-11-2020 11:52 AM
When you try to connect from home are you on the VPN or not?
Try it while not on VPN.
08-12-2020 05:18 AM
08-12-2020 09:16 AM
I'd suggest you run a debug on the ASA (or look at info level syslogs) to ascertain why you are getting access denied for an otherwise valid user account.
08-26-2020 02:02 PM
08-26-2020 08:30 PM
You can usually see it from a level 6 (informational) syslog entry. Make sure your syslog is set to that and monitor an attempt to login with the problem account while logged in on a working account.
I find ADSM monitoring useful for this since you can make a display filter to exclude all of the tcp and udp session establishment and teardown messages that can obscure the problem you want to investigate.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide