Re: ASA Branch to Branch tunnel creation failures using OSPF at core site ASAs - unique scenario

gp1200x · ‎01-15-2020

I have multiple ASAs attached to a network core. The core controls all OSPF routing and provides the default route for all subnets. The ASAs at the core location participate in the OSPF routing and add their crypto remote subnets to the routing table along and update their routing tables from the core switch. Each of the ASAs has their own default route to the Internet and that overrides the default route published by the core switch. All remote site ASAs simply have a default route from the ISP and do not participate in the OSPF routing. The remote ASAs have a cypto map for interesting traffic that needs to reach the core subnets.

Here is a simplification of what I do....I pass voice and data to remote sites using a single ASA for both voice and data to a single ASA at the core switch...no issues and QOS works fairly well. For larger remote sites with heavy traffic we use two ASAs at a remote site and apply QOS to both still...one ASA goes to a voice ASA at the core site and one ASA goes to a data ASA at the core site...again no issues and works well. For remote sites with a single ASA the ISP provides the external IP using DHCP and the remote site always originates the branch to branch tunnel.
Here is where my issue is now. At some sites I want to use a single ASA for both voice and data but instead of having a single crypto to an ASA at the core for both voice and data traffic, I wanted to have two separate crypto maps to send voice to a voice ASA at the core and one crypto map to send data to a data ASA at the core. But when I create the crypto maps something different takes place in my routing. For some reason the remote site's external IP address is being imported into the core routing table at the core switch. Since I am trying to create to separate crypto tunnels via two distinct ASAs at the core, one of the tunnels will fail. This is because at the core one of the ASAs will think it needs to go back internally to reach the outside address of the remote ASA since it imported the route from the core switch, which had imported the route to the remote sites external IP address from the first ASA that had completed a tunnel to the remote site.
Now here is the weird issue. The external IP address of a remote site is never in the core routing table when ONLY one crypto map is created on the remote ASA. It is only when I add a second crypto map to another different ASA that this issue pops up. And it is reproducable over and over...not a fluke. As an example I show the two different cryptos below.
Below is the remote site ASA crypto map for connecting to a single ASA at the core location - the remote site ASAs' external IP address is never seen in the routing tables at the core location
crypto map DCNY 10 match address OCIS
crypto map DCNY 10 set pfs group5
crypto map DCNY 10 set connection-type originate-only
crypto map DCNY 10 set peer 173.150.173.125 173.150.173.123
crypto map DCNY 10 set transform-set MAX
crypto map DCNY 10 set security-association lifetime seconds 86300
crypto map DCNY 10 set security-association lifetime kilobytes 4608000
crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY
crypto map DCNY interface outside
crypto isakmp identity address
crypto isakmp enable outside

Below is the same remote site but now trying to create two separate tunnels to two different ASAs at the core location....failure occurs...now the remote site ASAs' external IP address is imported into the cores routing table when the first branch to branch tunnel is made.....so only one tunnel will complete successfully so this scenario fails. The peers are addresses at the core location via different core ASAs.
crypto map DCNY 9 match address OCIS-Voice
crypto map DCNY 9 set pfs group5
crypto map DCNY 9 set connection-type originate-only
crypto map DCNY 9 set peer 105.40.157.26 105.40.157.27
crypto map DCNY 9 set transform-set MAX
crypto map DCNY 9 set security-association lifetime seconds 86300
crypto map DCNY 9 set security-association lifetime kilobytes 4608000
crypto map DCNY 10 match address OCIS-DATA
crypto map DCNY 10 set pfs group5
crypto map DCNY 10 set connection-type originate-only
crypto map DCNY 10 set peer 174.250.171.125 175.50.171.123 204.130.200.200
crypto map DCNY 10 set transform-set MAX
crypto map DCNY 10 set security-association lifetime seconds 86300
crypto map DCNY 10 set security-association lifetime kilobytes 4608000
crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY
crypto map DCNY interface outside

Any ideas would be helpful...thanks

Georg Pauwen · ‎01-16-2020

Hello,

--> For some reason the remote site's external IP address is being imported into the core routing table at the core switch.

