show crypto ipsec sa peer b.b.b.b (to ASA 5505 IP from Cisco 877)

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2946, #pkts encrypt: 2946, #pkts digest: 2946
    #pkts decaps: 892, #pkts decrypt: 892, #pkts verify: 892
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 294, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x30F54E07(821382663)

     inbound esp sas:
      spi: 0xADD39892(2916325522)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 321, flow_id: Motorola SEC 1.0:321, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4461833/3537)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x30F54E07(821382663)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 322, flow_id: Motorola SEC 1.0:322, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4461832/3537)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 587, #pkts encrypt: 587, #pkts digest: 587
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1953, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xA796E5A1(2811684257)

     inbound esp sas:
      spi: 0x4F62578D(1331845005)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 319, flow_id: Motorola SEC 1.0:319, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4414232/3497)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA796E5A1(2811684257)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 320, flow_id: Motorola SEC 1.0:320, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4414231/3497)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3
    Crypto map tag: SDM_CMAP_1, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

----------------------------------------------------------------------------------------

show crypto ipsec sa peer a.a.a.a (to Cisco 877 from ASA 5505 IP)

peer address: a.a.a.a
    Crypto map tag: WAN_map, seq num: 2, local addr: b.b.b.b

      access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: a.a.a.a

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: b.b.b.b, remote crypto endpt.: a.a.a.a

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: ADD39892
      current inbound spi : 30F54E07

    inbound esp sas:
      spi: 0x30F54E07 (821382663)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4373999/2975)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0xADD39892 (2916325522)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2975)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: WAN_map, seq num: 1, local addr: b.b.b.b

      access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: a.a.a.a

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: b.b.b.b, remote crypto endpt.: a.a.a.a

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4F62578D
      current inbound spi : A796E5A1

    inbound esp sas:
      spi: 0xA796E5A1 (2811684257)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4373999/2933)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x4F62578D (1331845005)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: WAN_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2932)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

----------------------------------------------------------------------------------------------

Also during monitoring of DHCP there is no assigned ip via dhcp. In my opinion it's strange too.

Thanks

Hi Nick,

Thank you for the reply, i see that on the ASA the packets are getting decrypted but the reply packets are not getting encrypted and sent back.

I would like to point on the issue probably around the ASA end point,

a> Now I see that on the ASA you have two crypto maps with same peer IP address on both, please remove the second crypto map (crypto map WAN_map 2)and in the first crypto map's access-list (WAN_1_cryptomap) add the below entry.

access-list WAN_1_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

b>  regarding the dhcpd not working, please add this command to enable it on OLD-Private interface

dhcpd enable OLD-Private

dhcpd dns (dns server ip address)

c> ensure that the hosts behind the OLD-Privatre interface are receiving the ip address.

d> now get the tunnel back up and verify if the traffic is flowing

If the issue still persits please execute the below command on the asa and get me the output

packet-tracer input OLD-Private icmp 192.168.17.10 8 0 192.168.10.33

do not worry about the ip address in the above command, just execute it and let me know the results of the same.

e> I just wanted to let you know this that the security level on all the interfaces are 0, the private lan usually has a securilty level of 100 and the internet facing interface has 0.

Thanks.

Usaid.K

Thanks for your help.

So, after changes ASA configuration become:

...
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0202
nameif OLD-Private
security-level 100
ip address 192.168.17.3 255.255.255.0
ospf cost 10

interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0206
nameif Management
security-level 100
ip address 192.168.1.3 255.255.255.0
ospf cost 10

...

access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

...

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400

...

dhcpd dns 192.168.17.80 (<------------------------------- Not sure which DNS IP should use Internal or External)
!
dhcpd address 192.168.17.95-192.168.17.99 OLD-Private
dhcpd enable OLD-Private
!
dhcpd address 192.168.1.100-192.168.1.131 Management
dhcpd enable Management

---------------------------------------------------------------------------------------------------------------

All hosts behind the OLD-Privatre interface have IP from DHCP server or Static IP.

