02-07-2013 10:36 AM - edited 03-11-2019 05:57 PM
I recently had a Cisco ASA 5505 firewall installed by a consulting company. I have two offices, the main one (192.168.1.*) and one (192.168.151.*) connected via a point-to-point router. The issue I'm having is I am unable to ping the computers behind the offsite router. Users at the offsite location CAN ping our servers on our network using either DNS or IP address, but we cannot ping from the main office to the offsite location. I need to install a network printer, located at the offsite office, on one of the servers in the home office. I cannot do that since I can't get past the router. The following is the configuration on the router. The ASA 5505 has a base license with 3 VLANs and 8 physical interfaces. Any help would be greatly appreciated...
: Saved : ASA Version 8.2(5) ! hostname domain-name enable password passwd names name 192.168.151.111 ERouter name 192.168.1.111 RRouter ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.2 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 173.15.90.173 255.255.255.252 ! boot system disk0:/asa825-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns server-group DefaultDNS domain-name ******.org same-security-traffic permit intra-interface object-group network obj_any object-group network mail143 object-group network mail110 object-group network mail25 object-group network rdptsserver object-group network 192.168.1.13 object-group service 3389 service-object tcp source eq 3389 object-group network 192.168.1.15 object-group service 25 service-object tcp source eq smtp object-group service 110 service-object tcp source eq pop3 object-group service 143 service-object tcp source eq imap4 object-group service 21 service-object tcp source eq ftp object-group service https object-group service 80 service-object tcp source eq www object-group service 993 service-object tcp source range 1 65535 object-group network 192.168.1.0 object-group network 192.168.151.0 object-group service HTTP-port service-object tcp source eq www object-group service HTTPS-port service-object tcp source eq https object-group service FTP-port service-object tcp source eq ftp object-group service TCP-993 service-object tcp source eq 993 object-group network Inside-192.168.151.0 object-group network Inside-192.168.1.0 object-group service UDP-5632 service-object udp source eq pcanywhere-status object-group service TCP-5631 service-object tcp source eq pcanywhere-data object-group network 10.0.3.0 object-group 
network 10.0.33.0 object-group network VPN-out-test object-group network VPN-test object-group service DM_INLINE_TCP_2 tcp port-object eq 3389 port-object eq ftp port-object eq pcanywhere-data port-object eq ssh object-group service DM_INLINE_SERVICE_1 access-list outside_access_in extended permit tcp any host 192.168.1.13 object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit udp any host 192.168.1.13 eq pcanywhere-status access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit udp any interface outside eq pcanywhere-status access-list outside_access_in extended permit ip any any access-list outside_1_cryptomap extended permit ip 10.0.33.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.151.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list cap extended permit udp host 10.0.3.233 host 192.168.1.15 access-list cap extended permit udp host 192.168.1.15 host 10.0.3.233 access-list VPN_NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list u-turn extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list u-turn extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list test extended permit ip host 192.168.1.15 host 192.168.151.10 access-list test extended permit ip host 192.168.151.10 host 192.168.1.15 access-list test2 extended permit ip host 192.168.1.10 host 192.168.151.10 access-list test2 extended permit ip host 192.168.151.10 host 192.168.1.10 access-list nat_exempt extended permit ip 192.168.151.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list U_TURN extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any access-list inside_access_in extended permit ip 192.168.151.0 
255.255.255.0 any access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list NONAT extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 20 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool L2TP 192.168.2.1-192.168.2.10 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any outside asdm image disk0:/asdm-702.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 192.168.1.13 3389 netmask 255.255.255.255 static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 static (inside,outside) tcp interface imap4 192.168.1.15 imap4 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 static (inside,outside) tcp interface 993 192.168.1.15 993 netmask 255.255.255.255 static (inside,outside) tcp interface pcanywhere-data 192.168.1.13 pcanywhere-data netmask 255.255.255.255 static (inside,outside) tcp interface 5632 192.168.1.13 5632 netmask 255.255.255.255 static (inside,outside) tcp interface ssh 192.168.1.13 ssh netmask 255.255.255.255 static (inside,outside) tcp interface www 192.168.1.9 www netmask 255.255.255.255 static (inside,outside) 10.0.33.0 access-list VPN_NAT dns static (inside,outside) 10.0.3.0 10.0.3.0 netmask 255.255.255.0 dns static (inside,outside) 192.168.151.0 access-list nat_exempt dns static (inside,inside) 192.168.151.0 192.168.151.0 netmask 255.255.255.0 dns static (inside,inside) 192.168.1.0 access-list U_TURN dns access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 173.15.90.174 1 route inside 
192.168.151.0 255.255.255.0 RRouter 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact sysopt noproxyarp inside crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 216.86.155.60 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication pre-share encryption 3des hash sha group 2 lifetime 28800 crypto isakmp nat-traversal 1500 telnet 192.168.1.0 255.255.255.0 inside telnet timeout 999 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes dns-server value 192.168.1.15 192.168.1.8 vpn-tunnel-protocol IPSec l2tp-ipsec username microtech password r1uIvMipDbYNFVjQrVBRBw== nt-encrypted tunnel-group 216.86.155.60 type ipsec-l2l tunnel-group 216.86.155.60 ipsec-attributes pre-shared-key ***** ! class-map u-turn match access-list u-turn class-map type inspect dns match-any testmap class-map inspection_default match default-inspection-traffic ! ! 
policy-map global_policy class inspection_default inspect dns class u-turn set connection advanced-options tcp-state-bypass policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:3dfe7685e63d2f6386ad5b9b08b06616 : end asdm image disk0:/asdm-702.bin asdm location RRouter 255.255.255.255 inside asdm location ERouter 255.255.255.255 inside no asdm history enable
02-07-2013 11:12 AM
Hello Daniel,
Is your setup like this: ASA (Main site) ------- (Other site) Router
Your ASA is allowing everything coming in "access-list outside_access_in extended permit ip any any" so it makes sense that the offsite could ping your main site.
(outside_access_in is tied to your outside interface).
Could you post the routers configuration from the other site?
Thanks,
Gabriel
02-07-2013 11:24 AM
Hi Gabriel,
Unfortunately, I don't have access to the setup on the point to point routers.
Setup is like this... Internet ----- ASA ------ Local Site ------ Offsite Location. The local site and the offsite location are connected via a point to point connection. The offsite location gets their internet and e-mail via this point to point connection. They are not having problems with either.
That's what's confusing me. They have internet, can access their e-mail but cannot reach shared directories on our subnet. The point-to-point setup has not changed. The connection was working fine when we were using a SonicWall TZ100 firewall. The consulting company convinced us to go with the Cisco in order to create a VPN to a hosted e-mail server. Since the Cisco was configured we've had issues with connectivity to the offsite location.
02-07-2013 11:40 AM
Hi,
Wouldn't the traffic in your situation go like this:
Remote Site connecting to the Internet
Remote Site connecting to the Central Site
If you ask me it would be better if your Point to Point connection first came to the ASA firewall on its own interface and only from there connected to the Central Site LAN network.
I don't know if it would help with the situation but it certainly would make the network setup a lot simpler for the ASA and its configuration. Also it would remove the asymmetric routing that's happening now.
If you only have Base License on the ASA then it would not be possible to configure the third Vlan interface to the ASA.
EDIT: Bah, read wrong again. The problem is actually getting connections through from Central to Offsite/Remote site.
- Jouni
02-07-2013 11:59 AM
Hi Jouni,
Yes, the traffic pattern you describe is what happens here.
02-07-2013 11:44 AM
Oh gotcha. So the ASA isn't going over its outside interface to reach the local site, my bad.
Just to better my understanding is this the layout?
Internet --- ASA --- (192.168.1.111) RRouter <------> ERouter (192.168.151.111 )
I noticed the NONAT isn't added globally. I would go ahead and add this statement (doubt it will change your situation as I am not 100% sure how your routing works at this point).
nat (inside) 0 access-list NONAT
It seems like you have some async routing. Is your ASA the default gateway for everything on the 192.168.1.0 subnet?
For the 192.168.151.0 subnet to talk with the 192.168.1.0 subnet does it end up speaking to the ASA?
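As an added example (not from the thread or from Cisco), here is a short Python lint that runs the three checks raised in the replies above over a retyped excerpt of the first posted config: whether the NONAT access-list is actually bound with `nat (inside) 0`, whether the ACL applied inbound on the outside interface carries `permit ip any any`, and whether the route to 192.168.151.0 hairpins back out the inside interface that the 192.168.1.0 hosts already use as their default gateway. The excerpt is constructed from lines of the posted config, and the parsing is a heuristic for ASA 8.2 syntax, not Cisco's own parser.

```python
"""Lint an ASA 8.2 config for the points raised in this thread (added example)."""
import ipaddress
import re

# Constructed excerpt of the first posted config, one statement per line.
SAMPLE_CONFIG = """\
name 192.168.151.111 ERouter
name 192.168.1.111 RRouter
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.15.90.173 255.255.255.252
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0
access-list NONAT extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.15.90.174 1
route inside 192.168.151.0 255.255.255.0 RRouter 1
"""


def parse_interfaces(cfg):
    """Map nameif -> (security-level, connected network) for each named interface."""
    ifaces, cur = {}, {}
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif line.startswith(" nameif "):
            cur["name"] = line.split()[1]
        elif line.startswith(" security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith(" ip address "):
            addr, mask = line.split()[2:4]
            cur["net"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        if len(cur) == 3:  # nameif, level and address all seen: record it
            ifaces[cur["name"]] = (cur["level"], cur["net"])
            cur = {}
    return ifaces


def unreferenced_acls(cfg):
    """ACLs defined but never bound (access-group, nat 0, policy static, crypto map, class-map)."""
    defined = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    used = set(re.findall(r"^access-group (\S+) in interface", cfg, re.M))
    used |= set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    used |= set(re.findall(r"^static \(.*?\) \S+ access-list (\S+)", cfg, re.M))
    used |= set(re.findall(r"^crypto map .* match address (\S+)", cfg, re.M))
    used |= set(re.findall(r"^ match access-list (\S+)", cfg, re.M))
    return sorted(defined - used)


def permissive_inbound_aces(cfg):
    """(acl, iface) for each 'permit ip any any' in an ACL applied inbound on the lowest-security interface."""
    ifaces = parse_interfaces(cfg)
    outside = min(ifaces, key=lambda n: ifaces[n][0])
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M))
    pat = r"^access-list (\S+) extended permit ip any any$"
    return [(acl, outside) for acl in re.findall(pat, cfg, re.M) if bound.get(acl) == outside]


def hairpin_routes(cfg):
    """Static routes whose next hop sits on a non-outside interface: hosts there reach the routed
    subnet by entering and leaving the ASA on one interface, and replies may bypass the ASA."""
    ifaces = parse_interfaces(cfg)
    outside = min(ifaces, key=lambda n: ifaces[n][0])
    addr_of = {name: ip for ip, name in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    intra = re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M) is not None
    found = []
    for iface, net, mask, hop in re.findall(r"^route (\S+) (\S+) (\S+) (\S+) \d+$", cfg, re.M):
        hop_ip = ipaddress.ip_address(addr_of.get(hop, hop))  # resolve 'name' aliases
        if iface != outside and hop_ip in ifaces[iface][1]:
            found.append({"dest": f"{net} {mask}", "via": str(hop_ip), "iface": iface,
                          "intra_interface_permitted": intra})
    return found
```

Running the three functions over the excerpt reports NONAT as defined but unbound, `outside_access_in` as permitting `ip any any` inbound on outside, and the 192.168.151.0 route as a hairpin via 192.168.1.111 on inside; adding `nat (inside) 0 access-list NONAT` clears the first finding.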
02-07-2013 11:55 AM
Gabriel,
The layout you have is correct.
Yes, the ASA is the default gateway for everyone on the 192.168.1.0 subnet. I'm unsure if the 192.168.151.0 subnet speaks to the ASA.
I have a terminal server in the home office that the users at the offsite location log into. They are able to do so without any issues.
02-21-2013 11:46 AM
Okay, I upgraded our license to Security Plus. Here's my updated running configuration. We are still unable to ping devices behind the 192.168.151.111 router. I've tried connecting the point-to-point connection directly to the 5505 but that didn't make a difference. Not really sure where things are going wrong. Do I need to create another VLAN (now that I have the upgraded license) to account for the offsite point-to-point connection?
Network map is:
Internet ----> Cisco 5505 -------> R-Router with the E-Router connected to a switch on the R-Router network segment.
: Saved : ASA Version 8.2(5) ! hostname domain-name enable password passwd names name 192.168.151.111 ERouter name 192.168.1.111 RRouter ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.2 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 173.15.90.173 255.255.255.252 ! boot system disk0:/asa825-k8.bin ftp mode passive clock timezone CST -6 clock summer-time CDT recurring dns server-group DefaultDNS domain-name local881ufcw.org same-security-traffic permit intra-interface object-group network obj_any object-group network mail143 object-group network mail110 object-group network mail25 object-group network rdptsserver object-group network 192.168.1.13 object-group service 3389 service-object tcp source eq 3389 object-group network 192.168.1.15 object-group service 25 service-object tcp source eq smtp object-group service 110 service-object tcp source eq pop3 object-group service 143 service-object tcp source eq imap4 object-group service 21 service-object tcp source eq ftp object-group service https object-group service 80 service-object tcp source eq www object-group service 993 service-object tcp source range 1 65535 object-group network 192.168.1.0 object-group network 192.168.151.0 object-group service HTTP-port service-object tcp source eq www object-group service HTTPS-port service-object tcp source eq https object-group service FTP-port service-object tcp source eq ftp object-group service TCP-993 service-object tcp source eq 993 object-group network Inside-192.168.151.0 object-group network Inside-192.168.1.0 object-group service UDP-5632 service-object udp source eq pcanywhere-status object-group service TCP-5631 service-object tcp source eq pcanywhere-data object-group network 10.0.3.0 
object-group network 10.0.33.0 object-group network VPN-out-test object-group network VPN-test object-group service DM_INLINE_TCP_2 tcp port-object eq 3389 port-object eq ftp port-object eq pcanywhere-data port-object eq ssh object-group service DM_INLINE_SERVICE_1 access-list outside_access_in extended permit tcp any host 192.168.1.13 object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit udp any host 192.168.1.13 eq pcanywhere-status access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2 access-list outside_access_in extended permit udp any interface outside eq pcanywhere-status access-list outside_access_in extended permit ip any any access-list outside_1_cryptomap extended permit ip 10.0.33.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list outside_1_cryptomap extended permit ip 192.168.151.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list cap extended permit udp host 10.0.3.233 host 192.168.1.15 access-list cap extended permit udp host 192.168.1.15 host 10.0.3.233 access-list VPN_NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list u-turn extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list u-turn extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list test extended permit ip host 192.168.1.15 host 192.168.151.10 access-list test extended permit ip host 192.168.151.10 host 192.168.1.15 access-list test2 extended permit ip host 192.168.1.10 host 192.168.151.10 access-list test2 extended permit ip host 192.168.151.10 host 192.168.1.10 access-list nat_exempt extended permit ip 192.168.151.0 255.255.255.0 10.0.3.0 255.255.255.0 access-list U_TURN extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any access-list inside_access_in extended permit ip 
192.168.151.0 255.255.255.0 any access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.151.0 255.255.255.0 access-list NONAT extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0 pager lines 20 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool L2TP 192.168.2.1-192.168.2.10 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any outside asdm image disk0:/asdm-702.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface 3389 192.168.1.13 3389 netmask 255.255.255.255 static (inside,outside) tcp interface smtp 192.168.1.15 smtp netmask 255.255.255.255 static (inside,outside) tcp interface pop3 192.168.1.15 pop3 netmask 255.255.255.255 static (inside,outside) tcp interface imap4 192.168.1.15 imap4 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.1.15 https netmask 255.255.255.255 static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 static (inside,outside) tcp interface 993 192.168.1.15 993 netmask 255.255.255.255 static (inside,outside) tcp interface pcanywhere-data 192.168.1.13 pcanywhere-data netmask 255.255.255.255 static (inside,outside) tcp interface 5632 192.168.1.13 5632 netmask 255.255.255.255 static (inside,outside) tcp interface ssh 192.168.1.13 ssh netmask 255.255.255.255 static (inside,outside) tcp interface www 192.168.1.9 www netmask 255.255.255.255 static (inside,outside) 10.0.33.0 access-list VPN_NAT dns static (inside,outside) 10.0.3.0 10.0.3.0 netmask 255.255.255.0 dns static (inside,outside) 192.168.151.0 access-list nat_exempt dns static (inside,inside) 192.168.151.0 192.168.151.0 netmask 255.255.255.0 dns static (inside,inside) 192.168.1.0 access-list U_TURN dns access-group inside_access_in in interface inside access-group outside_access_in in interface outside 
route outside 0.0.0.0 0.0.0.0 173.15.90.174 1 route inside 192.168.151.0 255.255.255.0 RosemontRouter 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact sysopt noproxyarp inside crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 216.86.155.60 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 50 authentication pre-share encryption 3des hash sha group 2 lifetime 28800 crypto isakmp nat-traversal 1500 telnet 192.168.1.0 255.255.255.0 inside telnet timeout 999 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn group-policy DfltGrpPolicy attributes dns-server value 192.168.1.15 192.168.1.8 vpn-tunnel-protocol IPSec l2tp-ipsec username microtech password r1uIvMipDbYNFVjQrVBRBw== nt-encrypted tunnel-group 216.86.155.60 type ipsec-l2l tunnel-group 216.86.155.60 ipsec-attributes pre-shared-key ***** ! class-map u-turn match access-list u-turn class-map type inspect dns match-any testmap class-map inspection_default match default-inspection-traffic ! ! 
policy-map global_policy class inspection_default inspect dns class u-turn set connection advanced-options tcp-state-bypass policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 512 ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:7f9d3eb8d201b7411e4e2434f4c537ba : end asdm image disk0:/asdm-702.bin asdm location RRouter 255.255.255.255 inside asdm location ERouter 255.255.255.255 inside no asdm history enable