VPN between statically Addressed ASA and a dynamically addressed IOS Router

lakrimoca
Level 1

Hello guys
I need to configure a VPN between a statically addressed ASA and a dynamically addressed IOS Router Catalyst 2800.
Can anyone help me troubleshoot?

I use this manual https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/211273-Configuration-Example-of-Dynamic-IPsec-B.html

But there are no SAs in 'show crypto isakmp sa'.

 


Hello,

Post the full configs of both the ASA and the 2800 router...

The original post says that there is no ISAKMP SA, and that might be true. But that is not necessarily a problem. The picture posted shows that there is an IPsec SA that was negotiated. And the IPsec SA cannot be negotiated until the ISAKMP SA is negotiated. Once the IPsec SA is negotiated the ISAKMP SA may time out, and I believe that is the case here.

That output shows that while the IPsec SA has been negotiated, there are no data packets going through the site-to-site VPN. This is the issue that we need to examine. I agree with Georg that seeing the configuration would help us understand what is going on here.

HTH

Rick

Thank you for your feedback. The configuration of both sides is published below.

Thank you for posting the configs. This may well turn out to be an issue with multiple parts, and we should address them one at a time. The first issue that I see is that the router interface for the LAN is shut down. Do a no shut on the interface and let us know if the behavior changes.

HTH

Rick

lakrimoca
Level 1

FW-Primary# sh running-config
: Saved

:
: Serial Number: JAD1934034J
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
hostname FW-Primary
domain-name ****
enable password idPbayC encrypted
names
ip local pool VPN-pool-demo 10.10.10.10-10.10.10.20 mask 255.255.255.0
ip local pool RRC 172.18.1.200-172.18.1.250 mask 255.255.255.0
ip local pool Admin 172.18.15.10-172.18.15.30 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
description --- Link to SW2960 server farm ---
nameif link-to-2960
security-level 10
no ip address
!
interface GigabitEthernet1/4.10
description --- Demo subnet ---
vlan 10
nameif Demo
security-level 10
ip address 172.18.1.1 255.255.255.0
!
interface GigabitEthernet1/4.90
description --- Servers subnet ---
vlan 90
nameif Servers
security-level 10
ip address 172.18.9.1 255.255.255.0
!
interface GigabitEthernet1/5
description --- Link to SW3650 lan network ---
nameif link-to-3650
security-level 10
no ip address
!
interface GigabitEthernet1/5.9
description --- Management subnet ---
vlan 9
nameif mgmt
security-level 10
ip address 172.18.0.193 255.255.255.192
!
interface GigabitEthernet1/5.20
vlan 20
nameif Admin
security-level 10
ip address 172.18.2.1 255.255.255.0
!
interface GigabitEthernet1/5.30
description --- Voice subnet ---
vlan 30
nameif Voice
security-level 10
ip address 172.18.3.1 255.255.255.0
!
interface GigabitEthernet1/5.40
description --- PLF-4Floor---
vlan 40
nameif PLF
security-level 10
ip address 172.18.4.1 255.255.255.0
!
interface GigabitEthernet1/5.50
description --- Managers subnet ---
vlan 50
nameif Managers
security-level 10
ip address 172.18.5.1 255.255.255.0
!
interface GigabitEthernet1/5.60
vlan 60
nameif Guest
security-level 5
ip address 172.18.6.1 255.255.255.0
!
interface GigabitEthernet1/5.70
description --- Users subnet ---
vlan 70
nameif Users
security-level 10
ip address 172.18.7.1 255.255.255.0
!
interface GigabitEthernet1/5.80
description --- Cameras and DVR subnet ---
vlan 80
nameif Cameras
security-level 5
ip address 172.18.8.1 255.255.255.0
!
interface GigabitEthernet1/6
description --- To SWMod on Routers ---
nameif Edge-net
security-level 0
ip address 172.18.0.22 255.255.255.240
!
interface GigabitEthernet1/7
description LAN Failover Interface
!
interface GigabitEthernet1/8
description STATE Failover Interface
!
interface Management1/1
description --- Management subnet out of band ---
management-only
nameif mgmt-out-of-band
security-level 100
ip address 172.18.0.138 255.255.255.192
!
ftp mode passive
clock timezone UZT 5
dns server-group DefaultDNS
domain-name ****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network All-local-lan
subnet 172.18.0.0 255.255.240.0
description all-local-lan summarized
object network edge
host 172.18.0.17
object network obj-anyconnect
subnet 10.10.10.0 255.255.255.0
object network obj-inside
subnet 172.18.9.0 255.255.255.0
object network All-lan-Jomiy
subnet 172.17.0.0 255.255.0.0
object network DHCP-server
host 172.18.9.13
description DHCP-server
object network ADDS-rrc
host 172.18.1.20
description Domain controller for rrc labs
object network RRC-VPN-subnet
subnet 192.168.9.0 255.255.255.0
object network NTP-server
host 172.18.9.40
description NTP-server
object network 1c-Server
host 172.18.9.16
description 1c-Server
object network Fer_all_lan
subnet 172.19.0.0 255.255.240.0
description Fer_all_lan
object network BI-servers
subnet 172.18.9.48 255.255.255.248
description Bi-servers
object network AdminPC
host 172.18.7.106
object network AdminPC2
host 172.18.2.210
object service deb
service tcp destination eq 1987
description default
object network UTEX-lan
subnet 172.20.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network TRusted-Networks
network-object 172.18.0.192 255.255.255.192
network-object 172.18.2.0 255.255.255.128
network-object 172.18.3.0 255.255.255.0
network-object 172.18.5.0 255.255.255.128
network-object 172.18.7.0 255.255.255.0
network-object 172.18.9.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object AdminPC
network-object object AdminPC2
object-group service DM_INLINE_UDP_1 udp
port-object eq bootpc
port-object eq bootps
object-group service DM_INLINE_SERVICE_1
service-object icmp time-exceeded
service-object tcp destination eq rsh
object-group service Radius-authentication-ports tcp-udp
description Radius-authentication-ports
port-object eq 1812
port-object eq 1813
object-group service DM_INLINE_UDP_2 udp
group-object Radius-authentication-ports
port-object eq radius
port-object eq radius-acct
object-group service DM_INLINE_UDP_3 udp
port-object eq syslog
port-object eq tftp
access-list Train standard permit 172.18.9.0 255.255.255.0
access-list Local-lan-access-from-vpn extended permit ip object All-local-lan any
access-list Edge-net_cryptomap_1 extended permit ip object All-local-lan object Fer_all_lan
access-list Edge-net_cryptomap_1 extended permit ip object All-local-lan object UTEX-lan
access-list Edge-net_access_in extended permit object-group DM_INLINE_SERVICE_1 any object All-local-lan
access-list Edge-net_access_in extended permit icmp 172.18.0.16 255.255.255.240 172.18.9.0 255.255.255.0
access-list Edge-net_access_in extended permit object-group TCPUDP 172.18.0.16 255.255.255.240 object NTP-server object-group Radius-authentication-ports
access-list Edge-net_access_in extended permit udp 172.18.0.16 255.255.255.240 object NTP-server eq ntp
access-list Edge-net_access_in extended permit udp 172.18.0.16 255.255.255.240 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_UDP_3
access-list Edge-net_access_in extended permit object deb any object NTP-server
access-list PLF_access_in extended permit udp 172.18.4.0 255.255.255.0 object DHCP-server object-group DM_INLINE_UDP_1
access-list PLF_access_in extended deny ip 172.18.4.0 255.255.255.0 object All-local-lan
access-list PLF_access_in extended permit ip 172.18.4.0 255.255.255.0 any
access-list Demo_access_in extended deny ip 172.18.1.0 255.255.255.0 any
access-list RRC-VPN standard permit 172.18.1.0 255.255.255.0
access-list RRC-VPN standard permit host 10.10.10.0
access-list BI extended permit ip any object BI-servers
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list ACCOUNTANT_ACL extended permit ip any host 172.18.9.16
access-list ACCOUNTANT_ACL extended permit ip any host 172.19.9.10
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm warnings
logging host Users 172.18.7.101
logging host Admin 172.18.2.19
mtu outside 1500
mtu inside 1500
mtu link-to-2960 1500
mtu Demo 1500
mtu Servers 1500
mtu link-to-3650 1500
mtu mgmt 1500
mtu Admin 1500
mtu Voice 1500
mtu PLF 1500
mtu Managers 1500
mtu Guest 1500
mtu Users 1500
mtu Cameras 1500
mtu Edge-net 1500
mtu mgmt-out-of-band 1500
failover
failover lan unit primary
failover lan interface FOlink GigabitEthernet1/7
failover key *****
failover link Statelink GigabitEthernet1/8
failover interface ip FOlink 172.18.0.1 255.255.255.252 standby 172.18.0.2
failover interface ip Statelink 172.18.0.5 255.255.255.252 standby 172.18.0.6
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Edge-net) source static All-local-lan All-local-lan destination static UTEX-lan UTEX-lan
!
object network All-local-lan
nat (inside,outside) dynamic interface
access-group PLF_access_in in interface PLF
access-group Edge-net_access_in in interface Edge-net
route Edge-net 0.0.0.0 0.0.0.0 172.18.0.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server RADIUS protocol radius
aaa-server RADIUS (Servers) host 172.18.9.40
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.18.0.128 255.255.255.192 mgmt-out-of-band
http 172.18.0.192 255.255.255.192 mgmt
http 172.18.7.0 255.255.255.0 Users
http 172.18.2.0 255.255.255.0 Admin
http 10.10.10.0 255.255.255.0 Servers
http 172.18.0.22 255.255.255.255 Edge-net
http 172.18.15.0 255.255.255.0 Admin
snmp-server host Servers 172.18.9.17 community *****
no snmp-server location
snmp-server contact public
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change cpu-temperature chassis-temperature accelerator-temperature
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
snmp-server enable traps config
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map cisco 1 set ikev1 transform-set myset
crypto map Edge-net_map 1 match address Edge-net_cryptomap_1
crypto map Edge-net_map 1 set peer 213.11.11.11
crypto map Edge-net_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Edge-net_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Edge-net_map 10 ipsec-isakmp dynamic cisco
crypto map Edge-net_map interface Edge-net
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Edge-net
crypto ikev1 enable Edge-net
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh pubkey-chain
server 10.10.10.0
ssh 172.18.2.0 255.255.255.0 Admin
ssh 172.18.7.0 255.255.255.0 Users
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Admin
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
dhcprelay server 172.18.9.13 Servers
dhcprelay enable Demo
dhcprelay enable mgmt
dhcprelay enable Admin
dhcprelay enable Voice
dhcprelay enable PLF
dhcprelay enable Managers
dhcprelay enable Users
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 172.18.9.40
webvpn
enable Servers
enable Users
enable Edge-net
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy GroupPolicy_TRAIN internal
group-policy GroupPolicy_TRAIN attributes
wins-server none
dns-server value 172.18.9.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value ****
group-policy GroupPolicy_BI internal
group-policy GroupPolicy_BI attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-network-list value BI
default-domain value ****
split-dns none
group-policy GroupPolicy_213.11.11.11 internal
group-policy GroupPolicy_213.11.11.11 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_84.11.11.11 internal
group-policy GroupPolicy_84.11.11.11 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TRAIN type remote-access
tunnel-group TRAIN general-attributes
address-pool Admin
default-group-policy GroupPolicy_TRAIN
tunnel-group TRAIN webvpn-attributes
group-alias TRAIN enable
tunnel-group 84.11.11.11 type ipsec-l2l
tunnel-group 84.11.11.11 general-attributes
default-group-policy GroupPolicy_84.11.11.11
tunnel-group 84.11.11.11 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 213.11.11.11 type ipsec-l2l
tunnel-group 213.11.11.11 general-attributes
default-group-policy GroupPolicy_213.11.11.11
tunnel-group 213.11.11.11 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group BI type remote-access
tunnel-group BI general-attributes
address-pool VPN-pool-demo
default-group-policy GroupPolicy_BI
tunnel-group BI webvpn-attributes
group-alias BI enable
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class global-class
inspect icmp
inspect ftp
inspect mgcp
inspect rtsp
inspect sip
inspect skinny
inspect dns preset_dns_map
inspect esmtp
inspect netbios
inspect rsh
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp error
class class-default
user-statistics accounting
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end
FW-Primary#

lakrimoca
Level 1

Dynamic side


Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ex
Router#sh ru
Router#sh run
Router#sh running-config
Building configuration...

Current configuration : 1635 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco123 address 81.11.11.11
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 81.11.11.11 //(static ip of ASA )
set transform-set myset
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.137.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 172.20.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.137.1
ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 101 permit ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 110 deny ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 110 permit ip 172.20.0.0 0.0.255.255 any
!
!
!
!
route-map nonat permit 10
match ip address 110
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

Router#
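
Added example (not part of the original thread, and not code from Cisco or any poster): a Python check for the condition Rick points out, a shut-down interface whose subnet is the source network of the crypto ACL bound to the applied crypto map. The embedded text is an excerpt of the router configuration posted above; the function names are illustrative, and only numbered `access-list ... permit ip` entries are handled.

```python
import ipaddress

# Excerpt of the router config posted in this thread (key and unrelated lines omitted).
ROUTER_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.137.2 255.255.255.0
 crypto map mymap
!
interface FastEthernet0/1
 ip address 172.20.0.1 255.255.0.0
 shutdown
!
access-list 101 permit ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.255.255
"""


def take_network(tokens):
    """Pop one ACL address (any | host A | A WILDCARD); ipaddress accepts wildcard masks."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return interfaces, crypto map -> ACL ids, and ACL id -> permitted sources."""
    interfaces, map_acls, acl_sources = {}, {}, {}
    iface = cmap = None
    for words in (raw.split() for raw in text.splitlines()):
        if not words or words == ["!"]:
            iface = cmap = None  # "!" closes the current block
        elif words[0] == "interface":
            iface, cmap = words[1], None
            interfaces[iface] = {"network": None, "shutdown": False, "crypto_map": None}
        elif words[:2] == ["crypto", "map"] and iface is None and len(words) >= 4:
            cmap = words[2]  # global entry: crypto map NAME SEQ ipsec-isakmp
            map_acls.setdefault(cmap, [])
        elif words[:2] == ["match", "address"] and cmap:
            map_acls[cmap].append(words[2])
        elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
            acl_sources.setdefault(words[1], []).append(take_network(words[4:]))
        elif iface and words[:2] == ["ip", "address"] and len(words) >= 4 and words[2][0].isdigit():
            interfaces[iface]["network"] = ipaddress.ip_interface("/".join(words[2:4])).network
        elif iface and words == ["shutdown"]:
            interfaces[iface]["shutdown"] = True
        elif iface and words[:2] == ["crypto", "map"]:
            interfaces[iface]["crypto_map"] = words[2]
    return interfaces, map_acls, acl_sources


def shutdown_crypto_sources(text):
    """List shutdown interfaces whose subnet is a source in an applied crypto ACL."""
    interfaces, map_acls, acl_sources = parse_config(text)
    applied = {i["crypto_map"] for i in interfaces.values() if i["crypto_map"]}
    findings = []
    for cmap in sorted(applied):
        for acl in map_acls.get(cmap, []):
            for src in acl_sources.get(acl, []):
                for name, info in interfaces.items():
                    if info["shutdown"] and info["network"] and info["network"].overlaps(src):
                        findings.append(f"{name} ({info['network']}) is shutdown, sources ACL {acl}")
    return findings
```

Calling `shutdown_crypto_sources(ROUTER_CONFIG)` on the excerpt flags FastEthernet0/1 (172.20.0.0/16); with the `shutdown` line removed it returns an empty list.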