With 'external' you mean what, the public IP address of the remote site ? What are you advertising into OSPF at the remote site ?

Post the configs of the core and remote site ASAs...

gp1200x · ‎01-16-2020

Yes I mean the public IP address of the remote ASA is being imported into the routing table of the core ASA and then pushed to the core switch for distribution. Remote ASAs do not run any routing protocol. They use DHCP and obtain their IP and default route from the ISP.

Core ASA config

!
hostname ASA-DC1
domain-name dcny.gov
enable password 8CM8MUrMx35VJZSB encrypted
passwd 8CM8MUrMx35VJZSB encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 17.100.171.125 255.255.255.0
ospf cost 800
ospf authentication-key OCIS
ospf database-filter all out
ospf authentication
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.42.199.150 255.255.255.240
ospf cost 100
ospf authentication-key OCIS
ospf authentication
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner exec
banner exec
banner exec WARNING: Configuration changes are dynamic!
banner exec
banner exec WARNING: Violators are subject to dismissal and prosecution.
banner exec
banner login
banner login ****************************************************************
banner login * WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *
banner login ************************************************************
banner login * Access to and use of this device and/or other devices is *
banner login * restricted to authorized users only. Unauthorized *
banner login * individuals attempting to access this device may be *
banner login * subject to prosecution. *
banner login ************************************************************
banner login
boot system disk0:/asa825-59-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
retries 10
name-server 10.42.196.36
name-server 4.2.2.1
domain-name dcny.gov
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list External_in remark "External packets allowed in"
access-list External_in extended permit icmp any any echo-reply
access-list External_in extended permit icmp any any unreachable
access-list External_in extended permit icmp any any time-exceeded
access-list External_in extended permit icmp any any source-quench
access-list Internal_out remark "Allow outbound traffic"
access-list Internal_out extended permit ip any 10.0.0.0 255.0.0.0
access-list Internal_out extended permit ip any 172.22.0.0 255.255.0.0
access-list Internal_out extended permit udp any any eq biff
access-list Internal_out extended permit tcp any any eq pop3
access-list Internal_out extended permit tcp any any eq smtp
access-list Internal_out extended permit tcp any any eq https
access-list Internal_out extended permit tcp any any eq www
access-list Internal_out extended permit tcp any any eq domain
access-list Internal_out extended permit udp any any eq domain
access-list Internal_out extended permit tcp any any eq ftp
access-list Internal_out extended permit tcp any any eq ftp-data
access-list Internal_out extended permit tcp any any eq telnet
access-list Internal_out extended permit icmp any any
access-list Internal_out extended permit tcp any any gt 1024
access-list Internal_out extended permit udp any any gt 1024
access-list Internal_out extended permit tcp any any eq 465
access-list Internal_out extended permit tcp any any eq 993
access-list Internal_out extended permit tcp any any eq 995
access-list Internal_out extended permit tcp any any eq imap4
access-list Internal_out extended permit tcp any any eq ssh
access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip any 172.22.0.0 255.255.0.0
access-list NONAT extended permit ip any 192.168.0.0 255.255.0.0
access-list SPLIT-TUNNEL remark "From secure network to VPN user"
access-list SPLIT-TUNNEL extended permit ip 10.0.0.0 255.0.0.0 any
access-list SPLIT-TUNNEL extended permit ip 172.22.0.0 255.255.0.0 any
access-list 999 extended permit ip any 172.22.0.0 255.255.0.0
access-list 999 extended permit ip 172.22.0.0 255.255.0.0 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging asdm-buffer-size 512
logging console emergencies
logging monitor emergencies
logging buffered debugging
logging trap emergencies
logging history informational
logging asdm emergencies
logging facility 21
logging device-id hostname
no logging message 106023
no logging message 401004
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 10.42.199.151
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name idsattack attack action alarm drop reset
