ASA to AWS VPN - Phase 2 Issue

I have an issue with Phase 2 connecting to AWS VPN. I've been banging my head for days... please help.

Error log https://imgur.com/elY9GZ8
show crypto ipsec sa peer https://imgur.com/t0wkRhv

I see no decaps...
Config below; any help appreciated... super frustrating.

HDASA# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname HDASA
domain-name HD.CORP
enable password rlP5Dq7.VlYddeXg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 65.213.123.123 255.255.255.192
!
interface GigabitEthernet0/1
nameif VLAN111
security-level 100
ip address 10.1.111.3 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup VLAN111
dns server-group DefaultDNS
name-server 10.1.100.10
name-server 10.1.100.11
domain-name HD.CORP
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 7811_Remote
subnet 172.17.0.0 255.255.0.0
object network NETWORK_OBJ_10.1.111.0_24
subnet 10.1.111.0 255.255.255.0
object network NETWORK_OBJ_10.1.100.0_24
subnet 10.1.100.0 255.255.255.0
object network NETWORK_OBJ_10.1.101.0_24
subnet 10.1.101.0 255.255.255.0
object network NETWORK_OBJ_10.1.105.0_24
subnet 10.1.105.0 255.255.255.0
object network NETWORK_OBJ_10.1.107.0_24
subnet 10.1.107.0 255.255.255.0
object network NETWORK_OBJ_10.1.108.0_24
subnet 10.1.108.0 255.255.255.0
object network NETWORK_OBJ_10.1.109.0_24
subnet 10.1.109.0 255.255.255.0
object network NETWORK_OBJ_10.1.0.0_16
subnet 10.1.0.0 255.255.0.0
object network Dovetail
subnet 192.168.201.0 255.255.255.0
description Dovetail
object network Omniture
subnet 10.152.154.0 255.255.255.192
object network 251DMZ
subnet 192.168.251.0 255.255.255.0
description 251DMZ
object network NETWORK_OBJ_10.1.112.0_26
subnet 10.1.112.0 255.255.255.192
object network JDA_10.227.202.0
subnet 10.227.202.0 255.255.255.0
object network JDASourceNat
range 10.1.100.0 10.1.111.1
description JDASource NAT
object network JDASourceNAT
host 65.213.234.197
description JDASourceNAT
object network edgeWebHosting
subnet 10.10.206.0 255.255.254.0
description 10.10.206/23
object network RockledgeSuperNet
subnet 10.1.100.0 255.255.254.0
description SuperNet LAN
object network TMCulpepper
subnet 10.152.154.0 255.255.255.192
object network TMCulpepper2
subnet 10.152.150.192 255.255.255.224
object network Strongmail
subnet 192.168.144.0 255.255.255.0
description Strongmail
object network HoTLAN(50.50.0.0)
subnet 50.50.0.0 255.255.224.0
description HoT LAN 50.50 (EL Paso)
object network HoTLAN(10.10.0.0)
subnet 10.10.0.0 255.255.0.0
description HoT LAN 10.10 (El Paso)
object network 50.50.10.36
host 50.50.10.36
description Harmony Project
object network 10.10.10.99
host 10.10.10.99
object network 50.50.10.1
host 50.50.10.1
object network 50.50.10.66
host 50.50.10.66
object network 10.10.13.6
host 10.10.13.6
description oraclevirtual2
object network 10.10.13.4
host 10.10.13.4
object network Rockfish
host 192.168.201.4
description For ACC to mydovetail
object network 10.99.115.10
host 10.99.115.10
object network 10.99.115.11
host 10.99.115.11
object network 10.99.116.194
host 10.99.116.194
object network 10.99.116.190
host 10.99.116.190
object network prod.HOT123.com
host 10.10.12.100
description Production EBS Virtual
object network prod1.HOT123.com
host 10.10.12.15
description Production EBS cluster
object network prod2.HOT123.com
host 10.10.12.16
description Production EBS cluster
object network prod3.HOT123.com
host 10.10.12.14
description Production EBS cluster
object network 10.99.0.0
subnet 10.99.0.0 255.255.0.0
object network INTERNAL_HDCORE
host 10.1.111.2
object network INTERNAL_RBSH
host 10.1.111.7
object network obj-SrcNet
subnet 10.1.0.0 255.255.0.0
object network obj-amzn
subnet 172.31.0.0 255.255.0.0
object-group network Local_NETS
network-object object NETWORK_OBJ_10.1.101.0_24
network-object object NETWORK_OBJ_10.1.100.0_24
network-object object NETWORK_OBJ_10.1.105.0_24
network-object object NETWORK_OBJ_10.1.107.0_24
network-object object NETWORK_OBJ_10.1.108.0_24
network-object object NETWORK_OBJ_10.1.109.0_24
network-object object NETWORK_OBJ_10.1.111.0_24
network-object 10.1.112.0 255.255.255.0
network-object object Dovetail
object-group network Remote_NATS
network-object object 7811_Remote
network-object object 251DMZ
object-group network DM_INLINE_NETWORK_1
network-object object NETWORK_OBJ_10.1.100.0_24
network-object object NETWORK_OBJ_10.1.101.0_24
network-object object NETWORK_OBJ_10.1.105.0_24
object-group network DM_INLINE_NETWORK_3
network-object object TMCulpepper
network-object object TMCulpepper2
object-group network DM_INLINE_NETWORK_4
network-object object NETWORK_OBJ_10.1.100.0_24
network-object object NETWORK_OBJ_10.1.101.0_24
network-object object Dovetail
object-group network DM_INLINE_NETWORK_5
network-object object NETWORK_OBJ_10.1.100.0_24
network-object object NETWORK_OBJ_10.1.101.0_24
network-object object 7811_Remote
network-object object Dovetail
object-group network DM_INLINE_NETWORK_6
network-object object Omniture
network-object object TMCulpepper2
object-group network DM_INLINE_NETWORK_2
network-object object NETWORK_OBJ_10.1.100.0_24
network-object 172.17.17.0 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object 172.17.17.0 255.255.255.0
network-object object NETWORK_OBJ_10.1.100.0_24
network-object object Rockfish
object-group network DM_INLINE_NETWORK_7
network-object object Dovetail
network-object object TMCulpepper
object-group network DM_INLINE_NETWORK_8
network-object 10.152.0.0 255.255.0.0
network-object object Dovetail
object-group network SERENE_ACCESS_FOR_ORACLE
description 10.
network-object object 10.10.10.99
network-object object 50.50.10.1
network-object object 50.50.10.36
network-object object 50.50.10.66
network-object host 10.10.10.100
network-object object 10.10.13.6
network-object object 10.10.13.4
network-object object 10.99.115.10
network-object object 10.99.115.11
network-object object 10.99.116.194
network-object object 10.99.116.190
network-object object prod.HOT123.com
network-object object prod1.HOT123.com
network-object object prod2.HOT123.com
network-object object prod3.HOT123.com
network-object host 10.10.12.111
network-object host 10.10.12.110
network-object 10.10.0.0 255.255.0.0
network-object host 10.10.115.10
network-object host 10.1.100.10
network-object object 10.99.0.0
access-list OUTSIDE_cryptomap extended permit ip object-group Local_NETS object-group Remote_NATS
access-list OUTSIDE_cryptomap extended permit ip 10.1.111.0 255.255.255.0 object 7811_Remote
access-list OUTSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list OUTSIDE_access_in extended permit tcp host 24.227.185.99 object INTERNAL_HDCORE eq ssh
access-list OUTSIDE_access_in extended permit tcp host 204.14.168.2 object INTERNAL_HDCORE eq ssh
access-list OUTSIDE_access_in extended permit tcp host 24.227.185.99 object INTERNAL_RBSH eq www
access-list OUTSIDE_access_in extended permit tcp host 204.14.168.2 object INTERNAL_RBSH eq www
access-list OUTSIDE_access_in extended permit gre host 66.203.81.165 host 65.213.123.123
access-list OUTSIDE_access_in extended permit esp host 66.203.81.165 host 65.213.123.123
access-list OUTSIDE_access_in extended permit udp host 66.203.81.165 host 65.213.123.123 eq isakmp
access-list OUTSIDE_access_in extended permit udp host 66.203.81.165 host 65.213.123.123 eq 4500
access-list OUTSIDE_access_in extended permit ah host 66.203.81.165 host 65.213.123.123
access-list OUTSIDE_access_in extended permit ip host 34.194.203.168 host 65.213.123.123
access-list OUTSIDE_access_in extended permit ip host 52.2.95.89 host 65.213.123.123
access-list OUTSIDE_access_in extended permit icmp host 34.194.203.168 host 65.213.123.123
access-list split-tunnel remark Production EBS Cluster
access-list split-tunnel standard permit 10.10.12.0 255.255.255.0
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list split-tunnel standard permit 172.17.0.0 255.255.0.0
access-list split-tunnel standard deny 192.168.144.0 255.255.255.0
access-list split-tunnel standard deny 10.152.0.0 255.255.0.0
access-list split-tunnel standard permit 10.99.0.0 255.255.0.0
access-list split-tunnel remark HOT123
access-list split-tunnel standard permit 50.50.10.0 255.255.255.0
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list OUTSIDE_cryptomap_5 extended permit ip object RockledgeSuperNet object edgeWebHosting
access-list OUTSIDE_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list HOTACCESS_ACL extended permit ip 10.1.0.0 255.255.0.0 object-group SERENE_ACCESS_FOR_ORACLE
access-list OUTSIDE_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_9 host 66.203.81.165
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging list Access-list_Deny level informational
logging list Access-list_Deny message 106100
logging list cfg-changes message 111008-111010
logging list VPN_log level informational
logging list VPN_log message 109038
logging list VPN_log message 713052
logging list VPN_log message 113019
logging buffer-size 16384
logging monitor warnings
logging buffered warnings
logging trap cfg-changes
logging history informational
logging asdm errors
logging mail Access-list_Deny
logging from-address HDASA@HOT123.com
logging recipient-address aalvarez@HOT123.com level emergencies
logging permit-hostdown
logging class auth monitor warnings trap informational
logging class config trap informational
logging class ids mail informational trap informational
logging class ip trap errors
logging class np trap errors
logging class rm trap errors
logging class session mail informational trap informational
logging class sys trap informational
logging class vpdn trap errors
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
mtu OUTSIDE 1500
mtu VLAN111 1500
mtu management 1500
ip local pool User_pool 10.1.112.10-10.1.112.50 mask 255.255.255.0
ip local pool Webvpn_POOL 10.1.112.200-10.1.112.220 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (VLAN111,OUTSIDE) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (VLAN111,OUTSIDE) source static NETWORK_OBJ_10.1.111.0_24 NETWORK_OBJ_10.1.111.0_24 destination static 7811_Remote 7811_Remote no-proxy-arp route-lookup
nat (VLAN111,OUTSIDE) source static NETWORK_OBJ_10.1.0.0_16 NETWORK_OBJ_10.1.0.0_16 destination static NETWORK_OBJ_10.1.112.0_26 NETWORK_OBJ_10.1.112.0_26
nat (any,any) source static RockledgeSuperNet RockledgeSuperNet destination static edgeWebHosting edgeWebHosting no-proxy-arp description EdgeWebNat
nat (any,any) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp inactive
nat (VLAN111,OUTSIDE) source static any any destination static NETWORK_OBJ_10.1.112.0_26 NETWORK_OBJ_10.1.112.0_26 no-proxy-arp route-lookup
nat (any,any) source static any JDASourceNAT destination static JDA_10.227.202.0 JDA_10.227.202.0
!
object network INTERNAL_HDCORE
nat (VLAN111,OUTSIDE) static 65.213.234.253
object network INTERNAL_RBSH
nat (VLAN111,OUTSIDE) static 65.213.234.252
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 65.213.234.193 1
route VLAN111 10.1.100.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.1.101.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.1.105.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.1.106.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.1.107.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.1.108.0 255.255.255.0 10.1.111.2 1
route VLAN111 10.10.0.0 255.255.0.0 10.1.111.2 1
route VLAN111 172.17.0.0 255.255.0.0 10.1.111.2 1
route VLAN111 192.168.144.0 255.255.255.0 10.1.111.2 1
route VLAN111 192.168.201.0 255.255.255.0 10.1.111.2 1
route VLAN111 0.0.0.0 0.0.0.0 10.1.111.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HD_Radius protocol radius
max-failed-attempts 5
aaa-server HD_Radius (VLAN111) host 10.1.100.10
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
aaa-server HD-AD protocol ldap
max-failed-attempts 5
aaa-server HD-AD (VLAN111) host 10.1.100.10
ldap-base-dn dc=HD, dc=CORP
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=jwilliams-cw, cn=users, dc=HD, dc=CORP
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.111.0 255.255.255.0 VLAN111
http 10.1.101.0 255.255.255.0 VLAN111
http 10.1.100.0 255.255.255.0 VLAN111
http 10.1.112.0 255.255.255.0 OUTSIDE
http 10.1.112.0 255.255.255.0 VLAN111
http 10.1.105.0 255.255.255.0 VLAN111
http 172.17.0.0 255.255.0.0 VLAN111
http 10.10.0.0 255.255.0.0 VLAN111
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 172.31.0.10 interface OUTSIDE
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df OUTSIDE
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set pfs group1
crypto map OUTSIDE_map 1 set peer 63.78.123.123
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 3 match address OUTSIDE_cryptomap_4
crypto map OUTSIDE_map 3 set pfs group5
crypto map OUTSIDE_map 3 set peer 66.203.81.165
crypto map OUTSIDE_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_3
crypto map OUTSIDE_map 4 set peer 209.251.178.4 209.251.178.73
crypto map OUTSIDE_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 5 match address OUTSIDE_cryptomap_5
crypto map OUTSIDE_map 5 set pfs
crypto map OUTSIDE_map 5 set peer 69.63.129.113
crypto map OUTSIDE_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map OUTSIDE_map 5 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map OUTSIDE_map 5 set ikev2 pre-shared-key *****
crypto map OUTSIDE_map 6 match address acl-amzn
crypto map OUTSIDE_map 6 set pfs
crypto map OUTSIDE_map 6 set peer 34.194.203.168 52.2.95.89
crypto map OUTSIDE_map 6 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 6 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=HDASA
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASA_VPN_Cert
enrollment self
keypair ASA_VPN_Cert_key
crl configure
crypto ca trustpoint CiscoMfgCert
enrollment terminal
crl configure
crypto ca trustpoint UCM_CAPF_Cert
enrollment terminal
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint4
keypair ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint4-1
crl configure
crypto ca trustpoint ASDM_TrustPoint4-2
crl configure
crypto ca trustpoint ASDM_TrustPoint5
crl configure
crypto ca trustpoint ASDM_TrustPoint6
keypair ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint7
crl configure
crypto ca trustpoint ASDM_TrustPoint8
keypair ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint9
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint10
keypair ASDM_TrustPoint4
crl configure

crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 enable VLAN111
crypto ikev2 remote-access trustpoint ASDM_TrustPoint6
crypto ikev1 enable OUTSIDE
crypto ikev1 enable VLAN111
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 20
ssh 10.1.112.0 255.255.255.0 OUTSIDE
ssh 10.1.101.0 255.255.255.0 VLAN111
ssh 10.1.112.0 255.255.255.0 VLAN111
ssh 10.1.105.0 255.255.255.0 VLAN111
ssh 10.10.0.0 255.255.0.0 VLAN111
ssh 10.1.100.0 255.255.255.0 VLAN111
ssh 10.1.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
management-access VLAN111
dhcp-client broadcast-flag
dhcp-client client-id interface OUTSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41 source OUTSIDE prefer
ntp server 206.246.118.250 source OUTSIDE
ssl encryption aes128-sha1
ssl trust-point ASDM_TrustPoint10 OUTSIDE
ssl certificate-authentication interface OUTSIDE port 443
webvpn
enable OUTSIDE
default-idle-timeout 3600
anyconnect image disk0:/anyconnect-win-3.1.05187-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles Anyconnect_client_profile disk0:/Anyconnect_client_profile.xml
anyconnect profiles HOTACCESS_client_profile disk0:/hotaccess_client_profile.xml
anyconnect profiles Remote_Access_client_profile disk0:/Remote_Access_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GUEST_REMOTEACCESS internal
group-policy GUEST_REMOTEACCESS attributes
dns-server value 10.1.100.10 10.1.100.11
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
default-domain value HD.CORP
group-policy GroupPhoneWebvpn internal
group-policy GroupPhoneWebvpn attributes
banner none
wins-server none
dns-server value 10.1.100.10 10.1.100.11
vpn-simultaneous-logins 2
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ssl-client
default-domain value HD.CORP
address-pools value Webvpn_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 120
anyconnect ssl rekey time 4
anyconnect ssl rekey method new-tunnel
anyconnect dpd-interval client none
anyconnect dpd-interval gateway 300
anyconnect ssl compression deflate
anyconnect ask none default webvpn
group-policy GroupPolicy_66.203.81.165 internal
group-policy GroupPolicy_66.203.81.165 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
wins-server none
dns-server value 10.1.100.10 10.1.100.11
vpn-tunnel-protocol ikev2 ssl-client
default-domain value HD.CORP
webvpn
anyconnect profiles value Anyconnect_client_profile type user
group-policy GroupPolicy_63.78.123.123 internal
group-policy GroupPolicy_63.78.123.123 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_Remote_Access internal
group-policy GroupPolicy_Remote_Access attributes
wins-server value 10.1.100.11
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev2 l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value HD.CORP
webvpn
anyconnect profiles value Remote_Access_client_profile type user
anyconnect ask none default anyconnect
group-policy GroupPolicy_69.63.129.113 internal
group-policy GroupPolicy_69.63.129.113 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_209.251.178.73 internal
group-policy GroupPolicy_209.251.178.73 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy HOTACCESS internal
group-policy HOTACCESS attributes
dns-server value 10.1.100.10
vpn-filter value HOTACCESS_ACL
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value HD.CORP
split-dns value HOT123.com hd.corp corp.phillips.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value HOTACCESS_client_profile type user
group-policy remote_access1 internal
group-policy remote_access1 attributes
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value HD.CORP
split-dns value hd.corp corp.phillips.com
split-tunnel-all-dns enable
group-policy remote_access internal
group-policy remote_access attributes
dns-server value 10.1.100.10 10.1.100.11
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
default-domain value HD.CORP
group-policy HD_remoteaccess internal
group-policy HD_remoteaccess attributes
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value HD.CORP
split-dns value hd.corp corp.phillips.com
split-tunnel-all-dns enable
webvpn
url-list value HD
customization value DfltCustomization
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter

tunnel-group 63.78.123.123 type ipsec-l2l
tunnel-group 63.78.123.123 general-attributes
default-group-policy GroupPolicy_63.78.123.123
tunnel-group 63.78.123.123 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Remote_Access type remote-access
tunnel-group Remote_Access general-attributes
address-pool User_pool
authorization-server-group LOCAL
default-group-policy remote_access1
tunnel-group Remote_Access webvpn-attributes
group-alias Remote_Access enable
tunnel-group Remote_Access ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HD_remoteaccess type remote-access
tunnel-group HD_remoteaccess general-attributes
address-pool User_pool
authentication-server-group HD_Radius
default-group-policy HD_remoteaccess
tunnel-group HD_remoteaccess webvpn-attributes
group-alias HD enable
tunnel-group HD_remoteaccess ipsec-attributes
ikev1 pre-shared-key *****
ikev1 radius-sdi-xauth
tunnel-group VPNphone type remote-access
tunnel-group VPNphone general-attributes
address-pool Webvpn_POOL
authentication-server-group HD_Radius LOCAL
default-group-policy GroupPhoneWebvpn
tunnel-group VPNphone webvpn-attributes
group-url https://hdvpn.hd.com/VPNphone enable
tunnel-group CertOnlyTunnelGroup type remote-access
tunnel-group CertOnlyTunnelGroup general-attributes
default-group-policy GroupPhoneWebvpn
tunnel-group CertOnlyTunnelGroup webvpn-attributes
authentication certificate
group-url https://65.213.123.123/CertOnly enable
tunnel-group 69.63.129.113 type ipsec-l2l
tunnel-group 69.63.129.113 general-attributes
default-group-policy GroupPolicy_69.63.129.113
tunnel-group 69.63.129.113 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 209.251.178.73 type ipsec-l2l
tunnel-group 209.251.178.73 general-attributes
default-group-policy GroupPolicy_209.251.178.73
tunnel-group 209.251.178.73 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool User_pool
address-pool Webvpn_POOL
authentication-server-group HD_Radius
default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
tunnel-group GUEST_REMOTEACCESS type remote-access
tunnel-group GUEST_REMOTEACCESS general-attributes
address-pool User_pool
default-group-policy remote_access1
tunnel-group GUEST_REMOTEACCESS ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HOTACCESS type remote-access
tunnel-group HOTACCESS general-attributes
address-pool User_pool
address-pool Webvpn_POOL
default-group-policy HOTACCESS
tunnel-group HOTACCESS webvpn-attributes
group-alias HOTACCESS enable
tunnel-group HOTACCESS ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 66.203.81.165 type ipsec-l2l
tunnel-group 66.203.81.165 general-attributes
default-group-policy GroupPolicy_66.203.81.165
tunnel-group 66.203.81.165 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 34.194.203.168 type ipsec-l2l
tunnel-group 34.194.203.168 general-attributes
default-group-policy filter
tunnel-group 34.194.203.168 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group 52.2.95.89 type ipsec-l2l
tunnel-group 52.2.95.89 general-attributes
default-group-policy filter
tunnel-group 52.2.95.89 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:a2b4fc39acafa0e1130df26336b1d0ac
: end
HDASA#


Shakti Kumar
Cisco Employee
Hi richard@skylo.net,

Can you confirm whether Azure is using a policy-based or route-based tunnel? Or share the complete output of the logs from ASDM; the logs were not complete, so I couldn't see what was in the local proxy.


thanks
Shakti

Hi Shakti, sorry, it's Amazon AWS. AWS only uses route-based routing on their end.

Here's a better view of the logs https://imgur.com/Rnl9dq0

Let me know if I can show anything else that might help.

Hi richard@skylo.net,

I was expecting that. The configuration that you have in place is for a policy-based VPN. ASA supports route-based VPN from 9.7.1. If you are using an X-series ASA, you can upgrade the code and follow the document below for creating a route-based VPN:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200982-ASA-IPsec-VTI-connection-Amazon-Web-Serv.html

Policy-based VPN: managed by ACLs

Route-based VPN: managed by routing


Thanks
Shakti
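An added example, not from this thread, from Cisco, or from AWS: a small Python script that pulls the IKEv1 Phase 2 parameters (proxy IDs from the crypto ACL, transform set, PFS group, SA lifetime, peers) out of crypto map entry 6 in the config posted above, so the ASA's policy-based proposal can be compared item by item with what the peer side is configured to accept. The config excerpt embedded in the script is constructed from that post; the ASA defaults it assumes (group2 for a bare `set pfs`, 28800 s SA lifetime when the entry sets none) are the documented ones.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the running-config posted above: only the lines that
# decide what the ASA proposes in IKEv1 Phase 2 (the IPsec SA) to the AWS peers.
ASA_CONFIG = """\
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map OUTSIDE_map 6 match address acl-amzn
crypto map OUTSIDE_map 6 set pfs
crypto map OUTSIDE_map 6 set peer 34.194.203.168 52.2.95.89
crypto map OUTSIDE_map 6 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 6 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface OUTSIDE
"""


@dataclass
class Phase2Proposal:
    """What the ASA will offer for one crypto map entry."""
    peers: List[str] = field(default_factory=list)
    acl: Optional[str] = None
    proxies: List[Tuple[str, str]] = field(default_factory=list)  # (local, remote)
    transform_names: List[str] = field(default_factory=list)
    transforms: Dict[str, List[str]] = field(default_factory=dict)
    pfs_group: Optional[str] = None      # None means PFS is not requested
    lifetime_s: int = 28800              # ASA default when the entry sets none


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length, e.g. 255.255.0.0 -> 16."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def _endpoint(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACL address term at tok[i]; return (CIDR text, next index)."""
    t = tok[i]
    if t in ("any", "any4"):
        return "0.0.0.0/0", i + 1
    if t == "host":
        return f"{tok[i + 1]}/32", i + 2
    if t in ("object", "object-group"):
        return f"{t}:{tok[i + 1]}", i + 2     # left unresolved on purpose
    return f"{t}/{mask_to_prefix(tok[i + 1])}", i + 2


def extract_phase2(config: str, map_name: str, seq: int) -> Phase2Proposal:
    """Collect the Phase 2 parameters of `crypto map <map_name> <seq>`."""
    acls: Dict[str, List[List[str]]] = {}
    tsets: Dict[str, List[str]] = {}
    p = Phase2Proposal()
    prefix = f"crypto map {map_name} {seq} "
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            acls.setdefault(tok[1], []).append(tok[4:])   # protocol src dst
        elif line.startswith("crypto ipsec ikev1 transform-set "):
            tsets[tok[4]] = tok[5:]
        elif line.startswith(prefix):
            rest = tok[4:]
            if rest[:2] == ["match", "address"]:
                p.acl = rest[2]
            elif rest[:2] == ["set", "peer"]:
                p.peers = rest[2:]
            elif rest[:2] == ["set", "pfs"]:
                # a bare 'set pfs' means Diffie-Hellman group2 on the ASA
                p.pfs_group = rest[2] if len(rest) > 2 else "group2"
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                p.transform_names = rest[3:]
            elif rest[:4] == ["set", "security-association", "lifetime", "seconds"]:
                p.lifetime_s = int(rest[4])
    p.transforms = {n: tsets.get(n, []) for n in p.transform_names}
    for ace in acls.get(p.acl, []):
        local, i = _endpoint(ace, 1)      # ace[0] is the protocol keyword
        remote, _ = _endpoint(ace, i)
        p.proxies.append((local, remote))
    return p


def phase2_checks(p: Phase2Proposal) -> List[str]:
    """Items to compare against the peer's configuration before changing the ASA."""
    notes = []
    for local, remote in p.proxies:
        if local == "0.0.0.0/0":
            notes.append(f"local proxy is wildcard for remote {remote}; "
                         f"peer must accept 0.0.0.0/0 <-> {remote}")
    notes.append("PFS " + (f"on ({p.pfs_group})" if p.pfs_group else "off"))
    for name, algs in p.transforms.items():
        notes.append(f"transform {name}: {' '.join(algs) or 'UNDEFINED'}")
    notes.append(f"SA lifetime {p.lifetime_s}s")
    return notes


if __name__ == "__main__":
    prop = extract_phase2(ASA_CONFIG, "OUTSIDE_map", 6)
    print("peers:", prop.peers, "proxies:", prop.proxies)
    for n in phase2_checks(prop):
        print("-", n)
```

Run it against the full `more system:running-config` output with the map name and sequence number of any other crypto map entry to get the same summary for that peer.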

Thanks for the reply Shakti!

We have a 5525-X; a show ver says we're on 8.6.

Cisco Adaptive Security Appliance Software Version 8.6(1)2

Is the only option to upgrade the code and then do route-based VPN?

Are there any downsides to this? I don't want to interfere with any existing VPN connections we have...

THX!

Richard

Hi richard@skylo.net,

There will be no issues with the other VPNs, but I highly recommend engaging TAC during the upgrade. When gathering the "sh run", collect it using the command "more system:running-config" so that it captures the pre-shared keys in clear text.

Since you are going for a major upgrade, you can follow the upgrade path mentioned in the documentation below:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116685-problemsolution-product-00.html

If you don't want to go for an upgrade, you can:

a.) either configure AWS for policy-based VPN, or
b.) use Cisco IOS or IOS-XE; they support route-based VPN.

Thanks
Shakti