Dual ISP Rollover: Tunnel doesn't come up

Amardeep Kumar
Level 1

Hi,

I have a dual ISP setup on an ASA 5515. When the primary ISP goes down, the backup ISP comes up and the tunnel starts working after 2 minutes. But when the primary ISP comes back up, the P2P tunnel does not come up by itself until I run this command:

clear ipsec sa peer x.x.x.x

Thanks,

Amardeep

7 Replies

Hello,

Post the full config of your ASA...

Hi,

The problem is with the P2P tunnel between 12.133.76.130 and 182.74.233.26 / 14.143.250.204.

=============

Remote A

PlantationDataASA(config-if)# sh run
: Saved

:
: Serial Number: JAD221009QY
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname PlantationDataASA
enable password $sha512$5000$f+kzIxcfeSQulmc3Dtv/jQ==$EH4AmR07iOkj2yXYoPnrYQ== pbkdf2
names
ip local pool remote-vpn 192.168.39.100-192.168.39.200 mask 255.255.255.0
ip local pool Remotebackup 192.168.37.100-192.168.37.200 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 12.133.76.130 255.255.255.240
!
interface GigabitEthernet1/2
nameif outside2
security-level 0
ip address 50.192.171.25 255.255.255.248
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
description TestInterface
nameif inside7
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface GigabitEthernet1/8
nameif inside1
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 10
ip address 192.168.1.1 255.255.255.0
!
banner motd Welcome to Chetu Inc.
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.39.0_24
subnet 192.168.39.0 255.255.255.0
object network NETWORK_OBJ_192.168.37.0_24
subnet 192.168.37.0 255.255.255.0
object network Floor154
subnet 172.16.8.0 255.255.248.0
object network URbkupSVR-out
host 12.133.76.133
object network URbkupSVR-in
host 192.168.3.48
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.25.0_24
subnet 192.168.25.0 255.255.255.0
object network Plant-Network
subnet 192.168.3.0 255.255.255.0
object network CRM-Svr-out
host 12.133.76.134
object network CRM-Svr-in
host 192.168.3.41
object network Floor154-FF
subnet 172.16.16.0 255.255.248.0
object network VPN-Network-India
subnet 192.168.5.0 255.255.255.0
object network India-VPNuser
subnet 192.168.5.0 255.255.255.0
object-group network A186-All-floors+DMZ
network-object 192.168.12.0 255.255.252.0
network-object 172.16.0.0 255.255.248.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.42.0 255.255.255.0
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp any object URbkupSVR-in eq 55415
access-list 10 extended permit tcp any object CRM-Svr-in eq www
access-list 10 extended permit tcp any object CRM-Svr-in eq https
access-list outside_cryptomap_4 extended permit ip object NETWORK_OBJ_192.168.3.0_24 object-group A186-All-floors+DMZ
access-list outside_cryptomap_4 extended permit ip object Plant-Network object India-VPNuser
access-list Plan-vpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list 11 extended permit icmp any any
access-list 11 extended permit icmp any any echo-reply
access-list 11 extended permit icmp any any unreachable
access-list 11 extended permit icmp any any time-exceeded
access-list Remote-Backup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object Floor154
access-list outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object Floor154-FF
access-list Newvpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 object NETWORK_OBJ_192.168.25.0_24
pager lines 24
logging asdm informational
mtu outside 1500
mtu outside2 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside7 1500
mtu inside1 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside1,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.39.0_24 NETWORK_OBJ_192.168.39.0_24 no-proxy-arp route-lookup
nat (inside1,outside2) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.39.0_24 NETWORK_OBJ_192.168.39.0_24 no-proxy-arp route-lookup
nat (inside1,outside2) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.37.0_24 NETWORK_OBJ_192.168.37.0_24 no-proxy-arp route-lookup
nat (inside1,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static Floor154 Floor154 no-proxy-arp route-lookup
nat (inside1,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static A186-All-floors+DMZ A186-All-floors+DMZ no-proxy-arp route-lookup
nat (inside1,outside2) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static A186-All-floors+DMZ A186-All-floors+DMZ no-proxy-arp route-lookup
nat (inside1,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.25.0_24 NETWORK_OBJ_192.168.25.0_24 no-proxy-arp route-lookup
nat (inside1,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static Floor154-FF Floor154-FF no-proxy-arp route-lookup
nat (inside1,outside) source static Plant-Network Plant-Network destination static India-VPNuser India-VPNuser no-proxy-arp route-lookup
nat (inside1,outside2) source static Plant-Network Plant-Network destination static India-VPNuser India-VPNuser no-proxy-arp route-lookup
nat (inside1,outside2) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static Floor154-FF Floor154-FF no-proxy-arp route-lookup
!
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network URbkupSVR-in
nat (inside1,outside) static URbkupSVR-out
object network Plant-Network
nat (inside1,outside) dynamic interface
object network CRM-Svr-in
nat (inside1,outside) static CRM-Svr-out
!
nat (inside1,outside2) after-auto source dynamic any interface
access-group 10 in interface outside
access-group 11 in interface outside2
route outside 0.0.0.0 0.0.0.0 12.133.76.129 1 track 100
route outside2 0.0.0.0 0.0.0.0 50.192.171.30 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.3.0 255.255.255.0 inside1
http 182.74.233.26 255.255.255.255 outside
http 192.168.8.0 255.255.255.0 inside7
http 182.74.233.26 255.255.255.255 outside2
http 103.42.91.34 255.255.255.255 outside
snmp-server host inside1 192.168.12.30 community ***** version 2c
snmp-server location Florida
snmp-server contact itsupport@chetu.com
snmp-server community *****
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set India esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal India-2
protocol esp encryption aes-192 3des
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 182.74.233.26 14.143.250.204
crypto map outside_map 1 set ikev1 transform-set India
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 103.42.91.34
crypto map outside_map 2 set ikev1 transform-set India
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 90.145.234.99
crypto map outside_map 3 set ikev1 transform-set India
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
track 100 rtr 1 reachability
telnet 192.168.8.0 255.255.255.0 inside7
telnet 192.168.3.0 255.255.255.0 inside1
telnet 192.168.12.0 255.255.252.0 inside1
telnet timeout 30
ssh stricthostkeycheck
ssh 182.74.233.26 255.255.255.255 outside
ssh 103.42.91.34 255.255.255.255 outside
ssh 14.143.250.204 255.255.255.255 outside
ssh 182.74.233.26 255.255.255.255 outside2
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside1

dhcpd ping_timeout 750
dhcpd domain chetu.com
dhcpd auto_config outside
!
dhcpd address 192.168.3.51-192.168.3.250 inside1
dhcpd dns 192.168.3.40 8.8.8.8 interface inside1
dhcpd enable inside1
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_90.145.234.99 internal
group-policy GroupPolicy_90.145.234.99 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_182.74.233.26 internal
group-policy GroupPolicy_182.74.233.26 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_103.42.91.34 internal
group-policy GroupPolicy_103.42.91.34 attributes
vpn-tunnel-protocol ikev1
group-policy Remote-Backup internal
group-policy Remote-Backup attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-Backup_splitTunnelAcl
group-policy Newvpn internal
group-policy Newvpn attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Newvpn_splitTunnelAcl
group-policy Plan-vpn internal
group-policy Plan-vpn attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Plan-vpn_splitTunnelAcl
dynamic-access-policy-record DfltAccessPolicy
username barbarap password $sha512$5000$GVsbbpgc0+f2hs6kpiMj6g==$NLgDu132UMEDj47qqRe+9w== pbkdf2
username barbarap attributes
vpn-group-policy Plan-vpn
username atalb password $sha512$5000$mTFa8M6uWXOgPASf9PvNtQ==$W59cs+eAr57DpTHaoamBWw== pbkdf2 privilege 5
username atalb attributes
vpn-group-policy Plan-vpn
username odhral password $sha512$5000$XnVvs6H3ZnP/Qu1hjn/gJA==$Ue77kXOHgTGDHHyCfX80bw== pbkdf2 privilege 3
username amardeepk password $sha512$5000$JCc2TrYvUwvZ2OYbRnPRhg==$f/ctmVaVSmmkg11AaCLLTw== pbkdf2 privilege 15
username amardeepk attributes
vpn-group-policy Plan-vpn
username itsupport password $sha512$5000$h5msRJwkDXcTvBzUi/zQ+A==$yCWafWV5rqvbu0ODtCV7/A== pbkdf2 privilege 15
tunnel-group 182.74.233.26 type ipsec-l2l
tunnel-group 182.74.233.26 general-attributes
default-group-policy GroupPolicy_182.74.233.26
tunnel-group 182.74.233.26 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 10
tunnel-group Plan-vpn type remote-access
tunnel-group Plan-vpn general-attributes
address-pool remote-vpn
default-group-policy Plan-vpn
tunnel-group Plan-vpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Remote-Backup type remote-access
tunnel-group Remote-Backup general-attributes
address-pool Remotebackup
default-group-policy Remote-Backup
tunnel-group Remote-Backup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 103.42.91.34 type ipsec-l2l
tunnel-group 103.42.91.34 general-attributes
default-group-policy GroupPolicy_103.42.91.34
tunnel-group 103.42.91.34 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 14.143.250.204 type ipsec-l2l
tunnel-group 14.143.250.204 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Newvpn type remote-access
tunnel-group Newvpn general-attributes
address-pool remote-vpn
default-group-policy Newvpn
tunnel-group Newvpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 90.145.234.99 type ipsec-l2l
tunnel-group 90.145.234.99 general-attributes
default-group-policy GroupPolicy_90.145.234.99
tunnel-group 90.145.234.99 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a4494a985cd3a799a6b9c6416da5f02b
: end
=================================================================================
Remote B

access-list outside_cryptomap extended permit ip object internal_net object Plantation_Data
access-list outside_cryptomap extended permit ip object-group Plan-DMZ 192.168.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group REMOTE-SITES object Plantation_Data
access-list outside_cryptomap extended permit ip object VPN-Internet object Plantation_Data


nat (inside,outside) source static internal_net internal_net destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static Nashville_network Nashville_network
nat (inside,outside) source static internal_net internal_net destination static Plantation_Voice Plantation_Voice no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static Tampa Tampa no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static MCS MCS no-proxy-arp route-lookup
nat (inside,DMZ) source static exchange-internal exchange-internal service OBJ-TCP-SMTP OBJ-TCP-SMTP
nat (inside,outside) source static 172_subnet 172_subnet destination static Chicago_network Chicago_network no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static Chicago_network Chicago_network no-proxy-arp route-lookup
nat (inside,outside) source static 172_subnet 172_subnet destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24
nat (inside,outside) source static internal_net internal_net destination static IndiaVoice IndiaVoice
nat (inside,DMZ) source static OBJ_Data-Prod-80 OBJ_Data-Prod-80 service OBJ-TCP-80 OBJ-TCP-80
nat (inside,outside) source static NETWORK_OBJ_192.168.12.0_22 NETWORK_OBJ_192.168.12.0_22 destination static Plantation_Voice Plantation_Voice no-proxy-arp route-lookup
nat (inside,DMZ) source static OBJ_192.168.12.127 OBJ_192.168.12.127 service OBJ-TCP-809 OBJ-TCP-809
nat (inside,outside) source static NETWORK_OBJ_192.168.12.0_22 NETWORK_OBJ_192.168.12.0_22 destination static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static Plantation_Data Plantation_Data no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static Plan-DMZ Plan-DMZ destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24
nat (DMZ,outside) source static Plan-DMZ Plan-DMZ destination static AllOffices-DMZ AllOffices-DMZ
nat (inside,DMZ) source static dbprod dbprod service OBJ-TCP-1434 OBJ-TCP-1434
nat (inside,DMZ) source static dbprod dbprod
nat (outside,outside) source static internal_net internal_net destination static NETWORK_OBJ_172.16.15.192_27 NETWORK_OBJ_172.16.15.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static NETWORK_OBJ_192.168.68.192_27 NETWORK_OBJ_192.168.68.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static NETWORK_OBJ_192.168.25.0_24 NETWORK_OBJ_192.168.25.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static Plantation_Data Plantation_Data no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.12.0_22 NETWORK_OBJ_192.168.12.0_22 destination static Plantation_Data Plantation_Data no-proxy-arp route-lookup
nat (inside,Backup-isp) source static internal_net internal_net destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static Dallas Dallas no-proxy-arp route-lookup
nat (inside,Backup-isp) source static NETWORK_OBJ_192.168.12.0_22 NETWORK_OBJ_192.168.12.0_22 destination static P2P-AllOffices P2P-AllOffices no-proxy-arp route-lookup
nat (inside,Backup-isp) source static GF-Floor GF-Floor destination static P2P-AllOffices P2P-AllOffices no-proxy-arp route-lookup
nat (inside,outside) source static GF-Floor GF-Floor destination static P2P-AllOffices P2P-AllOffices no-proxy-arp route-lookup
nat (inside,outside) source static internal_net internal_net destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static Plan-DMZ Plan-DMZ destination static VPN-Internet VPN-Internet no-proxy-arp route-lookup
nat (VMZ,outside) source static Plan-VMZ Plan-VMZ destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24
nat (inside,outside) source static internal_net internal_net destination static H-6-Floors H-6-Floors no-proxy-arp route-lookup
nat (inside,outside) source static All-Floors-186 All-Floors-186 destination static H-6-Floors H-6-Floors no-proxy-arp route-lookup
nat (DMZ,outside) source static Plan-DMZ Plan-DMZ destination static H-6-Floors H-6-Floors no-proxy-arp route-lookup
nat (VMZ,outside) source static Plan-VMZ Plan-VMZ destination static H-6-Floors H-6-Floors no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static Plantation_Data Plantation_Data no-proxy-arp route-lookup
nat (inside,Backup-isp) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static Plantation_Data Plantation_Data no-proxy-arp route-lookup

object network exchange-internal
nat (inside,outside) static exchange-out
object network lync-internal
nat (inside,outside) static lync-out
object network obj_any
nat (inside,outside) dynamic interface
object network webserver-dmz
nat (DMZ,outside) static webserver-out
object network demo_network
nat (DMZ,outside) dynamic interface
object network chetuftp-in
nat (DMZ,outside) static chetuftp-out
object network MCS-Nagios-In
nat (DMZ,outside) static MCS-Nagios-out
object network Lync2013-IN
nat (inside,outside) static Lync2013-Out
object network newwebserver-in
nat (DMZ,outside) static newwebserver-out
object network newstagingdmz-in
nat (DMZ,outside) static newstagingdmz-out
object network office365-in
nat (inside,outside) static office365-out
object network McAfee-in
nat (inside,outside) static McAfee-out
object network chetustaging-in
nat (DMZ,outside) static chetustaging-out
object network ConcenterServices-in
nat (DMZ,outside) static ConcenterServices-out
object network TATA-Airtel
nat (TATA,outside) dynamic interface
object network Asterisk-In
nat (inside,outside) static Asterisk-Out
object network ChetuCloud-In
nat (DMZ,outside) static ChetuCloud-Out
object network LonestarTechnology-In
nat (DMZ,outside) static LonestarTechnology-Out
object network PlanetPayment-In
nat (VMZ,outside) static 182.74.239.21 service tcp www www
object network vmz-subnet
nat (VMZ,outside) dynamic interface
object network exchangeTATA-in
nat (inside,Backup-isp) static exchangeTATA-out
object network obj_any1
nat (inside,Backup-isp) dynamic interface
object network HaloInnovativeSolution-In
nat (VMZ,outside) static 182.74.239.21 service tcp 8449 8449
object network Qubechain-BLCH-In
nat (VMZ,outside) static 182.74.239.21 service tcp 9090 9090
object network smokefree-in
nat (VMZ,outside) static smokefree-out
object network PelzGolf-In
nat (VMZ,outside) static 182.74.239.21 service tcp 81 81
object network PelzGolf-In8000
nat (VMZ,outside) static 182.74.239.21 service tcp 8000 8000
object network DelucaAndHartman-In
nat (VMZ,outside) static 182.74.239.21 service tcp 85 85
object network Topofmindnetworks-In
nat (VMZ,outside) static 182.74.239.21 service tcp 86 86
object network SecureCheckCashing-In
nat (VMZ,outside) static 182.74.239.21 service tcp 8400 8400
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,Backup-isp) after-auto source dynamic any interface
access-group 10 in interface outside
access-group dmz in interface DMZ
access-group 11 in interface Backup-isp
access-group vmz in interface VMZ
route outside 0.0.0.0 0.0.0.0 182.74.233.25 1 track 100
route Backup-isp 0.0.0.0 0.0.0.0 14.143.250.201 2
route outside 14.143.250.203 255.255.255.255 182.74.233.25 1
route inside 172.16.0.0 255.255.248.0 192.168.14.150 1
route inside 172.16.8.0 255.255.248.0 192.168.14.150 1
route inside 172.16.16.0 255.255.248.0 192.168.14.150 1
route inside 172.16.24.0 255.255.248.0 192.168.14.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map OutDoorMap
map-name memberOf Group-Policy
map-value memberOf CN=OutDoor-Policy,CN=Users,DC=exchange04,DC=chetu,DC=com OutPolicy1
dynamic-access-policy-record DfltAccessPolicy
aaa-server mobileteam protocol radius
aaa-server mobileteam (inside) host 192.168.12.16
timeout 5
key *****
radius-common-pw *****
aaa-server Remote protocol radius
aaa-server Remote (inside) host 192.168.12.16
timeout 5
key *****
aaa-server OutDoor-Policy protocol ldap
aaa-server OutDoor-Agent protocol radius
ad-agent-mode
aaa-server AmarRemote protocol radius
aaa-server AmarRemote (outside) host 192.168.12.16
timeout 5
key *****
user-identity domain CHETU aaa-server OutDoor-Policy
user-identity default-domain CHETU
user-identity action ad-agent-down disable-user-identity-rule
user-identity action netbios-response-fail remove-user-ip
user-identity logout-probe netbios local-system
user-identity ad-agent active-user-database on-demand
user-identity ad-agent aaa-server OutDoor-Agent
user-identity user-not-found enable
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.12.0 255.255.255.255 inside
http 192.168.8.0 255.255.248.0 inside
http 172.16.8.0 255.255.248.0 inside
http 172.16.0.0 255.255.248.0 inside
snmp-server host inside 192.168.12.30 community ***** version 2c udp-port 3302
snmp-server location B-112
snmp-server contact itsupport@chetu.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server listen-port 3301
sysopt connection preserve-vpn-flows
sla monitor 1
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set IPSeC-USA esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set USA esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Netherlands esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal USA2
protocol esp encryption aes-192 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal nether
protocol esp encryption des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal NewN
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec security-association lifetime kilobytes 32608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.133.76.130 50.192.171.25
crypto map outside_map 1 set ikev1 transform-set IPSeC-USA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 103.42.91.34
crypto map outside_map 2 set ikev1 transform-set IPSeC-USA
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 50.249.147.226
crypto map outside_map 3 set ikev1 transform-set IPSeC-USA
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 50.192.171.29 12.133.76.132
crypto map outside_map 4 set ikev1 transform-set IPSeC-USA
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 47.206.14.122
crypto map outside_map 5 set ikev1 transform-set IPSeC-USA
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 24.120.173.56
crypto map outside_map 6 set ikev1 transform-set IPSeC-USA
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 47.190.55.112
crypto map outside_map 7 set ikev1 transform-set USA
crypto map outside_map 9 match address outside_cryptomap_8
crypto map outside_map 9 set pfs
crypto map outside_map 9 set peer 50.247.158.249
crypto map outside_map 9 set ikev1 transform-set IPSeC-USA
crypto map outside_map 10 match address outside_cryptomap_9
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 96.87.229.217
crypto map outside_map 10 set ikev1 transform-set USA
crypto map outside_map 11 match address outside_cryptomap_10
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer 90.145.234.99
crypto map outside_map 11 set ikev1 transform-set USA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map interface Backup-isp
crypto ikev2 policy 1
encryption 3des
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable Backup-isp
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
track 100 rtr 1 reachability
telnet 192.168.12.0 255.255.255.0 inside
telnet 192.168.8.0 255.255.255.0 inside
telnet 192.168.8.0 255.255.248.0 inside
telnet 172.16.0.0 255.255.248.0 inside
telnet 172.16.8.0 255.255.248.0 inside
telnet timeout 30
ssh timeout 50
console timeout 0
management-access inside
vpn-sessiondb max-other-vpn-limit 250
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 192.168.12.16 inside
dhcprelay enable VMZ
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
dns-server value 192.168.12.16
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.12.16
vpn-tunnel-protocol l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.12.16
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
split-dns value pdc.chetu.com
group-policy mobileteam internal
group-policy mobileteam attributes
dns-server value 192.168.12.16 192.168.12.31
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mobileteam_splitTunnelAcl
default-domain value chetu.com
split-dns none
group-policy GroupPolicy_50.247.158.249 internal
group-policy GroupPolicy_50.247.158.249 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_50.192.171.29 internal
group-policy GroupPolicy_50.192.171.29 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_90.145.234.99 internal
group-policy GroupPolicy_90.145.234.99 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_24.120.27.227 internal
group-policy GroupPolicy_24.120.27.227 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_96.87.229.217 internal
group-policy GroupPolicy_96.87.229.217 attributes
vpn-tunnel-protocol ikev1
split-dns none
group-policy GroupPolicy_50.249.147.226 internal
group-policy GroupPolicy_50.249.147.226 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_103.42.91.34 internal
group-policy GroupPolicy_103.42.91.34 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy_47.190.55.112 internal
group-policy GroupPolicy_47.190.55.112 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ssl-clientless
group-policy GroupPolicy_97.76.81.150 internal
group-policy GroupPolicy_97.76.81.150 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_12.133.76.130 internal
group-policy GroupPolicy_12.133.76.130 attributes
vpn-tunnel-protocol ikev1
group-policy Remote internal
group-policy Remote attributes
dns-server value 192.168.12.16 192.168.12.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
group-policy NewRemote internal
group-policy NewRemote attributes
dns-server value 192.168.12.16
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
username bhans password ou7YM0dovNQ8NfbJ encrypted privilege 15
username kamendrac password gDTMAkGjRAN1Jroo encrypted privilege 15
username amardeepk password d9+OahPTxnLzjkx1CCAAHQ== nt-encrypted privilege 15
username virendrag password 86r3X7LcMm1D1VhI encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
address-pool AmarRemote
address-pool test
default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group 12.133.76.130 type ipsec-l2l
tunnel-group 12.133.76.130 general-attributes
default-group-policy GroupPolicy_12.133.76.130
tunnel-group 12.133.76.130 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 10
tunnel-group 50.249.147.226 type ipsec-l2l
tunnel-group 50.249.147.226 general-attributes
default-group-policy GroupPolicy_50.249.147.226
tunnel-group 50.249.147.226 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 50.192.171.29 type ipsec-l2l
tunnel-group 50.192.171.29 general-attributes
default-group-policy GroupPolicy_50.192.171.29
tunnel-group 50.192.171.29 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 47.206.14.122 type ipsec-l2l
tunnel-group 47.206.14.122 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 47.190.55.112 type ipsec-l2l
tunnel-group 47.190.55.112 general-attributes
default-group-policy GroupPolicy_47.190.55.112
tunnel-group 47.190.55.112 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group mobileteam type remote-access
tunnel-group mobileteam general-attributes
address-pool VPN_Pool
authentication-server-group mobileteam
default-group-policy mobileteam
tunnel-group mobileteam ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
address-pool VPN_Pool
authentication-server-group Remote
default-group-policy Remote
tunnel-group Remote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 103.42.91.34 type ipsec-l2l
tunnel-group 103.42.91.34 general-attributes
default-group-policy GroupPolicy_103.42.91.34
tunnel-group 103.42.91.34 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 50.247.158.249 type ipsec-l2l
tunnel-group 50.247.158.249 general-attributes
default-group-policy GroupPolicy_50.247.158.249
tunnel-group 50.247.158.249 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 96.87.229.217 type ipsec-l2l
tunnel-group 96.87.229.217 general-attributes
default-group-policy GroupPolicy_96.87.229.217
tunnel-group 96.87.229.217 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 24.120.173.56 type ipsec-l2l
tunnel-group 24.120.173.56 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group NewRemote type remote-access
tunnel-group NewRemote general-attributes
address-pool VPN_Pool
authentication-server-group mobileteam
default-group-policy NewRemote
tunnel-group NewRemote ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 50.192.171.25 type ipsec-l2l
tunnel-group 50.192.171.25 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 90.145.234.99 type ipsec-l2l
tunnel-group 90.145.234.99 general-attributes
default-group-policy GroupPolicy_90.145.234.99
tunnel-group 90.145.234.99 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match any
class-map cm-Block-Bandwidth
match access-list Block-Bandwidth
class-map type regex match-any CM_DomainsToBlock
match regex Domain2
match regex Domain4
match regex Domain5
match regex Domain6
match regex Domain7
match regex Domain8
match regex Domain9
match regex Domain10
match regex Domain11
match regex Domain12
match regex Domain13
match regex Domain17
match regex Domain15
match regex Domain1
match regex Domain3
class-map type inspect http match-all CM_HTTP
match request header host regex class CM_DomainsToBlock
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map MATCH-WINDOWS-UPDATE-SERVERS
match access-list WINDOWS-UPDATE-SERVERS
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
class-map httptraffic
match access-list inside_Block
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http PM_HTTP
parameters
class CM_HTTP
reset log
policy-map global_policy
description NetFlow-Policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect http PM_HTTP
class global-class
flow-export event-type all destination 192.168.11.88
class class-default
user-statistics accounting
policy-map Pm-Block-Bandwidth
class cm-Block-Bandwidth
police output 50000000 25000
police input 50000000 25000
policy-map POLICE-TRAFFIC
class MATCH-WINDOWS-UPDATE-SERVERS
police input 2097000
!
service-policy global_policy global
service-policy POLICE-TRAFFIC interface outside
service-policy Pm-Block-Bandwidth interface inside
smtp-server 192.168.12.10
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:2c335b27850d0017e1c80c708affd8ca
: end

 

Hello,

 

the config looks fine, although there are so many static NAT entries that I cannot determine if any of these cause the problem.

 

The easiest solution might be to just implement the EEM script below:

 

event manager applet CLEAR_SA
event track 1 state any
action 1 cli command "clear crypto ipsec sa peer x.x.x.x"

If I am understanding the situation correctly, the issue experienced by the original poster is actually the expected behavior. The key to understanding this is in the approach used for failover:

crypto map outside_map 1 set peer 182.74.233.26 14.143.250.204

When the crypto map specifies 2 peer addresses the ASA will negotiate the crypto with the first peer. If that negotiation is successful there is not any negotiation with the second peer at that time. If the first peer goes out of service (or has some issue that impacts the crypto sessions) then the ASA will open negotiations with the second peer. If the negotiations are successful then crypto sessions are established with the second peer and the tunnel comes up and passes traffic. 

 

The thing to understand here is that failover for IPSec VPN is not like failover with a routing protocol. With a routing protocol you have a preferred path with a better metric and a backup path with a not as good metric. When the preferred route fails then the backup path with the not as good metric is used. And when the better metric becomes available again, the traffic immediately comes back to the preferred path. It does not work that way with IPSec tunnels. There is no preferred metric or a not as good metric. There is only the first peer and the second peer. Negotiation begins with the first peer. As long as it works there is nothing done with the second peer. When the first peer fails then there is negotiation with the second peer. When traffic begins to use the tunnel to the second peer it will continue to use that tunnel as long as it is still valid. When the first peer comes back that is nice. But it does not automatically take over (as it would with a routing protocol). If you want traffic to come back to the first peer you must do something to cause the ASA to initiate new negotiation. You can either clear the SA or you can do something to make the second peer fail.

 

This is the expected behavior of IPSec tunnels. If you want the first peer to become active when it comes back in service then you need something like the EEM script that can detect the availability of the first peer and then clear the SA.  If something like VTI tunnels were available you could get the failover behavior that you want. This is because with VTI tunnels you get the tunnel traffic encrypted and the failover is done by a routing protocol running over the tunnel and not done by IPSec.

 

HTH

Rick

Thank You Rick

 

=====

When the crypto map specifies 2 peer addresses the ASA will negotiate the crypto with the first peer. If that negotiation is successful there is not any negotiation with the second peer at that time. If the first peer goes out of service (or has some issue that impacts the crypto sessions) then the ASA will open negotiations with the second peer. If the negotiations are successful then crypto sessions are established with the second peer and the tunnel comes up and passes traffic.

==========

You are right: when 182.74.233.26 goes down, 14.143.250.204 comes up and the tunnel starts working.

But when, after some time, 182.74.233.26 (ISP) comes up, it does not start the tunnel, and when 14.143.250.204 goes down the tunnel does not work and sh isakmp sa shows 14.143.250.204 as active.

Thanks

amardeep

 

Knowing that after the IPSec VPN fails over to 14.143.250.204 but later that peer stops working and the VPN does not bring up the first peer is surprising and is a significant change in the understanding of the problem. After reading again your earlier post with partial config I believe that I may have an explanation. Your ASA specifies 2 peers in the crypto map for this VPN. You provide a partial config for remote B, which is the first of the 2 peers. In that config I find this in its crypto map:

crypto map outside_map 1 set peer 12.133.76.130 50.192.171.25

So this ASA also specifies 2 peers for its VPN tunnel.

 

I believe that this is what is happening:

1) Your ASA 12.133.76.130 establishes an IPSec VPN to 182.74.233.26. The VPN tunnel comes up and traffic is being forwarded.

2) Something happens and the VPN to 182.74.233.26 fails.

3) Your ASA negotiates with 14.143.250.204. The negotiation is successful and the VPN tunnel comes up and passes traffic.

4) While your VPN to 14.143.250.204 is working 182.74.233.26 comes back on line. It attempts to negotiate its VPN with you but that is not successful (you do not accept the negotiation because that VPN tunnel is already working for you). So that ASA begins negotiation with 50.192.171.25. That negotiation is successful and the VPN tunnel comes up and begins to forward traffic. 

5) Your VPN tunnel to 14.143.250.204 stops working. You attempt to begin negotiation with 182.74.233.26. The negotiation is not successful because 182.74.233.26 already has a working VPN tunnel for that traffic. 

 

HTH

Rick
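A small model of the dual-peer behaviour Rick describes in both of his replies, added here as an example and not part of the thread. The peer addresses are the ones from the posted configs; the negotiation rules (the initiator sources from its primary ISP when that link is up, a responder whose interface already holds a live SA declines, keepalives tear SAs down when a link fails, and a cleared SA is also dropped on the far side) are assumptions drawn from his explanation, not ASA internals.

```python
from dataclasses import dataclass, field

@dataclass
class Asa:
    addrs: list   # own outside addresses, primary ISP first
    peers: list   # crypto-map "set peer" list, first entry is tried first
    up: set = field(default_factory=set)    # addresses whose ISP link is up
    sa: dict = field(default_factory=dict)  # local addr -> peer addr of a live SA

class Network:
    def __init__(self, *nodes):
        self.owner = {a: n for n in nodes for a in n.addrs}
    def reachable(self, addr):
        return addr in self.owner[addr].up
    def sa_valid(self, node, local):
        peer = node.sa.get(local)
        return peer is not None and self.reachable(local) and self.reachable(peer)
    def negotiate(self, node):
        # Initiator sources from its primary ISP when up and walks "set peer" in order.
        src = next((a for a in node.addrs if a in node.up), None)
        if src is None:
            return None
        if self.sa_valid(node, src):
            return node.sa[src]          # live SA on this interface, nothing to do
        node.sa.pop(src, None)
        for peer in node.peers:
            if not self.reachable(peer):
                continue
            far = self.owner[peer]
            if self.sa_valid(far, peer): # assumed rule: a responder with a live SA declines
                continue
            node.sa[src], far.sa[peer] = peer, src
            return peer
        return None
    def link_down(self, addr):
        self.owner[addr].up.discard(addr)  # ISP failure; keepalives/DPD tear the SAs down
        for n in self.owner.values():
            n.sa = {l: p for l, p in n.sa.items() if addr not in (l, p)}
    def clear_sa(self, node, peer):
        # "clear crypto ipsec sa peer <peer>"; assumes the delete notify reaches the peer
        node.sa = {l: p for l, p in node.sa.items() if p != peer}
        far = self.owner[peer]
        far.sa = {l: p for l, p in far.sa.items() if p not in node.addrs}

def run_scenario():
    a = Asa(["12.133.76.130", "50.192.171.25"], ["182.74.233.26", "14.143.250.204"])
    b = Asa(["182.74.233.26", "14.143.250.204"], ["12.133.76.130", "50.192.171.25"])
    a.up, b.up = set(a.addrs), set(b.addrs)      # every ISP link starts up
    net, steps = Network(a, b), {}
    steps[1] = net.negotiate(a)                  # primary-to-primary tunnel
    net.link_down("182.74.233.26")               # step 2: remote primary ISP fails
    steps[3] = net.negotiate(a)                  # you fail over to the remote's backup
    b.up.add("182.74.233.26")                    # step 4: remote primary returns...
    steps[4] = net.negotiate(b)                  # ...and rebuilds towards YOUR backup
    net.link_down("14.143.250.204")              # step 5: remote backup ISP fails
    steps[5] = net.negotiate(a)                  # None: both primaries refuse each other
    net.clear_sa(a, "182.74.233.26")             # the manual fix from the thread
    steps["after_clear"] = net.negotiate(a)      # primary tunnel rebuilds
    return steps
```

Running `run_scenario()` shows the stuck state at step 5 (no peer accepted) and that clearing the SA towards the first peer, which is what the EEM applet in the earlier reply automates, lets the primary-to-primary tunnel come back.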

Thank You Rick, 

 

I need to check all this in a practical scenario. I will test and get back.

Thanks

amardeep 