ip audit name idsinfo info action alarm
ip audit interface outside idsinfo
ip audit interface outside idsattack
ip audit interface inside idsinfo
ip audit interface inside idsattack
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any echo-reply inside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any time-exceeded inside
asdm image disk0:/asdm-761.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group External_in in interface outside
access-group Internal_out in interface inside
!
router ospf 100
router-id 10.42.199.150
network 10.0.0.0 255.0.0.0 area 0
log-adj-changes
redistribute static metric 111 subnets
!
route outside 0.0.0.0 0.0.0.0 173.50.171.1 1
route inside 0.0.0.0 0.0.0.0 10.42.199.145 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.42.196.238 community sico
snmp-server host inside 10.42.202.140 community sico
snmp-server location ASA-DC1
snmp-server contact Grant Hait
snmp-server community sico
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt connection preserve-vpn-flows
auth-prompt prompt Please provide proper credentials for Authentication.
auth-prompt accept Thank you. Your credentials have been verified for access.
auth-prompt reject Rejected! Your credentials are invalid.
service resetinbound
service resetoutside
crypto ipsec transform-set MAX esp-aes-256 esp-sha-hmac
crypto ipsec transform-set MED esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86300
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-DCNY 40 set pfs group5
crypto dynamic-map DYN-DCNY 40 set transform-set MAX
crypto dynamic-map DYN-DCNY 40 set security-association lifetime seconds 86300
crypto dynamic-map DYN-DCNY 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-DCNY 40 set reverse-route
crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY
crypto map DCNY interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh scopy enable
ssh 100.40.222.0 255.255.255.240 outside
ssh 204.130.200.0 255.255.255.0 outside
ssh 100.40.157.24 255.255.255.248 outside
ssh 173.50.171.0 255.255.255.192 outside
ssh 64.72.67.128 255.255.255.224 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 10
console timeout 30
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.42.199.145 source inside prefer
tftp-server inside 10.42.205.106 /
webvpn
group-policy ocisadmingroup internal
group-policy ocisadmingroup attributes
dns-server none
vpn-idle-timeout 60
vpn-session-timeout 480
vpn-tunnel-protocol IPSec
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username dutchess password izZSjKs6QEroqcJJ encrypted privilege 15
username verizon password mmJzopA9lPGcK6W6 encrypted privilege 15
username 412eb8a0 password 0SRHIJRFeU2QiC00 encrypted privilege 15
username pwalker password 0Ja1AJcVnhJ8TNwh encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 10
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key DCNY#131485506#OCIS
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group ocisadmingroup type remote-access
tunnel-group ocisadmingroup general-attributes
address-pool vpn-pool
authentication-server-group (outside) LOCAL
default-group-policy ocisadmingroup
tunnel-group ocisadmingroup ipsec-attributes
pre-shared-key DCNY#131485506#OCIS
isakmp keepalive threshold 20 retry 3
!
class-map Voice
class-map VOIP-TRAFFIC
match access-list 999
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
id-randomization
id-mismatch action log
policy-map QOS-TRAFFIC-OUT
class VOIP-TRAFFIC
class class-default
shape average 35000000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect ctiqbe
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect pptp
inspect snmp
inspect ip-options
policy-map tets
class Voice
policy-map PRIORITY-POLICY
class VOIP-TRAFFIC
priority
!
service-policy global_policy global
privilege cmd level 1 mode exec command disable
privilege cmd level 10 mode exec command ping
privilege show level 10 mode exec command running-config
privilege show level 10 mode exec command capture
privilege show level 2 mode exec command interface
privilege show level 2 mode exec command ip
privilege show level 10 mode exec command isakmp
privilege show level 10 mode exec command ipsec
privilege show level 2 mode exec command blocks
privilege show level 2 mode configure command interface
privilege show level 10 mode configure command logging
privilege show level 2 mode configure command ip
privilege show level 10 mode configure command isakmp
privilege show level 10 mode configure command ipsec
prompt hostname context
no call-home reporting anonymous