The result of command packet-tracer input OLD-Private icmp 192.168.17.155 8 0 192.168.10.7 (ASA is able to ping 192.168.17.155 byself)

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip OLD-Private 192.168.17.0 255.255.255.0 WAN 192.168.10.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
  match ip OLD-Private any WAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
  match ip OLD-Private any WAN any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: OLD-Private
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------------------------------------------------------------------------------------------

P.S. still no DHCP leases. See attached image

Thanks

Hi all,

The problem still persist and very annoying. Will be appresiate for your help.

Cheers

Hi Nick,

Sorry for  the delay,

attached is the link below to configure dhcp on ASA, please ensure that the configuration is according the document.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806c1cd5.shtml

The Issue is with the machines behind the ASA not replying back, we can verify this by placing captures on the ASA, to do the same please follow

the steps given below.

Please enter an IP address which is pingable from ASA and router in the access-list given below.

1> access-list capin permit ip host (Behind ASA host local IP address) host (Behind Router local IP address)

access-list capin permit ip host (Behind Router local IP address) host (Behind ASA host local IP address)

Ex: access-list capin permit ip host 192.168.17.10 host 192.168.10.11

      access-list capin permit ip host 192.168.10.11 host  192.168.17.10

Note: The ip address 192.168.17.10 must be reachable when pinged from ASA

and the ip address 192.168.10.11 should be reachble from router.

2>  capture capin interface OLD-Private access-list capin

3> Now initiate the ping from the machine which is present in the access-list (behind the router) to the destination mentioned in the access-list ( behind the ASA)

4> please enter this command to see the captures show capture capin

5> Paste the output of the captures here and i will get back to you.

Regards,

Usaid.K

Hi Usaid,

ASA able to ping 192.168.17.155, also 877 able to ping 192.168.10.7.

I've added

>access-list capin permit ip host 192.168.17.155

>access-list capin permit ip host 192.168.10.7

>capture capin interface OLD-Private access-list capin

Result of ping and RDP

7 packets captured

   1: 14:43:28.641766 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
   2: 14:43:31.571290 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
   3: 14:43:37.573746 802.1Q vlan#2 P0 192.168.10.7.51639 > 192.168.17.155.3389: S 1985400044:1985400044(0) win 8192
   4: 14:44:12.176107 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
   5: 14:44:17.123605 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
   6: 14:44:22.123879 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
   7: 14:44:27.124612 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request
7 packets shown

DHCP configuration checking right now.

Cheers

Hi Nick,

Thanks for the reply,

I see from the captures that for RDP the SYN packets are going to the machine 192.168.17.155 but the ame machine is not replying back to

192.168.10.7.

It is the same with ping as well, the echo-request are going in, but the echo-reply are not comoing back to the interface because the machine is not responding back to the echo-request.

So there is somehting wrong in your internal lan, please check the configuration of the switch behind the ASA and also check if there are any routers behind the ASA which might not be sending packets back to the ASA

If you can attach a topology of your netowrk it would be great.

Lets verify if the packets are coming to the ASA in first place by initianing a ping and RDP request from the ASA local host.

please enter the following configuration on the ASA, you can copy these commands and paste it on the terminal window.

clear configure access-list capin

access-list capin permit ip host 192.18.17.155 host 192.168.10.7

access-list capin permit ip host 192.168.10.7 host 192.168.17.155

no capture capin

capture capin interface OLD-Private access-list capin

Now initate the RDP request and ping request from 192.168.17.155 to 192.168.10.7

please use these command to see the captures show capture capin

And please provide me the output of capture.

