01-20-2020 07:18 AM
Hi All
Running into a small problem.
I have a C1941 with an EHWIC VDSL card that connects to my ISP (FTTC). I can get this to connect to the ISP and get my single static IP address. I have now since got an ASA 5520 which I want to put in between the router and my network. The ASA also needs to act as a site-to-site VPN to other locations.
The ASA is currently configured as follows:
Internal -> 10.10.0.254 I/F GI01
External -> 10.10.1.2 I/F Gi 0/0
Router -> 10.10.1.1 I/F Gi 0/0
EHWIC ( Dialer1) x.x.x.x
I have a default route set on the ASA of 0.0.0.0 0.0.0.0 10.10.1.1 1. I know this works as I can get to the router via telnet and HTTPS.
But when trying to ping anything on 10.10.0.x, nothing.
Any help welcome also able to post current running configs should this be needed
Cheers
01-20-2020 08:18 AM
The,
The default route of the ASA needs to specify an interface. Do you have that configured?
If the interface on the ASA that connects to the router is named e.g. external, the default route needs to be:
route external 0.0.0.0 0.0.0.0 10.10.1.1
--> But when trying to ping anything on 10.10.0.x, nothing.
Pinging from where? The router (obviously) needs a route back to the ASA. If you can, post the configs of both devices; you are probably missing something small...
01-20-2020 08:31 AM
Hi Georg,
Here is the running config on the ASA
: Saved
:
: Serial Number: JMXXXXXXXXX
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname kent-firewall
domain-name xxxx.xxxxxxxxxx.uk.com
enable password XXXXXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
description Connect to Cisco 1941 Router
nameif External
security-level 0
ip address 10.10.1.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.0.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Internal Network
nameif Management
security-level 100
ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
dns domain-lookup External
dns domain-lookup Management
dns server-group DefaultDNS
name-server 10.10.0.10
name-server 10.10.0.20
name-server 10.10.0.40
dns server-group EXT-DNS
name-server 8.8.8.8
name-server 1.1.1.1
name-server 8.8.4.4
name-server 1.0.0.1
same-security-traffic permit intra-interface
object network External-address
host xx.xx.xx.xx
description External IP address
object network Phy-DC01
host 10.10.0.40
description Kent-Dc01
object network Fordwich
subnet 10.0.0.0 255.255.255.0
description Fordwich Network
object network NETWORK_OBJ_10.10.0.0_24
subnet 10.10.0.0 255.255.255.0
object network Exchange-Server
host 10.10.0.11
description Email Server
object network Virt-DC02
host 10.10.0.10
description Kent DC02
object network Virt-DC03
host 10.10.0.20
description Kent-DC03
object network WebServer
host 10.10.0.12
description Kent WebServer01
object service SMTP-SSL
service tcp source eq 465 destination eq 465
description SMTP SSL
object-group service DM_INLINE_SERVICE_1
service-object object SMTP-SSL
service-object tcp destination eq smtp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list External_access_in_1 extended permit icmp any 10.10.0.0 255.255.255.0 log disable
access-list External_access_in_1 extended permit tcp any object-group DM_INLINE_TCP_2 object WebServer object-group DM_INLINE_TCP_1 log disable
access-list External_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object Exchange-Server log disable
access-list External_cryptomap_1 extended permit ip 10.10.0.0 255.255.255.0 object Fordwich
pager lines 24
logging enable
logging asdm informational
logging from-address Firewall@y.com
logging recipient-address x@y.com level errors
mtu External 1500
mtu Management 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,External) source dynamic any interface
nat (Inside,External) source static NETWORK_OBJ_10.10.0.0_24 NETWORK_OBJ_10.10.0.0_24 destination static Fordwich Fordwich no-proxy-arp route-lookup
access-group External_access_in_1 in interface External
route External 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 Inside
http 10.10.0.0 255.255.255.0 Inside
snmp-server host Inside 10.10.0.16 community *****
snmp-server location
snmp-server contact
snmp-server community *****
sysopt noproxyarp Management
crypto ipsec ikev1 transform-set Fordwich esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map External_map1 1 match address External_cryptomap_1
crypto map External_map1 1 set peer 82.69.1.210
crypto map External_map1 1 set ikev1 transform-set Fordwich
crypto map External_map1 interface External
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable External
crypto ikev1 enable Inside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.255.0 Inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay setroute Management
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.0.40 source Management prefer
ntp server 10.10.0.10 source Management prefer
webvpn
anyconnect-essentials
cache
disable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 82.69.1.210 type ipsec-l2l
tunnel-group 82.69.1.210 general-attributes
default-group-policy GroupPolicy1
tunnel-group 82.69.1.210 ipsec-attributes
ikev1 pre-shared-key *****
!
!
smtp-server 10.10.0.11
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:21ccd140e7c429f83471045b270aebe8
: end
Here is the Config from the C1941
Current configuration : 4007 bytes
!
! Last configuration change at 20:54:44 GMT Sun Jan 19 2020 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DD-C1941
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name xxxx.xxxxxxxx.uk.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1921930C
!
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username admin privilege 15 password 0 xxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
!
!
class-map type inspect match-all INTERNAL_DOMAIN_FILTER
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.10.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
cdp enable
!
interface Ethernet0/0/0
no ip address
!
interface Ethernet0/0/0.1
description PrimaryWANDesc_Zen Internet
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description PrimaryWANDesc_Zen Internet_Ethernet0/0/0.1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx@zen
ppp chap password 0 xxxxxxxx
ppp pap sent-username xxxxxxxxx@zen password 0 xxxxxxxx
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.0.0 255.255.255.0 10.10.1.2
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 2.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org source Dialer1
!
end
Many Thanks
Ian
01-20-2020 12:40 PM
Hello,
try and disable the access list altogether and use the global policy to inspect ICMP instead:
no access-group External_access_in_1 in interface External
policy-map global_policy
class inspection_default
inspect icmp
01-21-2020 03:06 PM
I agree with the suggestion about enabling inspect for ICMP. But as I look at the posted configuration I see 3 entries in the access list controlling traffic from outside and all 3 are disabled. So effectively there is nothing to permit the ping traffic.
HTH
Rick
01-20-2020 08:29 AM
Hello
@Ian Houghton wrote:
Hi All
Running into a small problem.
I have a C1941 with an EHWIC VDSL card that connects to my ISP (FTTC). I can get this to connect to the ISP and get my single static IP address. I have now since got an ASA 5520 which I want to put in between the router and my network. The ASA also needs to act as a site-to-site VPN to other locations.
The ASA is currently configured as follows:
Internal -> 10.10.0.254 I/F GI01
External -> 10.10.1.2 I/F Gi 0/0
Router -> 10.10.1.1 I/F Gi 0/0
EHWIC ( Dialer1) x.x.x.x
But when trying to ping anything on 10.10.0.x, nothing.
Where are you attempting to ping from?
By default, the security levels on the FW interfaces prohibit communication from any host behind an interface with a lower security level to an interface with a higher security level. Also, there isn't any access rule allowing ICMP echo-reply either to/from the same interfaces.
01-20-2020 08:57 AM
Hi Paul
I have an access list rule allowing any -> inside network/24 ICMP permit.
Is that what you are on about?
Does this also need to have ICMP Echo reply added as a test?
Thanks
01-20-2020 11:30 AM - edited 01-20-2020 12:43 PM
Hello
@Ian Houghton wrote:
Hi Paul
I have an access list rule allowing any -> inside network/24 ICMP permit.
Is that what you are on about?
Does this also need to have ICMP Echo reply added as a test?
access-list External_access_in_1 extended permit icmp any 10.10.0.0 255.255.255.0 log disable
access-group External_access_in_1 in interface External
route External 0.0.0.0 0.0.0.0 10.10.1.1 1
Yes. However, although the ACL covers the 10.0.0/8 subnet, it isn't specifying what type of ICMP you would like to allow, so would you try making it more specific and test again?
example:
no access-list External_access_in_1 extended permit icmp any 10.10.0.0 255.255.255.0 log disable
object network LAN1
subnet 10.10.0.0 255.255.255.0
object network LAN2
subnet 10.10.10.0 255.255.255.0
object-group network LANS
network-object object LAN1
network-object object LAN2
access-list External_access_in_1 extended permit icmp any object-group LANS echo log disable
access-list External_access_in_1 extended permit icmp any object-group LANS echo-reply log disable
01-20-2020 11:40 AM
Hi Paul.
I have 10.10.0.0/24 ( Internal ) 10.0.0.0/24 ( Down a VPN Tunnel )
and 10.10.1.0/30 ( External ) connecting to Router
I'm just trying to ping from the CLI of the router to an IP on the inside interface of the firewall.
If this is NOT the best way to check for traffic flow then please advise.
Thanks
Ian
01-20-2020 12:45 PM - edited 01-20-2020 12:47 PM
Hello
@Ian Houghton wrote:
Hi Paul.
I have 10.10.0.0/24 ( Internal ) 10.0.0.0/24 ( Down a VPN Tunnel )
and 10.10.1.0/30 ( External ) connecting to Router
I'm just trying to ping from the CLI of the router to an IP on the inside interface of the firewall.
If this is NOT the best way to check for traffic flow then please advise.
Understood. Can you confirm whether you are sourcing that ping from an interface on the router that is allowed in the access-list on the FW?
01-30-2020 03:02 PM
Hi all,
Thanks for all the replies. I have had a chance to try them all and am sorry to report that I'm unable to get any traffic to flow from the net inbound. (I am guessing that outbound traffic is going!)
What I have been able to work out is: if I take the ASA out of the question and change the IP range on the 1941 to that of my internal network, I can get traffic to flow!
So the current connections are:
ASA Eth0/0 10.10.1.2/30
ASA Eth 0/1 10.10.0.253/24
1941 GI0/0 10.10.1.1/30
I'm thinking that the issue is either NAT based or route based, either from the router or the ASA. Any help welcome.
02-01-2020 08:05 AM
It would be helpful if you would post a fresh copy of the ASA config. We would like to verify how you have addressed the suggestions about including inspection for ICMP and about the access list statements that are disabled.
In addition as I look through the posted config again I notice the order of the nat statements.
nat (Inside,External) source dynamic any interface
nat (Inside,External) source static NETWORK_OBJ_10.10.0.0_24 NETWORK_OBJ_10.10.0.0_24 destination static Fordwich Fordwich no-proxy-arp route-lookup
The second nat to exempt the vpn traffic is good. But it should come before the nat that translates everything.
HTH
Rick
02-01-2020 02:17 PM
Hi Rick
Below is the current running config on my ASA5520
Thanks
: Serial Number: JMX1550XXXX
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)32
!
hostname kent-firewall
domain-name XXXX.XXXXXXXX.XX.XXX
enable password XXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
description Connect to Cisco 1941 Router
nameif Outside
security-level 0
ip address 10.10.1.2 255.255.255.252
rip send version 1 2
rip receive version 1 2
!
interface GigabitEthernet0/1
description Internal Network
nameif Inside
security-level 100
ip address 10.10.0.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 10.10.0.10
name-server 10.10.0.20
name-server 10.10.0.40
domain-name XXXX.XXXXXXXX.XX.XXX
same-security-traffic permit intra-interface
object network External-address
host XX.XX.XX.XX
description External IP address
object network Phy-DC01
host 10.10.0.40
description Kent-Dc01
object network Fordwich
subnet 10.0.0.0 255.255.255.0
description Fordwich Close Network
object network NETWORK_OBJ_10.10.0.0_24
subnet 10.10.0.0 255.255.255.0
object network Exchange-Server
host 10.10.0.11
description Email Server
object network Virt-DC02
host 10.10.0.10
description Kent DC02
object network Virt-DC03
host 10.10.0.20
description Kent-DC03
object network WebServer
host 10.10.0.12
description Kent WebServer01
object service SMTP-SSL
service tcp source eq 465 destination eq 465
description SMTP SSL
object-group service DM_INLINE_SERVICE_1
service-object object SMTP-SSL
service-object tcp destination eq smtp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object tcp-udp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_6
service-object object SMTP-SSL
service-object tcp destination eq smtp
object-group service WWW
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
object-group network DNSServers
description Internal DNS Servers
network-object object Phy-DC01
network-object object Virt-DC02
network-object object Virt-DC03
object-group service DM_INLINE_SERVICE_7
service-object tcp-udp destination eq domain
service-object tcp destination eq domain
service-object udp destination eq domain
access-list External_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 interface Outside interface Inside log disable
access-list External_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any 10.10.0.0 255.255.255.0 log disable
access-list External_access_in_1 extended permit tcp any object-group DM_INLINE_TCP_2 object WebServer object-group DM_INLINE_TCP_1 log disable
access-list External_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object Exchange-Server log disable
access-list Outside_cryptomap extended permit ip 10.10.0.0 255.255.255.0 object Fordwich
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any 10.10.0.0 255.255.255.0 inactive
access-list Outside_access_in remark Inbound Email to Exchange
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Exchange-Server inactive
access-list Outside_access_in remark Inbound webmail access
access-list Outside_access_in extended permit object-group WWW any object WebServer
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object-group DNSServers
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any any
pager lines 24
logging enable
logging asdm informational
logging from-address Firewall@XXXXXXXX.XX
logging recipient-address ian@XXXXXXXX.XX level errors
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) source static NETWORK_OBJ_10.10.0.0_24 NETWORK_OBJ_10.10.0.0_24 destination static Fordwich Fordwich no-proxy-arp route-lookup
!
nat (any,Inside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.0.0 255.255.255.0 Inside
http 10.0.0.0 255.255.255.0 Inside
snmp-server host Inside 10.10.0.16 community *****
snmp-server location
snmp-server contact
snmp-server community XXXXXXXXXXXXX
crypto ipsec ikev1 transform-set Fordwich esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 82.69.1.210
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 enable Inside
crypto ikev1 enable Outside
crypto ikev1 enable Inside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.255.0 Inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.10.0.0 255.255.255.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.0.40 prefer
ntp server 10.10.0.10 prefer
webvpn
anyconnect-essentials
cache
disable
group-policy GroupPolicy_XX.XX.XX.XX internal
group-policy GroupPolicy_XX.XX.XX.XX attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX general-attributes
default-group-policy GroupPolicy_XX.XX.XX.XX
tunnel-group XX.XX.XX.XX ipsec-attributes
ikev1 pre-shared-key XXXXXXXXXXXX
ikev2 remote-authentication pre-shared-key XXXXXXXXXXXX
ikev2 local-authentication pre-shared-key XXXXXXXXXXXX
!
class-map global-class
match any
!
!
policy-map global_policy
policy-map global-policy
description ICMP
class global-class
inspect icmp
!
service-policy global-policy global
smtp-server 10.10.0.11
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0736aad813637b6b9170f0f9638b30b
: end
02-02-2020 05:54 AM
Thanks for posting the fresh copy of the config. In reading through the discussion again I realize that I had missed a significant clue about the problem which is this "Im just trying to ping from the cli of the router to an ip on the inside interface of the firewall". It is a security policy of the ASA that it does not allow ping to the inside interface address from a device coming through the outside interface. See this discussion of the issue for further details
https://community.cisco.com/t5/firewalls/not-able-to-ping-inside-interface-from-outside/td-p/2866589
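As an added example (not code from any poster in this thread), here is a small Python linter that checks a pasted ASA running-config for the points raised across the replies: the default route naming a configured interface, the access-group referencing a real ACL and interface, the VPN NAT-exemption rule ordered after the dynamic catch-all, ICMP permitted without inspection, and (for the last reply) whether a ping target is an interface address the ASA will answer from the ingress interface. The sample config is a constructed excerpt modelled on the posted one; the function names and messages are my own.

```python
import re

# Constructed excerpt modelled on the ASA config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif External
 security-level 0
 ip address 10.10.1.2 255.255.255.252
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.0.254 255.255.255.0
access-list External_access_in_1 extended permit icmp any 10.10.0.0 255.255.255.0 log disable
nat (Inside,External) source dynamic any interface
nat (Inside,External) source static NETWORK_OBJ_10.10.0.0_24 NETWORK_OBJ_10.10.0.0_24 destination static Fordwich Fordwich no-proxy-arp route-lookup
access-group External_access_in_1 in interface External
route External 0.0.0.0 0.0.0.0 10.10.1.1 1
"""


def nameifs(cfg):
    """Set of interface names (nameif) defined in the config."""
    return set(re.findall(r"^\s*nameif\s+(\S+)", cfg, re.M))


def acl_names(cfg):
    return set(re.findall(r"^access-list\s+(\S+)\s+extended", cfg, re.M))


def interface_addresses(cfg):
    """Map nameif -> IP address for each interface block."""
    result, name, addr = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            if name and addr:
                result[name] = addr
            name = addr = None
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) \S+", line)
        if m:
            addr = m.group(1)
    if name and addr:
        result[name] = addr
    return result


def check_routes(cfg):
    """Every static route must name a configured interface."""
    known = nameifs(cfg)
    return [f"route references unknown interface '{m.group(1)}'"
            for m in re.finditer(r"^route\s+(\S+)\s+\S+\s+\S+\s+\S+", cfg, re.M)
            if m.group(1) not in known]


def check_access_groups(cfg):
    """access-group must bind an existing ACL to an existing interface."""
    acls, ifs, problems = acl_names(cfg), nameifs(cfg), []
    for m in re.finditer(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+(\S+)", cfg, re.M):
        acl, iface = m.groups()
        if acl not in acls:
            problems.append(f"access-group references unknown ACL '{acl}'")
        if iface not in ifs:
            problems.append(f"access-group references unknown interface '{iface}'")
    return problems


def check_nat_order(cfg):
    """Manual (section 1) NAT is first-match top-down: an identity rule
    (source static X X destination static Y Y) placed after a dynamic
    catch-all for the same interface pair is never reached, so VPN traffic
    gets PATed instead of exempted. after-auto rules are section 3 and skipped."""
    problems, first_dynamic = [], {}
    for lineno, line in enumerate(cfg.splitlines(), 1):
        if "after-auto" in line:
            continue
        m = re.match(r"^nat \((\S+),(\S+)\) source (dynamic|static) (\S+) (\S+)(.*)$", line)
        if not m:
            continue
        real_if, mapped_if, kind, real_obj, mapped_obj, rest = m.groups()
        pair = (real_if, mapped_if)
        if kind == "dynamic":
            first_dynamic.setdefault(pair, lineno)
        elif real_obj == mapped_obj and "destination static" in rest and pair in first_dynamic:
            problems.append(f"line {lineno}: identity NAT for {real_obj} is shadowed by "
                            f"dynamic NAT on line {first_dynamic[pair]}; move it above")
    return problems


def check_icmp_return(cfg):
    """Without 'inspect icmp' the ASA treats ICMP statelessly, so replies
    crossing from a lower to a higher security level need their own permit."""
    permits = re.search(r"^access-list \S+ extended permit icmp ", cfg, re.M)
    inspects = re.search(r"^\s*inspect icmp\b", cfg, re.M)
    if permits and not inspects:
        return ["ICMP is permitted by ACL but not inspected: add 'inspect icmp' to the "
                "global policy or permit echo-reply explicitly"]
    return []


def ping_to_own_address_allowed(cfg, ingress_if, target_ip):
    """The ASA answers pings to an interface address only when the packet
    arrives on that interface; a ping to the Inside address arriving on the
    outside interface is dropped by design. Returns None for non-ASA targets."""
    addrs = interface_addresses(cfg)
    if target_ip not in addrs.values():
        return None
    return addrs.get(ingress_if) == target_ip


def lint(cfg):
    return check_routes(cfg) + check_access_groups(cfg) + check_nat_order(cfg) + check_icmp_return(cfg)


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print(problem)
    print("ping Inside address from External:", ping_to_own_address_allowed(SAMPLE_CONFIG, "External", "10.10.0.254"))
```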