Remote site ASA config

hostname HEALTH-MSt

domain-name dcny.gov

enable password 8CM8MUrMx35VJZSB encrypted

passwd 8CM8MUrMx35VJZSB encrypted

names

!

interface Ethernet0/0

description outside

switchport access vlan 500

!

interface Ethernet0/1

description Data

switchport access vlan 10

!

interface Ethernet0/2

description Data

switchport access vlan 10

!

interface Ethernet0/3

description Data

switchport access vlan 10

!

interface Ethernet0/4

description Wireless

switchport access vlan 10

!

interface Ethernet0/5

description Voice

switchport access vlan 10

!

interface Ethernet0/6

description Voice

switchport access vlan 172

!

interface Ethernet0/7

description Voice

switchport access vlan 172

!

interface Vlan10

nameif Data

security-level 100

ip address 10.42.198.145 255.255.255.248

!

interface Vlan172

nameif Voice

security-level 100

ip address 172.22.198.145 255.255.255.248

!

interface Vlan500

nameif outside

security-level 0

dhcp client update dns

ip address 100.40.222.10 255.255.255.0

!

banner exec

banner exec WARNING: Configuration changes are dynamic!

banner exec

banner login

banner login ************************************************************

banner login * WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *

banner login ************************************************************

banner login * Access to and use of this device and/or other devices is *

banner login * restricted to authorized users only. Unauthorized *

banner login * individuals attempting to access this device may be *

banner login * subject to prosecution. *

banner login ************************************************************

banner login

boot system disk0:/asa825-59-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

retries 10

domain-name dcny.gov

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list External_in remark "External packets allowed in"

access-list External_in extended permit icmp any any echo-reply

access-list External_in extended permit icmp any any unreachable

access-list External_in extended permit icmp any any time-exceeded

access-list External_in extended permit icmp any any source-quench

access-list OCIS remark "Packet for VPN tunnel"

access-list OCIS extended deny ip any host 10.42.198.150

access-list OCIS extended deny ip host 10.42.198.150 any

access-list OCIS extended permit ip 172.22.198.144 255.255.255.248 any

access-list OCIS extended permit ip 10.42.198.144 255.255.255.248 any

access-list OCIS-Voice extended permit ip 172.22.198.144 255.255.255.248 any

access-list OCIS-Data remark "Packet for VPN tunnel"

access-list OCIS-Data extended deny ip any host 10.42.198.150

access-list OCIS-Data extended deny ip host 10.42.198.150 any

access-list OCIS-Data extended permit ip 10.42.198.144 255.255.255.248 any

access-list NONAT remark "Packets not natted"

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0

access-list NONAT extended permit ip any 172.22.0.0 255.255.0.0

access-list NONAT extended permit ip any 192.168.0.0 255.255.0.0

access-list NONAT remark "Packets not natted"

access-list tcp-traffic extended permit tcp any any

access-list tg-nonVoice-out extended permit ip 10.42.198.144 255.255.255.248 any

access-list tg-nonVoice-out extended permit ip 172.22.198.144 255.255.255.248 an y

access-list tg-nonVoice-in extended permit ip any 10.42.198.144 255.255.255.248

access-list tg-nonVoice-in extended permit ip any 172.22.198.144 255.255.255.248

access-list IP-ANY extended permit ip any any

access-list Voice-In extended permit ip any 172.22.198.144 255.255.255.248

pager lines 24

logging timestamp

logging asdm-buffer-size 512

logging console debugging

logging monitor emergencies

logging buffered emergencies

logging trap emergencies

logging history emergencies

logging asdm emergencies

logging facility 21

logging device-id hostname

no logging message 106023

no logging message 401004

mtu Data 1500

mtu Voice 1500

mtu outside 1500

ip local pool vpn-pool 10.42.198.150

ip verify reverse-path interface outside

ip audit name idsattack attack action alarm drop reset

ip audit name idsinfo info action alarm

ip audit interface Data idsinfo

ip audit interface Data idsattack

ip audit interface Voice idsinfo

ip audit interface Voice idsattack

ip audit interface outside idsinfo

ip audit interface outside idsattack

ip audit info action alarm drop reset

ip audit attack action alarm drop reset

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply Data

icmp permit any unreachable Data

icmp permit any echo Data

icmp permit any time-exceeded Data

icmp permit any echo-reply Voice

icmp permit any unreachable Voice

icmp permit any echo Voice

icmp permit any time-exceeded Voice

icmp permit any unreachable outside

icmp permit any echo-reply outside

asdm image disk0:/asdm-771-150.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (Data) 0 access-list NONAT

nat (Data) 1 10.42.198.144 255.255.255.248

nat (Voice) 0 access-list NONAT

nat (Voice) 1 172.22.198.144 255.255.255.248

access-group External_in in interface outside

route outside 0.0.0.0 0.0.0.0 100.40.222.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Data

http 10.0.0.0 255.0.0.0 Data

snmp-server location DACC

snmp-server contact Grant Hait

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

sysopt connection preserve-vpn-flows

auth-prompt prompt Please provide proper credentials for Authentication.