Regards,

Usaid.K

CANRT2(config)# clear configure access-list capin

CANRT2(config)# access-list capin permit ip host 192.18.17.155 host 192.168.10$

CANRT2(config)# access-list capin permit ip host 192.168.10.7 host 192.168.17.$

CANRT2(config)# no capture capin

CANRT2(config)# capture capin interface OLD-Private access-list capin

CANRT2(config)# show capture capin

6 packets captured

   1: 15:37:15.907820 802.1Q vlan#2 P0 192.168.10.7.55314 > 192.168.17.155.3389: S 1051493393:1051493393(0) win 8192

   2: 15:37:21.908461 802.1Q vlan#2 P0 192.168.10.7.55314 > 192.168.17.155.3389: S 1051493393:1051493393(0) win 8192

   3: 15:37:34.494710 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request

   4: 15:37:39.483953 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request

   5: 15:37:44.488957 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request

   6: 15:37:49.483983 802.1Q vlan#2 P0 192.168.10.7 > 192.168.17.155: icmp: echo request

6 packets shown

My topology quite difficult.

ASA connected directly to ISP provider. 0/0 - ISP. 0/6 - Switch.

Also Juniper SRX connected directly to ISP. 1 Switch connected to Juniper. 192.168.17.155 connected to Switch.

192.168.17.155 able to ping and trace cisco internal interface 192.168.17.3.

Cisco unable to traceroute 192.168.17.155, but able to ping (probably firewall settings)

Cheers

Hi Nick,

Please provide the captures when you are intitating ping from 192.168.17.155 to 192.168.10.7

for the same please do this before you do the ping.

clear capture capin

(((((then ping 192.168.10.7 from 192.168.17.155))))

the enter this command show capture capin and provide me with the output.

Thanks,

Usaid.k

Hi Syed,

Sorry for long-long delay. I was very sick.

Let back to our sheeps (russian proverb)

There are 2 responces from Cisco ASA:

Result of the command: "clear capture capin"

ERROR: Capture does not exist

Result of the command: "show capture capin"

ERROR: Capture does not exist

Also there are no messages in Syslog during ping from 192.168.17.155 to 192.168.10.7. By the way I need VPN just in one way - from office 192.168.10.x to 192.168.1.x and 192.168.17.x

Cheers

Hi Syed and all cisco geeks,

The problem is solved. I'm able to RDP, SMB, ping and what ever I need from office to remote network.

Unfortunatelly it still doesn't assign DHCP, but works properly.

The problem was here:

nat (OLD-Private) 0 access-list LAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0

Correct settings:

global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0

Plus add few changes for Reverse NAT (access from remote lan to local)

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0

nat (WAN) 0 access-list inside_nat0_outbound

There is my full config

!
ASA Version 8.2(2)
!
hostname ASA2
domain-name default.domain.invalid
enable password password encrypted
passwd password  encrypted
names
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0002
nameif WAN
security-level 100
ip address b.b.b.b 255.255.248.0
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0202
nameif OLD-Private
security-level 0
ip address 192.168.17.3 255.255.255.0
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0206
nameif Management
security-level 0
ip address 192.168.1.3 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
banner login                    ** W A R N I N G **
banner login   Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login            to the fullest extent of the law.
banner motd                    ** W A R N I N G **
banner motd   Unauthorized access prohibited. All access is
banner motd monitored, and trespassers shall be prosecuted
banner motd            to the fullest extent of the law.
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit ip interface OLD-Private interface WAN log debugging inactive
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 log debugging inactive
access-list OLD-PRIVATE_access_in extended permit object-group TCPUDP host 192.168.10.7 any log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.10.254 interface OLD-Private log debugging inactive
access-list OLD-PRIVATE_access_in extended permit icmp host 192.168.17.155 interface OLD-Private log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging debug-trace
logging class auth trap debugging
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host a.a.a.a WAN
icmp deny any WAN
icmp permit host 192.168.10.7 WAN
icmp permit host b.b.b.b WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (WAN) 1 0.0.0.0 0.0.0.0

nat (WAN) 0 access-list inside_nat0_outbound
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer a.a.a.a
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh a.a.a.a 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config Management
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN_IP
username administrator password password encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool VPN_Admin_IP
default-group-policy admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
default-group-policy admin
tunnel-group a.a.a.a ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!