Troubleshooting remote access VPN with IPSec Client "ERROR: IKE failed trying to create a session manager entry"

Michael Murray
Level 2

ASA 8.2(2)

IPSec Client 5.0.07.0440

Sometimes users connect fine. Other times they get the error on the client "Terminated by peer". I get the following error on the ASA at these times:

"ERROR: IKE failed trying to create a session manager entry"

Debug output of the entire session is as follows:

Oct 22 2015 16:55:57: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 847
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing SA payload
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing ke payload
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing ISA_KE payload
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing nonce payload
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing ID payload
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: IP = 2.2.2.156, Received xauth V6 VID
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: IP = 2.2.2.156, Received DPD VID
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: IP = 2.2.2.156, Received Fragmentation VID
Oct 22 2015 16:55:57: %ASA-7-715064: IP = 2.2.2.156, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: IP = 2.2.2.156, Received NAT-Traversal ver 02 VID
Oct 22 2015 16:55:57: %ASA-7-715047: IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: IP = 2.2.2.156, Received Cisco Unity client VID
Oct 22 2015 16:55:57: %ASA-7-713906: IP = 2.2.2.156, Connection landed on tunnel_group ASA
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing IKE SA payload
Oct 22 2015 16:55:57: %ASA-7-715028: Group = ASA, IP = 2.2.2.156, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing ISAKMP SA payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing ke payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing nonce payload
Oct 22 2015 16:55:57: %ASA-7-713906: Group = ASA, IP = 2.2.2.156, Generating keys for Responder...
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing ID payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing hash payload
Oct 22 2015 16:55:57: %ASA-7-715076: Group = ASA, IP = 2.2.2.156, Computing hash for ISAKMP
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing Cisco Unity VID payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing xauth V6 VID payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing dpd vid payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing NAT-Traversal VID ver 02 payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing NAT-Discovery payload
Oct 22 2015 16:55:57: %ASA-7-713906: Group = ASA, IP = 2.2.2.156, computing NAT Discovery hash
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing NAT-Discovery payload
Oct 22 2015 16:55:57: %ASA-7-713906: Group = ASA, IP = 2.2.2.156, computing NAT Discovery hash
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing Fragmentation VID + extended capabilities payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing VID payload
Oct 22 2015 16:55:57: %ASA-7-715048: Group = ASA, IP = 2.2.2.156, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 22 2015 16:55:57: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Oct 22 2015 16:55:57: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing hash payload
Oct 22 2015 16:55:57: %ASA-7-715076: Group = ASA, IP = 2.2.2.156, Computing hash for ISAKMP
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing notify payload
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing NAT-Discovery payload
Oct 22 2015 16:55:57: %ASA-7-713906: Group = ASA, IP = 2.2.2.156, computing NAT Discovery hash
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing NAT-Discovery payload
Oct 22 2015 16:55:57: %ASA-7-713906: Group = ASA, IP = 2.2.2.156, computing NAT Discovery hash
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715038: Group = ASA, IP = 2.2.2.156, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Oct 22 2015 16:55:57: %ASA-7-715047: Group = ASA, IP = 2.2.2.156, processing VID payload
Oct 22 2015 16:55:57: %ASA-7-715049: Group = ASA, IP = 2.2.2.156, Received Cisco Unity client VID
Oct 22 2015 16:55:57: %ASA-6-713172: Group = ASA, IP = 2.2.2.156, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing blank hash payload
Oct 22 2015 16:55:57: %ASA-7-715046: Group = ASA, IP = 2.2.2.156, constructing qm hash payload
Oct 22 2015 16:55:57: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE SENDING Message (msgid=ee2af8e8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE RECEIVED Message (msgid=ee2af8e8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, IP = 2.2.2.156, process_attr(): Enter!
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, IP = 2.2.2.156, Processing MODE_CFG Reply attributes.
Oct 22 2015 16:56:00: %ASA-6-113004: AAA user authentication Successful : server =  192.168.100.21 : user = master
Oct 22 2015 16:56:00: %ASA-6-113009: AAA retrieved default group policy (ASA) for user = master
Oct 22 2015 16:56:00: %ASA-6-113008: AAA transaction status ACCEPT : user = master
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: primary DNS = 192.168.100.21
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: secondary DNS = 192.168.100.10
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: primary WINS = cleared
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: secondary WINS = cleared
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: split tunneling list = ASA_splitTunnelAcl
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: default domain = cisco.local
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: IP Compression = disabled
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Oct 22 2015 16:56:00: %ASA-7-715019: Group = ASA, Username = master, IP = 2.2.2.156, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Oct 22 2015 16:56:00: %ASA-7-734003: DAP: User master, Addr 2.2.2.156: Session Attribute aaa.cisco.grouppolicy = ASA
Oct 22 2015 16:56:00: %ASA-7-734003: DAP: User master, Addr 2.2.2.156: Session Attribute aaa.cisco.username = master
Oct 22 2015 16:56:00: %ASA-7-734003: DAP: User master, Addr 2.2.2.156: Session Attribute aaa.cisco.tunnelgroup = ASA
Oct 22 2015 16:56:00: %ASA-6-734001: DAP: User master, Addr 2.2.2.156, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 22 2015 16:56:00: %ASA-7-713052: Group = ASA, Username = master, IP = 2.2.2.156, User (master) authenticated.
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing blank hash payload
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing qm hash payload
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE SENDING Message (msgid=b8bd4395) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE RECEIVED Message (msgid=b8bd4395) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, Username = master, IP = 2.2.2.156, process_attr(): Enter!
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, Username = master, IP = 2.2.2.156, Processing cfg ACK attributes
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE RECEIVED Message (msgid=6e118b8f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 180
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, Username = master, IP = 2.2.2.156, process_attr(): Enter!
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, Username = master, IP = 2.2.2.156, Processing cfg Request attributes
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for IPV4 address!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for IPV4 net mask!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for DNS server address!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for WINS server address!
Oct 22 2015 16:56:00: %ASA-5-713130: Group = ASA, Username = master, IP = 2.2.2.156, Received unsupported transaction mode attribute: 5
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Banner!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Save PW setting!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Default Domain Name!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Split Tunnel List!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Split DNS!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for PFS setting!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Client Browser Proxy Setting!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for backup ip-sec peer list!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for Application Version!
Oct 22 2015 16:56:00: %ASA-6-713184: Group = ASA, Username = master, IP = 2.2.2.156, Client Type: WinNT  Client Application Version: 5.0.07.0440
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for FWTYPE!
Oct 22 2015 16:56:00: %ASA-7-715053: Group = ASA, Username = master, IP = 2.2.2.156, MODE_CFG: Received request for DHCP hostname for DDNS is: netmanwin7!
Oct 22 2015 16:56:00: %ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
Oct 22 2015 16:56:00: %ASA-6-737026: IPAA: Client assigned 172.16.100.101 from local pool
Oct 22 2015 16:56:00: %ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'ASA'
Oct 22 2015 16:56:00: %ASA-7-713906: Group = ASA, Username = master, IP = 2.2.2.156, Obtained IP addr (172.16.100.101) prior to initiating Mode Cfg (XAuth enabled)
Oct 22 2015 16:56:00: %ASA-7-713906: Group = ASA, Username = master, IP = 2.2.2.156, Sending subnet mask (255.255.255.0) to remote client
Oct 22 2015 16:56:00: %ASA-6-713228: Group = ASA, Username = master, IP = 2.2.2.156, Assigned private IP address 172.16.100.101 to remote user
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing blank hash payload
Oct 22 2015 16:56:00: %ASA-7-715020: Group = ASA, Username = master, IP = 2.2.2.156, construct_cfg_set: default domain = cisco.local
Oct 22 2015 16:56:00: %ASA-7-715055: Group = ASA, Username = master, IP = 2.2.2.156, Send Client Browser Proxy Attributes!
Oct 22 2015 16:56:00: %ASA-7-715001: Group = ASA, Username = master, IP = 2.2.2.156, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Oct 22 2015 16:56:00: %ASA-7-715055: Group = ASA, Username = master, IP = 2.2.2.156, Send Cisco Smartcard Removal Disconnect enable!!
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing qm hash payload
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE SENDING Message (msgid=6e118b8f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 240
Oct 22 2015 16:56:00: %ASA-7-714003: IP = 2.2.2.156, IKE Responder starting QM: msg id = 09daffaf
Oct 22 2015 16:56:00: %ASA-7-715021: Group = ASA, Username = master, IP = 2.2.2.156, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Oct 22 2015 16:56:00: %ASA-3-211001: Memory allocation Error
Oct 22 2015 16:56:00: %ASA-4-713903: Group = ASA, Username = master, IP = 2.2.2.156, ERROR: IKE failed trying to create a session manager entry
Oct 22 2015 16:56:00: %ASA-7-715065: Group = ASA, Username = master, IP = 2.2.2.156, IKE AM Responder FSM error history (struct &0xdb58eee8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_PEND_QM, EV_ADD_SESS-->AM_TM_PEND_QM, EV_INIT_FIREWALL-->AM_TM_PEND_QM, EV_TM_OK-->AM_TM_PEND_QM, NullEvent-->AM_TM_INIT_MODECFG_V6H, EV_SND_MSG_TO_TM-->AM_TM_INIT_MODECFG_V6H, EV_RCV_NEW_QM_MSG-->AM_TM_INIT_MODECFG_V6H, NullEvent
Oct 22 2015 16:56:00: %ASA-7-713906: Group = ASA, Username = master, IP = 2.2.2.156, IKE SA AM:f8f201fb terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Oct 22 2015 16:56:00: %ASA-7-713906: Group = ASA, Username = master, IP = 2.2.2.156, sending delete/delete with reason message
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing blank hash payload
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing IKE delete payload
Oct 22 2015 16:56:00: %ASA-7-715046: Group = ASA, Username = master, IP = 2.2.2.156, constructing qm hash payload
Oct 22 2015 16:56:00: %ASA-7-713236: IP = 2.2.2.156, IKE_DECODE SENDING Message (msgid=b454505c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 22 2015 16:56:00: %ASA-6-737016: IPAA: Freeing local pool address 172.16.100.101
Oct 22 2015 16:56:00: %ASA-5-713904: IP = 2.2.2.156, Received encrypted packet with no matching SA, dropping

ASA config:

ASA-FW# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA-FW
names
dns-guard
!
interface Ethernet0/0
 shutdown
 nameif Old-Outside
 security-level 10
 no ip address
!
interface Ethernet0/1
 nameif Data
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif Voice
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/3
 nameif comcast
 security-level 0
 ip address 1.1.1.81 255.255.255.248
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.236.150 255.255.255.0
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name cisco.local
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service MailServerAccess
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq smtp
object-group service VoiceAccessPorts
 service-object tcp eq 5222
 service-object tcp eq sip
 service-object udp range 10000 20000
 service-object udp eq sip
 service-object tcp eq 8000
 service-object tcp eq 9000
 service-object tcp eq domain
object-group network SIPAttacks
 network-object host 178.63.244.22
 network-object host 199.180.116.135
 network-object host sipAttack1
 network-object host sipAttack4
 network-object host sipAttack5
 network-object host sipAttack6
 network-object host SIPAttack2015-5
 network-object host SIPAttack2015-1
 network-object host SIPAttack2015-3
 network-object host SIPAttack2015-4
 network-object host SIPAttack2015-2
 network-object host SIPAttack2015-6
 network-object host SIPAttack2015-7
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_2
 network-object MXLogicServers1 255.255.248.0
 network-object MXLogicServers2 255.255.248.0
object-group network DM_INLINE_NETWORK_3
 network-object host 1.1.1.81
 network-object host 1.1.1.84
 network-object host 1.1.1.85
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq sip
 service-object udp eq sip
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group network DM_INLINE_NETWORK_4
 network-object host 1.1.1.81
 network-object host 1.1.1.84
object-group network DM_INLINE_NETWORK_5
 network-object host 1.1.1.81
 network-object host 1.1.1.84
object-group network DM_INLINE_NETWORK_1
 network-object host PrivateMailserver
 network-object host 192.168.100.22
object-group service udp10000 udp
 port-object eq 10000
object-group service udp4500 udp
 port-object eq 4500
object-group service ESP50 udp
 port-object eq 50
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group service DM_INLINE_SERVICE_2
 service-object tcp gt 1
 service-object udp gt 1
object-group service DM_INLINE_SERVICE_3
 service-object tcp gt 1
 service-object udp gt 1
object-group service DM_INLINE_SERVICE_4
 service-object tcp gt 1
 service-object udp gt 1
object-group service DM_INLINE_SERVICE_5
 service-object tcp gt 1
 service-object udp gt 1
object-group network FonalityServerPublic
 network-object host PhonesOutside
object-group service VoiceAccessPorts_in
 service-object tcp eq 5222
 service-object tcp eq sip
 service-object udp range 10000 20000
 service-object udp eq sip
object-group service VoiceAccessPorts_out
 service-object tcp eq ftp
 service-object tcp eq domain
 service-object udp eq domain
 service-object tcp eq www
 service-object udp eq ntp
 service-object tcp eq https
 service-object tcp eq 8000
 service-object tcp eq 9000
 service-object icmp
access-list Data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 172.16.100.96 255.255.255.224
access-list Data_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.120.20.0 255.255.255.0
access-list Voice_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Voice_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Voice_access_in extended deny ip object-group SIPAttacks any
access-list Voice_access_in extended permit object-group VoiceAccessPorts_out host FonalityServerInside any
access-list Voice_access_in extended permit object-group VoiceAccessPorts_out host 192.168.200.11 any
access-list ASA_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list ASA_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list Voice_nat0_outbound_1 extended permit ip 192.168.200.0 255.255.255.0 172.16.100.96 255.255.255.224
access-list Data_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list Data_access_in extended deny tcp any any eq smtp
access-list Data_access_in extended deny udp any any eq sip
access-list Data_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list Data_access_in extended deny ip any any
access-list Data_access_in extended permit object-group DM_INLINE_SERVICE_4 any host 173.188.250.18
access-list Data_access_in extended permit esp any host 173.188.250.18
access-list Data_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 192.168.0.253 inactive
access-list ACL extended deny tcp any any eq sip
access-list comcast_access_in extended deny ip object-group SIPAttacks any
access-list comcast_access_in extended permit object-group MailServerAccess object-group DM_INLINE_NETWORK_2 host OutsideMail
access-list comcast_access_in extended permit tcp any host OutsideMail object-group DM_INLINE_TCP_4
access-list comcast_access_in extended permit tcp any host PhonesOutside eq telnet inactive
access-list comcast_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 eq 4899
access-list comcast_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq www
access-list comcast_access_in extended permit object-group VoiceAccessPorts_in host 208.71.145.198 host PhonesOutside
access-list comcast_access_in extended deny object-group DM_INLINE_SERVICE_1 any any
access-list comcast_access_in remark SSRS
access-list comcast_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq 8080
access-list comcast_access_in extended permit tcp any host 1.1.1.81 eq 3389
access-list comcast_access_in extended permit object-group DM_INLINE_SERVICE_5 host 173.188.250.18 any
access-list comcast_access_in extended permit esp host 173.188.250.18 any
access-list comcast_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list comcast_access_in extended permit object-group DM_INLINE_SERVICE_3 host 192.168.0.253 any inactive
access-list capcom extended deny ip host 70.91.136.118 any
access-list capcom extended deny ip any host 70.91.136.118
access-list capcom extended permit tcp any host PhonesOutside eq 9000
access-list capcom extended permit tcp any host PhonesOutside eq 8000
access-list capcom extended permit ip host PhonesOutside any
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 50000
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 106006
no logging message 106001
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 710007
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
mtu Old-Outside 1500
mtu Data 1500
mtu Voice 1500
mtu comcast 1500
mtu management 1500
ip local pool VPNClinet 172.16.100.100-172.16.100.120 mask 255.255.255.0
ip local pool webvpnpool 10.120.20.10-10.120.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (comcast) 1 interface
nat (Data) 0 access-list Data_nat0_outbound
nat (Data) 1 0.0.0.0 0.0.0.0
nat (Voice) 0 access-list Voice_nat0_outbound_1
nat (Voice) 0 access-list Voice_nat0_outbound outside
nat (Voice) 1 192.168.200.11 255.255.255.255
nat (Voice) 1 0.0.0.0 0.0.0.0 dns
static (Data,comcast) tcp 1.1.1.84 4899 192.168.100.15 4899 netmask 255.255.255.255
static (Data,comcast) tcp interface www 192.168.100.18 www netmask 255.255.255.255
static (Data,comcast) tcp interface 8080 192.168.100.18 8080 netmask 255.255.255.255
static (Data,comcast) tcp interface 4899 192.168.100.18 4899 netmask 255.255.255.255
static (Data,comcast) tcp 1.1.1.84 www 192.168.100.17 www netmask 255.255.255.255
static (Data,comcast) tcp 1.1.1.84 8080 192.168.100.17 8080 netmask 255.255.255.255
static (Data,comcast) tcp 1.1.1.85 4899 192.168.100.112 4899 netmask 255.255.255.255
static (Data,comcast) tcp interface 3389 PrivateMailserver 3389 netmask 255.255.255.255
static (Data,comcast) udp 1.1.1.84 isakmp 192.168.100.204 isakmp netmask 255.255.255.255
static (Data,comcast) udp 1.1.1.84 4500 192.168.100.204 4500 netmask 255.255.255.255
static (Data,comcast) udp 1.1.1.84 10000 192.168.100.204 10000 netmask 255.255.255.255
static (Data,comcast) tcp 1.1.1.84 50 192.168.100.204 50 netmask 255.255.255.255
static (Data,comcast) OutsideMail 192.168.100.22 netmask 255.255.255.255
static (Voice,comcast) PhonesOutside FonalityServerInside netmask 255.255.255.255
access-group Data_access_in in interface Data
access-group Voice_access_in in interface Voice
access-group comcast_access_in in interface comcast
route comcast 0.0.0.0 0.0.0.0 1.1.1.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Domain protocol nt
aaa-server Domain (Data) host 192.168.100.21
 nt-auth-domain-controller 192.168.100.21
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 Old-Outside
http 0.0.0.0 0.0.0.0 Voice
http 0.0.0.0 0.0.0.0 Data
http 0.0.0.0 0.0.0.0 comcast
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-SHA1 esp-aes esp-sha-hmac
crypto ipsec transform-set strong2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set strong2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map comcast_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map comcast_map interface comcast
crypto isakmp enable Data
crypto isakmp enable comcast
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 Old-Outside
ssh 192.168.100.0 255.255.255.0 Data
ssh 0.0.0.0 0.0.0.0 comcast
ssh timeout 30
console timeout 0
management-access Data
dhcpd address 192.168.100.150-192.168.100.219 Data
dhcpd dns 4.2.2.2 8.8.8.8 interface Data
dhcpd domain cisco.local interface Data
!
dhcpd address 192.168.200.100-192.168.200.199 Voice
dhcpd dns FonalityServerInside interface Voice
dhcpd option 66 ip FonalityServerInside interface Voice
dhcpd option 160 ip FonalityServerInside interface Voice
dhcpd enable Voice
!
priority-queue Old-Outside
  queue-limit   1000
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable comcast
 svc image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy ASA internal
group-policy ASA attributes
 dns-server value 192.168.100.21 192.168.100.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASA_splitTunnelAcl
 default-domain value cisco.local
group-policy employeegroup internal
group-policy employeegroup attributes
 dns-server value 192.168.100.21 192.168.100.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASA_splitTunnelAcl
tunnel-group ASA type remote-access
tunnel-group ASA general-attributes
 address-pool VPNClinet
 authentication-server-group Domain
 default-group-policy ASA
tunnel-group ASA ipsec-attributes
 pre-shared-key *****
tunnel-group empRADIUSgroup type remote-access
tunnel-group empRADIUSgroup general-attributes
 address-pool webvpnpool
 authentication-server-group Domain
 default-group-policy employeegroup
tunnel-group empRADIUSgroup webvpn-attributes
 group-alias employeegroup enable
 group-alias ASA enable
!
class-map global-class
 match port udp range 10000 20000
class-map voice
 match port tcp eq sip
!
!
policy-map global_policy
 class global-class
  priority
 class class-default
  inspect pptp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map voice
!
service-policy global_policy global
service-policy voice interface Old-Outside
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83ca3de8449f699b14c096d43b010db9
: end
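Added example, not part of Michael Murray's post or of Cisco's tooling: a small parser for the ASA syslog format shown in the debug output above. In the post, the only message above debug level that lands between the Quick Mode start and the `%ASA-4-713903` failure is `%ASA-3-211001: Memory allocation Error`, and it carries no `IP =` field, so it is easy to miss when reading per-peer lines. The script reconstructs each IKE failure's immediate context: it groups events by the peer address in the `IP = ...` field, treats messages without one as device-wide, and lists every severity-3-or-worse message logged within a short window before the failure. The two-second window and the severity threshold are assumptions chosen for illustration; the sample lines are an excerpt of the debug output posted above.

```python
"""Context finder for Cisco ASA IKE debug output (added example, not from the post).

Parses lines of the form '<Mon DD YYYY HH:MM:SS>: %ASA-<severity>-<msgid>: <text>'
and, for every 713903 'IKE failed trying to create a session manager entry',
collects the severity <= 3 (error or worse) messages logged shortly before it
that either belong to the same peer or carry no peer at all (device-wide
messages such as 211001 have no 'IP =' field).  Window and threshold are
assumptions made for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

ASA_LINE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)
# VPN subsystem prefix: "Group = ASA, Username = master, IP = 2.2.2.156, ..."
PEER_FIELDS = re.compile(r"\b(Group|Username|IP) = ([^,]+)")


@dataclass
class Event:
    ts: datetime
    sev: int               # 0 (emergencies) .. 7 (debugging)
    msg_id: str            # six-digit ASA message number, e.g. "713903"
    text: str
    peer: Optional[str]    # value of "IP = ..." if present, None for device-wide messages


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed ASA syslog line, None for anything else."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    fields = dict(PEER_FIELDS.findall(m["text"]))
    return Event(
        ts=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        sev=int(m["sev"]),
        msg_id=m["id"],
        text=m["text"],
        peer=fields.get("IP"),
    )


def ike_failure_causes(lines, failure_id: str = "713903", window_s: int = 2,
                       max_sev: int = 3) -> List[Tuple[Event, List[Event]]]:
    """For each failure event, return the preceding events within window_s seconds
    whose severity is max_sev or worse and which are either device-wide (no peer)
    or logged for the same peer as the failure."""
    events = [e for e in map(parse_line, lines) if e is not None]
    out: List[Tuple[Event, List[Event]]] = []
    for i, fail in enumerate(events):
        if fail.msg_id != failure_id:
            continue
        causes = [
            c for c in events[:i]
            if 0 <= (fail.ts - c.ts).total_seconds() <= window_s
            and c.sev <= max_sev
            and (c.peer is None or c.peer == fail.peer)
        ]
        out.append((fail, causes))
    return out


def report(lines) -> List[str]:
    """Human-readable rows: one per failure, indented rows for its candidate causes."""
    rows: List[str] = []
    for fail, causes in ike_failure_causes(lines):
        rows.append(f"{fail.ts:%H:%M:%S} peer={fail.peer} %ASA-{fail.sev}-{fail.msg_id}: {fail.text}")
        for c in causes:
            scope = "device-wide" if c.peer is None else f"peer={c.peer}"
            rows.append(f"    preceded by %ASA-{c.sev}-{c.msg_id} ({scope}): {c.text}")
        if not causes:
            rows.append("    no error-level message in window; widen window_s or raise max_sev")
    return rows


# Excerpt of the debug output from the post above, trimmed to the lines around the failure.
SAMPLE_LINES = [
    "Oct 22 2015 16:56:00: %ASA-6-713228: Group = ASA, Username = master, IP = 2.2.2.156, Assigned private IP address 172.16.100.101 to remote user",
    "Oct 22 2015 16:56:00: %ASA-7-714003: IP = 2.2.2.156, IKE Responder starting QM: msg id = 09daffaf",
    "Oct 22 2015 16:56:00: %ASA-7-715021: Group = ASA, Username = master, IP = 2.2.2.156, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress",
    "Oct 22 2015 16:56:00: %ASA-3-211001: Memory allocation Error",
    "Oct 22 2015 16:56:00: %ASA-4-713903: Group = ASA, Username = master, IP = 2.2.2.156, ERROR: IKE failed trying to create a session manager entry",
    "Oct 22 2015 16:56:00: %ASA-7-713906: Group = ASA, Username = master, IP = 2.2.2.156, IKE SA AM:f8f201fb terminating:  flags 0x0945c001, refcnt 0, tuncnt 0",
    "Oct 22 2015 16:56:00: %ASA-5-713904: IP = 2.2.2.156, Received encrypted packet with no matching SA, dropping",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run against the full buffered log (`show logging`) rather than this excerpt to see whether the 211001 message accompanies every intermittent failure or only this one; device-wide messages are matched to any peer failing in the same window on purpose, because an allocation failure is not attributable to one tunnel.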