auth-prompt accept Thank you. Your credentials have been verified for access.

auth-prompt reject Rejected! Your credentials are invalid.

service resetinbound

service resetoutside

crypto ipsec transform-set MAX esp-aes-256 esp-sha-hmac

crypto ipsec transform-set MED esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86300

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec security-association replay window-size 1024

crypto dynamic-map DYN-DCNY 40 set pfs group5

crypto dynamic-map DYN-DCNY 40 set transform-set MAX

crypto dynamic-map DYN-DCNY 40 set security-association lifetime seconds 86300

crypto dynamic-map DYN-DCNY 40 set security-association lifetime kilobytes 46080 00

crypto map DCNY 5 match address OCIS-Data

crypto map DCNY 5 set pfs group5

crypto map DCNY 5 set connection-type originate-only

crypto map DCNY 5 set peer 17.100.171.125

crypto map DCNY 5 set transform-set MAX

crypto map DCNY 5 set security-association lifetime seconds 86300

crypto map DCNY 5 set security-association lifetime kilobytes 4608000

crypto map DCNY 9 match address OCIS-Voice

crypto map DCNY 9 set pfs group5

crypto map DCNY 9 set connection-type originate-only

crypto map DCNY 9 set peer 100.50.157.55

crypto map DCNY 9 set transform-set MAX

crypto map DCNY 9 set security-association lifetime seconds 86300

crypto map DCNY 9 set security-association lifetime kilobytes 4608000

crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY

crypto map DCNY interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

crypto isakmp ipsec-over-tcp port 10000

crypto isakmp disconnect-notify

telnet 0.0.0.0 0.0.0.0 Data

telnet 0.0.0.0 0.0.0.0 Voice

telnet timeout 10

ssh scopy enable

ssh 0.0.0.0 0.0.0.0 Data

ssh 0.0.0.0 0.0.0.0 Voice

ssh 100.40.222.0 255.255.255.240 outside

ssh 204.130.200.0 255.255.255.0 outside

ssh 100.40.157.24 255.255.255.248 outside

ssh 173.50.171.0 255.255.255.192 outside

ssh 64.72.67.128 255.255.255.224 outside

ssh timeout 10

console timeout 30

management-access Data

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd lease 28800

dhcpd ping_timeout 2000

dhcpd domain dcny.info

!

dhcpd address 10.42.198.147-10.42.198.149 Data

dhcpd dns 10.42.196.36 10.42.192.92 interface Data

dhcpd wins 10.42.196.36 10.42.192.92 interface Data

dhcpd lease 86400 interface Data

dhcpd ping_timeout 2000 interface Data

dhcpd domain dcny.gov interface Data

dhcpd enable Data

!

dhcpd address 172.22.198.147-172.22.198.150 Voice

dhcpd dns 10.42.196.36 10.42.192.92 interface Voice

dhcpd wins 10.42.196.36 10.42.192.92 interface Voice

dhcpd lease 86400 interface Voice

dhcpd ping_timeout 2000 interface Voice

dhcpd domain dcny.gov interface Voice

dhcpd option 150 ip 172.22.97.3 172.22.196.3 interface Voice

dhcpd enable Voice

!

priority-queue outside

queue-limit 938

tx-ring-limit 10

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag e-rate 200

ntp authenticate

ntp server 10.42.196.1 source Data prefer

tftp-server Data 10.42.205.106 /

webvpn

username dutchess password izZSjKs6QEroqcJJ encrypted privilege 15

username 412eb8a0 password 0SRHIJRFeU2QiC00 encrypted privilege 15

username pwalker password 0Ja1AJcVnhJ8TNwh encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 10

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *****