09-26-2016 06:53 PM
Hi Guys, I need help over here!
I successfully set up a VPN between an ASA and a Fortigate using the VPN wizard. The tunnel is up, and I am running a continuous ping test and telnet from a trusted host on both sides.
I can see that the ASA is receiving traffic from the Fortigate but not transmitting any traffic. I think the problem is on the ASA side. I sincerely need advice from the experts here. Thanks!
ASA host network | Fortigate host network
172.16.0.0/24    | 192.168.55.0/24
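As an added example (not code from this thread), a small checker that expands ASA network objects and object-groups and reports which crypto-map ACLs cover a given host-to-host flow, such as the 172.16.0.0/24 to 192.168.55.0/24 pair in the question; the config excerpt inside it is constructed from object names in the running-config posted later in the thread, not the full configuration. One hit is the healthy result; several hits mean more than one crypto-map sequence claims the same interesting traffic, which is one of the things to rule out (alongside NAT exemption and routing) when the ASA decrypts but never encrypts.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt: names follow the running-config posted later in this thread,
# but this is sample input, not the full configuration.
SAMPLE_CONFIG = """
object network 172.22.2.0range
 subnet 172.22.2.0 255.255.255.0
object network 192.168.55.0_network
 subnet 192.168.55.0 255.255.255.0
object network 172.17.132.0_network
 subnet 172.17.132.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_12
 network-object 172.16.0.0 255.255.255.0
 network-object 172.22.1.0 255.255.255.0
 network-object object 172.22.2.0range
object-group network DM_INLINE_NETWORK_14
 network-object 172.16.0.0 255.255.255.0
 network-object object 172.22.2.0range
access-list Citic1_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_4 object-group DM_INLINE_NETWORK_12 object 192.168.55.0_network
access-list Citic1_cryptomap_5 extended permit ip 172.16.0.0 255.255.255.0 object 172.17.132.0_network
access-list Citic1_cryptomap_6 extended permit object-group DM_INLINE_PROTOCOL_4 object-group DM_INLINE_NETWORK_14 object 192.168.55.0_network
"""

def net(tokens):
    """Address spec as written inside objects/groups: 'host X' or 'A.B.C.D MASK'."""
    spec = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    return ipaddress.ip_network(spec, strict=False)

def parse_config(text):
    """Return (objects, groups, acls): name -> [ip_network] for the first two,
    ACL name -> [(action, src_nets, dst_nets)] for the third."""
    objects, raw_groups, acl_lines = {}, {}, defaultdict(list)
    current = None  # (kind, name) of the object or group being filled in
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object" and t[1] == "network":
            current, objects[t[2]] = ("obj", t[2]), []
        elif t[0] == "object-group" and t[1] == "network":
            current, raw_groups[t[2]] = ("grp", t[2]), []
        elif t[0] in ("object", "object-group"):
            current = None  # service/protocol definitions carry no addresses
        elif t[0] in ("subnet", "host") and current and current[0] == "obj":
            objects[current[1]].append(net(t if t[0] == "host" else t[1:]))
        elif t[0] == "network-object" and current and current[0] == "grp":
            raw_groups[current[1]].append(t[1:])  # resolved once all objects are known
        elif t[0] == "access-list" and len(t) > 3 and t[2] == "extended":
            acl_lines[t[1]].append(t[3:])
    groups = {name: [n for item in items
                     for n in (objects[item[1]] if item[0] == "object" else [net(item)])]
              for name, items in raw_groups.items()}
    acls = {n: [parse_ace(e, objects, groups) for e in es] for n, es in acl_lines.items()}
    return objects, groups, acls

def take_addr(t, i, objects, groups):
    """Consume one ACE address spec at t[i]; return (networks, index after it)."""
    if t[i] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object":
        return objects[t[i + 1]], i + 2
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return [net(t[i:i + 2])], i + 2  # 'host X' or 'A.B.C.D MASK'

def parse_ace(t, objects, groups):
    """t = tokens after 'extended': action, protocol spec, src, dst, [log ...]."""
    i = 3 if t[1] in ("object", "object-group") else 2  # protocol may be an object
    src, i = take_addr(t, i, objects, groups)
    dst, _ = take_addr(t, i, objects, groups)
    return t[0], src, dst

def covering_acls(text, src_ip, dst_ip, prefix="Citic1_cryptomap"):
    """Names of crypto ACLs (selected by prefix) whose permit entries cover src->dst.
    One hit is what you want; several means overlapping crypto-map sequences."""
    _, _, acls = parse_config(text)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for name, entries in acls.items():
        if name.startswith(prefix):
            for action, src, dst in entries:
                if action == "permit" and any(s in n for n in src) and any(d in n for n in dst):
                    hits.append(name)
                    break
    return hits

if __name__ == "__main__":
    for flow in (("172.16.0.10", "192.168.55.5"), ("172.16.0.10", "172.17.132.9"),
                 ("10.1.1.51", "192.168.55.5")):
        print(flow, covering_acls(SAMPLE_CONFIG, *flow))
```

Run it against the real `show running-config` text with the crypto ACL prefix of the outside interface; `range` objects are not expanded by this parser and would need a `summarize_address_range` branch.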
09-26-2016 07:01 PM
Hi,
Please share the output of the following commands:
"terminal pager 0"
"more system:running-config"
You have attached a backup copy of the running configuration. It is not clear and needs a lot of time to understand each and every command.
Regards,
Deepak Kumar
www.deepuverma.in
09-26-2016 07:07 PM
Hi, below is the output of the command:
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
!
ASA Version 9.5(1)
!
hostname PFPL-TTGB
domain-name phillip.com.sg
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
multicast-routing
names
name 61.8.253.39 TTFIXDROPCOPY description TTFIXDROPCOPY
name 10.2.2.8 DR-CQ-INTERNET-DMZ description For DR CQ Server(Alpha)
name 10.2.2.10 TTNETFIXDCPROXY description Fix Proxy for CS TTNet download
name 61.8.253.40 TTNETFIXDCPROXY-Public description DropCopy for CS
name 10.43.160.167 Aston_Alliance_Svr1
name 10.43.160.164 Aston_Alliance_Svr2
name 10.43.160.17 Aston_Alliance_Svr3
name 10.43.160.94 Aston_Alliance_Svr4
name 10.43.160.212 Aston_Alliance_Svr5
name 10.43.160.0 aston_ip_range
name 10.1.1.52 ASL_SVR2 description windows O.S
name 10.1.1.51 ASL_SVR1 description Linux O.S
name 10.43.168.0 astonalliance_new_ip_range
name 198.133.169.122 PhillipUS_OCC1 description Host at OCC
name 10.2.2.12 PhillipUS_MQ1 description To PhillipUS_OCC
name 198.133.169.199 PhillipUS_OCC2 description host at OCC
name 192.168.50.15 PhillipHK_Ore description phillipHK Ore server
name 203.208.164.84 CQG_Public_IP_Address description for testing to CQG public ip
name 10.4.4.0 LAN_Svrs_NAT_Range description for LAN devices purpose
name 10.4.4.8 GB_DR_ORE_Natted_IP description DR_Ore translated ip
name 172.16.0.8 GB_DR_ORE description DR Ore server
name 192.168.169.0 ObjectPlus_IP
name 63.247.112.0 ECSPROD.QMGR
name 63.247.113.207 ICEQMGRPS
name 63.247.113.0 ICEQMGRUAT
name 61.8.253.38 ICE_MAPPED_SOURCE_IP
name 10.107.60.165 RC_SNMP_SVR description for testing purpose
name 208.92.148.18 PhillipUS_host2 description for PMO UAT user
name 213.127.177.66 PhillipUS_host1 description for PMO UAT user
name 203.116.20.141 pfpl_testing_host
name 172.16.0.2 PFPL_DR_CQSGINTRANET
name 61.8.253.41 DR_CQSGINTRA_MAPPED_IP
name 24.148.64.145 ObjectPlusIP1 description ObjectPlusIP
name 24.1.228.125 Objectplus2 description ObjectPlus
name 61.8.253.42 Nanhua_testing_Webserver
name 172.16.0.55 Nanhua_testing_Intranet_Srv
name 172.16.0.100 Nanhua_testing_DB_Srv
name 172.16.0.7 DR_DC
name 61.8.253.43 Nanhua_testing_mapped_ip description for SQL mappied ip
name 10.1.1.53 ASL_SVR3 description using windows O.S
name 10.1.1.55 ASL_SVR5
name 10.1.1.54 ASL_SVR4 description using Linux O.S
name 10.1.1.56 ASL_SVR6
name 10.1.1.57 ASL_SVR7
name 10.44.198.64 FastFillUser description for Pats purpose
name 10.44.204.1 Pats_Natted_Source_IP description translated ip address for PhillipUS_MQ1
name 172.22.1.9 TT-FIX_source
name 10.10.20.1 Sanjayconnect description sanjay
name 10.10.20.2 Sanjayconnect2 description Sanjayconnect2
name 202.66.204.235 PFPLGBFTP description PFPLGBFTP
ip local pool Support_AnyConnect_pool 10.200.200.1-10.200.200.20 mask 255.255.255.0
ip local pool ITsupport-Pool 10.222.222.1-10.222.222.10 mask 255.255.255.0
ip local pool SanjayAnyconnect 10.10.20.0-10.10.20.4 mask 255.255.255.252
!
interface GigabitEthernet0/0
nameif Citic1
security-level 0
ip address 202.66.204.231 255.255.255.224 standby 202.66.204.232
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/1
nameif Citic2
security-level 0
ip address 119.73.155.171 255.255.255.224 standby 119.73.155.172
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/2
description "TT Users Lan"
nameif TTUser
security-level 50
no ip address
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/2.16
vlan 16
nameif User_Lan
security-level 50
ip address 172.16.0.60 255.255.255.0 standby 172.16.0.61
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/3
nameif Server_Mgmt
security-level 100
ip address 172.22.1.220 255.255.255.0 standby 172.22.1.221
!
interface GigabitEthernet0/3.223
vlan 223
nameif TTUser_Mig
security-level 100
ip address 172.22.3.254 255.255.255.0 standby 172.22.3.253
igmp forward interface Server_Mgmt
!
interface GigabitEthernet0/4
nameif 10.1.1.X
security-level 50
ip address 10.1.1.200 255.255.255.0 standby 10.1.1.201
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/4.2
vlan 2
nameif TT-Svr
security-level 50
ip address 10.2.2.200 255.255.255.0 standby 10.2.2.201
no pim
no igmp
no mfib forwarding
!
interface GigabitEthernet0/5
description LAN/STATE Failover Interface
!
interface Management0/0
management-only
nameif Mgmt
security-level 100
ip address 172.22.5.220 255.255.255.0 standby 172.22.5.221
no pim
no igmp
no mfib forwarding
!
boot system disk0:/asa951-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone SGT 8
dns server-group DefaultDNS
domain-name phillip.com.sg
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Mgmt-Subnet
subnet 172.22.1.0 255.255.255.0
description Management Subnet
object network User-Lan-172.16.0.0
subnet 172.16.0.0 255.255.255.0
object network NETWORK_OBJ_10.200.200.0_27
subnet 10.200.200.0 255.255.255.224
object network NETWORK_OBJ_10.222.222.0_28
subnet 10.222.222.0 255.255.255.240
object network LAN16-Interface
host 172.16.0.60
object service TCP-8080
service tcp destination eq 8080
object network Mgmt-Svr-Net
subnet 172.22.1.0 255.255.255.0
object network PFRemote1
subnet 172.22.1.6 255.255.255.255
description TT_Remote_Server1
object network PFREMOTE1_Citic1_publicIP
host 202.66.204.226
description PFREMOTE1_publicIP
object service TT_10200
service tcp source range 1 65535 destination eq 10200
description TT_10200
object network PFRemote2
host 172.22.1.7
object network PFREMOTE2_Citic1_publicIP
host 202.66.204.227
object network PFREMOTE1_Citic2_publicIP
host 119.73.155.189
object network PROMOTE2_Citic2_publicIP
host 119.73.155.188
description PROMOTE2_Citic2_publicIP
object network PFH_TTFIX_Citic1
host 202.66.204.228
description PFH_TTFIX_Citic1
object network PFH_TTFIX_DropCopy
host 172.22.1.9
description PFH_TTFIX_DropCopy
object network PFH_TTFIX_Citic2
host 119.73.155.187
description PFH_TTFIX_Citic2
object network PRCS1
host 172.22.1.5
description PRCS1
object network PRCS1_Citic1_PublicIP
host 202.66.204.225
description PRCS1_Citic1_PublicIP
object network PRCS1_Citic2_PublicIP
host 119.73.155.186
description PRCS1_Citic2_PublicIP
object network Web1.CQNANHUA.com
host 172.16.0.34
object network CQNANHUA_Citic1_PublicIP
host 202.66.204.229
object network CQNANHUA_Citic2_PublicIP
host 119.73.155.185
object service CQNANHUA_443
service tcp source range 1 65535 destination eq https
object service CQNANHUA_80
service tcp source range 1 65535 destination eq www
object network TTUser_Mig
subnet 172.22.3.0 255.255.255.0
object service TTUser_MIG
service tcp source range 1 65535 destination range 1 65535
object service ServerMng_Service
service tcp source range 1 65535 destination range 1 65535
object network Alston_Capital_Taiwan1
host 192.168.252.3
object network Alston_Capital_Taiwan2
host 192.168.252.2
object network Alston_Capital_TW1
host 172.17.120.79
description Alston_Capital_TW1
object network PFPLTTHKFIXGW
host 172.22.1.3
description PFPLTTHKFIXGW
object network CapitalFutNetwork1
subnet 172.17.122.0 255.255.255.0
description CapitalFutNetwork1
object network CapitalFutNetwork2
subnet 172.17.120.0 255.255.255.0
description CapitalFutNetwork2
object service VPNCAPTW
service udp source eq isakmp destination eq isakmp
description VPNCAPTW
object network CapitalFuturePub
host 60.248.102.98
description CapitalFuturePub
object network SvrMgmtIP
host 172.22.1.220
object network ASL_SVR1
subnet 10.1.1.51 255.255.255.255
description Linux O.S
object network ASL_SVR2
subnet 10.1.1.52 255.255.255.255
description windows O.S
object network ASL_SVR3
subnet 10.1.1.53 255.255.255.255
description using windows O.S
object network ASL_SVR4
subnet 10.1.1.54 255.255.255.255
description using Linux O.S
object network ASL_SVR5
subnet 10.1.1.55 255.255.255.255
object network ASL_SVR6
subnet 10.1.1.56 255.255.255.255
object network ASL_SVR7
subnet 10.1.1.57 255.255.255.255
object network Aston_Ip_Range
subnet 10.43.160.0 255.255.255.0
description Aston_Ip_Range/24
object network Aston_Alliance_Range2
subnet 10.43.168.0 255.255.255.0
description Aston_Alliance_Range2
object network 10_1_1Xrange
subnet 10.1.1.0 255.255.255.0
description 10_1_1Xrange
object network BML_PublicIP
host 202.66.204.230
description BML_PublicIP
object network BML_host
host 172.22.1.21
description BML_host
object service BML_10604
service tcp source range 1 65535 destination eq 10604
description BML_10604
object service BML_10603
service tcp source range 1 65535 destination eq 10603
description BML_10603
object service RDP_Port
service tcp source eq 3389 destination eq 3389
description RDP_Port
object service RDP_Port2
service udp source eq 3389 destination eq 3389
description RDP_Port2
object network BML_PublicIP2
host 119.73.155.184
description BML_PublicIP2
object service TaiwanPort5001
service tcp destination eq 5001
description TaiwanPort5001
object service TaiwanPort5002
service tcp destination eq 5002
description TaiwanPort5002
object network PFPLGBFTP
host 202.66.204.235
object network FTPhost
host 10.1.1.40
description FTPhost
object network PFPLGBFTP2
host 119.73.155.183
description PFPLGBFTP2
object network PhillipUS_MQ1
host 10.2.2.12
description To PhillipUS_OCC
object network PhillipUS_OCC1
host 198.133.169.122
description Host at OCC
object network PhillipUS_OCC2
host 198.133.169.199
description host at OCC
object network 10_2_2Range
subnet 10.2.2.0 255.255.255.0
description 10_2_2Range
object network 119.73.155.182_CQUSPRYSMMQ_public
host 119.73.155.182
description Citic2_CQUSPRYSMMQ_public
object network 10.2.2.12_CQUSPRYSM_localIP
host 10.2.2.12
description 10.2.2.12_CQUSPRYSM_localIP
object network 202.66.204.236_CQUSPRYSMMQ_public
host 202.66.204.236
description Citic1_CQUSPRYSMMQ_public
object network Host_16027
host 172.16.0.27
description Host_16027
object network Desmond_Host1
host 172.16.0.225
description Desmond_Host1
object network Desmond_Host2
host 172.16.0.127
description Desmond_Host2
object network 1721602Web
host 172.16.0.2
object network 1721602WebPublic
host 202.66.204.237
description 1721602WebPublic
object service 1721602
service tcp source range 1 65535 destination eq https
object service 1721602Http
service tcp source range 1 65535 destination eq www
object network 1721602Public2
host 119.73.155.181
description 1721602Public2
object network 1721615Web
host 172.16.0.15
description 1721615Web
object network 1721615public1
host 202.66.204.238
description 1721615public1
object service 17216015htps
service tcp source range 1 65535 destination eq https
description 17216015htps
object service 1721615htp
service tcp source range 1 65535 destination eq www
object network 17216015Public2
host 119.73.155.180
description 17216015Public2
object network DRHost1627
host 172.16.0.27
description TestHost1627
object network CBCPhillip1
host 74.93.83.225
description CBCPhillip1
object network CQGFTP1
host 66.77.164.189
description CQG FTP1
object network GUAVAFTP1
host 208.92.148.18
description GUAVAFTP1
object network PhillipSGFTP
host 203.116.20.141
description PhillipSGFTP
object service SmtpPortNanhua
service tcp source eq smtp destination eq smtp
description SmtpPortNanhua
object network user-L-172.16.0.0
subnet 172.16.0.0 255.255.255.0
object network CQGFTPSOURCE2
host 208.48.16.8
description CQG new source IP
object network 63.247.113.33
host 63.247.113.33
description ICE MQ IP
object network 208.92.144.91
host 208.92.144.91
description Phillip US source
object service ICEMQport
service tcp source eq 1420 destination eq 1420
description ICEMQport
object service TCP4000TWS
service tcp destination eq 4000
description TWS
object service Flex_27195
service tcp source range 1 65535 destination eq 27195
description Flex_27195
object service FLEX7101
service tcp source eq 7101 destination eq 7101
description FLEX7101
object network 172.22.2.0range
subnet 172.22.2.0 255.255.255.0
description TTNET range
object service TCP6990
service tcp destination eq 6990
object service UDP6990
service udp destination eq 6990
object network 192.168.55.0_network
subnet 192.168.55.0 255.255.255.0
object network 172.17.132.0_network
subnet 172.17.132.0 255.255.255.0
object network 172.17.212.0_network
subnet 172.17.212.0 255.255.255.0
object network CQGSFTP
host 172.16.0.92
object network Currenex
host 172.16.0.94
object network 172.16.0.91-116
range 172.16.0.91 172.16.0.116
object network 192.168.55.3-6
range 192.168.55.3 192.168.55.6
object network Citic1_interface
host 202.66.204.231
object service 443
service tcp destination eq https
object network Currenex_WAN_Access
host 172.16.0.94
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object icmp
service-object object TCP-8080
object-group network DM_INLINE_NETWORK_1
network-object object CapitalFutNetwork1
network-object object CapitalFutNetwork2
object-group service Incoming_Services
description Incoming_Services
service-object icmp
service-object esp
service-object ah
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq ssh
service-object udp destination eq isakmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group service Outgoing_Internet
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object object TCP4000TWS
object-group service DM_INLINE_SERVICE_17
service-object ip
service-object object TT_10200
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object icmp
group-object Outgoing_Internet
object-group service DM_INLINE_SERVICE_3
service-object icmp
group-object Outgoing_Internet
service-object icmp echo
object-group service DM_INLINE_SERVICE_6
service-object udp destination eq isakmp
service-object ip
service-object tcp destination eq exec
service-object udp destination eq biff
service-object icmp
service-object icmp information-reply
service-object icmp echo-reply
service-object udp
service-object tcp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object pim
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp
service-object pim
service-object icmp echo
service-object icmp echo-reply
object-group network ASL_Servers_Group
description ASL_Servers_Group
network-object object ASL_SVR1
network-object object ASL_SVR2
network-object object ASL_SVR3
network-object object ASL_SVR4
network-object object ASL_SVR5
network-object object ASL_SVR6
network-object object ASL_SVR7
object-group service TaiwanPORT
service-object icmp
service-object object TaiwanPort5001
service-object object TaiwanPort5002
object-group service DM_INLINE_SERVICE_7
service-object object TaiwanPort5001
service-object object TaiwanPort5002
service-object icmp
object-group network DM_INLINE_NETWORK_2
network-object object Aston_Alliance_Range2
network-object object Aston_Ip_Range
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_10
service-object object BML_10603
service-object object BML_10604
service-object tcp
object-group network DM_INLINE_NETWORK_3
network-object object Aston_Alliance_Range2
network-object object Aston_Ip_Range
object-group network DM_INLINE_NETWORK_4
network-object object Alston_Capital_Taiwan1
network-object object PFPLTTHKFIXGW
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_6
network-object object Aston_Alliance_Range2
network-object object Aston_Ip_Range
object-group network Internal_Access_Group
description Internal_Access_Group22
network-object object PFH_TTFIX_DropCopy
network-object object PFRemote1
network-object object PFRemote2
network-object object PRCS1
object-group service DM_INLINE_SERVICE_8
service-object object BML_10603
service-object object BML_10604
service-object tcp
object-group service DM_INLINE_SERVICE_9
service-object object BML_10603
service-object object BML_10604
service-object object RDP_Port
service-object tcp
object-group service DM_INLINE_SERVICE_11
service-object tcp
service-object tcp destination eq ftp
service-object tcp destination eq telnet
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_12
service-object tcp
service-object tcp destination eq ftp
service-object tcp destination eq telnet
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_13
service-object tcp
service-object tcp destination eq ftp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_5
network-object object PhillipUS_OCC1
network-object object PhillipUS_OCC2
object-group network DM_INLINE_NETWORK_7
network-object object PhillipUS_OCC1
network-object object PhillipUS_OCC2
object-group network DM_INLINE_NETWORK_8
network-object object PhillipUS_OCC1
network-object object PhillipUS_OCC2
object-group service DM_INLINE_SERVICE_14
service-object icmp
service-object icmp time-exceeded
object-group network DM_INLINE_NETWORK_9
network-object object Desmond_Host1
network-object object Desmond_Host2
network-object object Host_16027
object-group network FTPSFTPGroup
description FTPSFTP
network-object object CBCPhillip1
network-object object CQGFTP1
network-object object GUAVAFTP1
network-object object PhillipSGFTP
network-object object CQGFTPSOURCE2
object-group network DM_INLINE_NETWORK_10
network-object host 172.22.1.5
network-object object PRCS1
object-group service DM_INLINE_SERVICE_15
service-object tcp
service-object object TT_10200
service-object object ICEMQport
service-object object Flex_27195
service-object object FLEX7101
object-group network DM_INLINE_NETWORK_11
network-object object 208.92.144.91
network-object object 63.247.113.33
object-group service TCP4000 tcp
port-object eq 4000
object-group network DM_INLINE_NETWORK_12
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_13
network-object object 172.17.132.0_network
network-object object 172.17.212.0_network
object-group service DM_INLINE_SERVICE_16
service-object tcp-udp destination eq www
service-object tcp destination eq ftp
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_18
service-object tcp-udp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_14
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_15
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_16
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_12
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_17
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_13
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_18
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_14
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_19
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_15
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_20
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_16
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_21
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_17
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_22
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_18
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_23
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_19
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_24
network-object object 172.17.132.0_network
network-object object 172.17.212.0_network
object-group protocol DM_INLINE_PROTOCOL_20
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_21
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_25
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group protocol DM_INLINE_PROTOCOL_22
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_26
network-object 172.16.0.0 255.255.255.0
network-object 172.22.1.0 255.255.255.0
network-object object 172.22.2.0range
object-group network DM_INLINE_NETWORK_27
network-object object 172.17.132.0_network
network-object object 172.17.212.0_network
object-group protocol DM_INLINE_PROTOCOL_23
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_28
network-object object 172.17.132.0_network
network-object object 172.17.212.0_network
object-group protocol DM_INLINE_PROTOCOL_24
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_29
network-object object 172.17.132.0_network
network-object object 172.17.212.0_network
access-list LAN16_access_in extended permit object-group DM_INLINE_SERVICE_1 172.16.0.0 255.255.255.0 any log
access-list LAN16_access_in extended permit object-group DM_INLINE_SERVICE_14 any any
access-list LAN16_access_in extended deny ip any any log
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list IT_Support_AC_ACL extended permit object-group DM_INLINE_PROTOCOL_1 object Mgmt-Subnet any4
access-list TTUser_Mig_in extended permit object-group DM_INLINE_SERVICE_3 172.22.3.0 255.255.255.0 any
access-list TTUser_Mig_in extended permit ip object TTUser_Mig object Mgmt-Subnet
access-list LAN16_mpc_1 extended permit tcp any4 eq www host 172.16.0.62
access-list LAN16_mpc extended permit tcp host 172.16.0.62 any4 eq www
access-list LAN16_mpc_2 extended permit tcp object User-Lan-172.16.0.0 any4 object-group DM_INLINE_TCP_1
access-list LAN16_mpc_3 extended permit tcp any4 object-group DM_INLINE_TCP_2 object User-Lan-172.16.0.0
access-list Lan22_dot1 extended permit tcp any4 eq www host 172.22.1.160
access-list Lan22_dot1 extended permit tcp host 172.22.1.160 any4 eq www
access-list Lan22_dot1 extended permit tcp any4 eq https host 172.22.1.160
access-list Lan22_dot1 extended permit tcp host 172.22.1.160 any4 eq https
access-list Citic1_cryptomap extended permit object-group DM_INLINE_SERVICE_7 object Alston_Capital_Taiwan1 object-group DM_INLINE_NETWORK_1 log
access-list Citic1_access_in extended permit object-group DM_INLINE_SERVICE_9 any4 object BML_host log
access-list Citic1_access_in extended permit ip any object PhillipUS_MQ1 log
access-list Citic1_access_in extended permit object TT_10200 any4 object PFRemote1
access-list Citic1_access_in extended permit object TT_10200 any4 host 172.22.1.7
access-list Citic1_access_in extended permit object TT_10200 any4 host 172.22.1.9
access-list Citic1_access_in extended permit object TT_10200 any4 object PRCS1
access-list Citic1_access_in extended permit object CQNANHUA_443 any4 host 172.16.0.34
access-list Citic1_access_in extended permit object CQNANHUA_80 any4 host 172.16.0.34
access-list Citic1_access_in extended permit tcp any4 host 172.16.0.34 eq smtp log
access-list Citic1_access_in extended permit object 1721602Http any4 object 1721602Web
access-list Citic1_access_in extended permit object 1721602 any4 object 1721602Web
access-list Citic1_access_in extended permit object 17216015htps any4 object 1721615Web
access-list Citic1_access_in extended permit object 1721615htp any4 object 1721615Web
access-list Citic1_access_in extended permit object-group DM_INLINE_PROTOCOL_9 object-group DM_INLINE_NETWORK_3 object-group ASL_Servers_Group log
access-list Citic1_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object PhillipUS_MQ1 log
access-list Citic1_access_in extended permit object-group DM_INLINE_SERVICE_12 object-group FTPSFTPGroup object FTPhost
access-list Citic1_access_in extended permit icmp any any
access-list Citic1_access_in extended permit icmp any any time-exceeded
access-list Citic1_access_in extended deny ip any any
access-list Citic2_access_in extended permit object-group DM_INLINE_SERVICE_10 any4 object BML_host log
access-list Citic2_access_in extended permit ip any object PhillipUS_MQ1
access-list Citic2_access_in extended permit object TT_10200 any4 object PFRemote1
access-list Citic2_access_in extended permit object TT_10200 any4 host 172.22.1.7
access-list Citic2_access_in extended permit object TT_10200 any4 host 172.22.1.9
access-list Citic2_access_in extended permit object TT_10200 any4 object PRCS1
access-list Citic2_access_in extended permit object CQNANHUA_80 any4 host 172.16.0.34
access-list Citic2_access_in extended permit object CQNANHUA_443 any4 host 172.16.0.34
access-list Citic2_access_in extended permit tcp any4 host 172.16.0.34 eq smtp log
access-list Citic2_access_in extended permit object 1721602Http any4 object 1721602Web
access-list Citic2_access_in extended permit object 1721602 any4 object 1721602Web
access-list Citic2_access_in extended permit object-group DM_INLINE_SERVICE_13 object-group FTPSFTPGroup object FTPhost
access-list Citic2_access_in extended deny ip any any
access-list Server_Mgmt_in extended permit object-group TaiwanPORT object-group DM_INLINE_NETWORK_4 object Alston_Capital_TW1 log
access-list Server_Mgmt_in extended permit object-group DM_INLINE_SERVICE_2 172.22.1.0 255.255.255.0 any log
access-list Server_Mgmt_in extended permit ip object Mgmt-Subnet object TTUser_Mig
access-list Server_Mgmt_in extended permit ip object-group Internal_Access_Group object User-Lan-172.16.0.0 log errors
access-list Server_Mgmt_in extended permit object-group DM_INLINE_SERVICE_8 object BML_host any log
access-list Server_Mgmt_in extended permit object-group DM_INLINE_SERVICE_17 object 172.22.2.0range any
access-list User_Lan_access_in extended permit object-group DM_INLINE_SERVICE_16 object CQGSFTP any
access-list User_Lan_access_in extended permit ip object User-Lan-172.16.0.0 object 10_2_2Range log
access-list User_Lan_access_in extended permit udp 172.16.0.0 255.255.255.0 any log
access-list User_Lan_access_in extended permit object-group DM_INLINE_SERVICE_15 172.16.0.0 255.255.255.0 any log
access-list Citic1_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 object-group ASL_Servers_Group object Aston_Ip_Range log
access-list Citic1_cryptomap_2 extended permit object-group DM_INLINE_PROTOCOL_5 object-group ASL_Servers_Group object Aston_Alliance_Range2
access-list 10.1.1.X_access_outbound extended permit ip object-group ASL_Servers_Group object-group DM_INLINE_NETWORK_2 log
access-list 10.1.1.X_access_in extended permit object-group DM_INLINE_PROTOCOL_8 10.1.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 log debugging
access-list 10.1.1.X_access_in extended permit object-group DM_INLINE_SERVICE_11 object FTPhost any log
access-list Citic1_cryptomap_3 extended permit ip object PhillipUS_MQ1 object-group DM_INLINE_NETWORK_5
access-list TT-Svr_access_in extended permit ip object PhillipUS_MQ1 object-group DM_INLINE_NETWORK_8 log
access-list TT-Svr_access_in extended permit ip object 10_2_2Range object User-Lan-172.16.0.0 log
access-list TT-Svr_access_in extended permit ip object 10_2_2Range any log
access-list TT-Svr_access_in remark access to MQ
access-list TT-Svr_access_in extended permit ip object PhillipUS_MQ1 object-group DM_INLINE_NETWORK_11
access-list UserLanCitic2 extended permit object-group Outgoing_Internet object Desmond_Host2 any
access-list Citic1_cryptomap_4 extended permit object-group DM_INLINE_PROTOCOL_4 object-group DM_INLINE_NETWORK_12 object 192.168.55.0_network
access-list Citic1_cryptomap_5 extended permit object-group DM_INLINE_PROTOCOL_19 172.16.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_13
access-list global_access extended permit object-group DM_INLINE_SERVICE_18 any object Currenex
access-list Citic1_cryptomap_6 extended permit object-group DM_INLINE_PROTOCOL_10 object-group DM_INLINE_NETWORK_14 object 192.168.55.0_network
access-list Citic1_cryptomap_7 extended permit object-group DM_INLINE_PROTOCOL_11 object-group DM_INLINE_NETWORK_15 object 192.168.55.0_network
access-list Citic1_cryptomap_8 extended permit object-group DM_INLINE_PROTOCOL_12 object-group DM_INLINE_NETWORK_16 object 192.168.55.0_network
access-list Citic1_cryptomap_9 extended permit object-group DM_INLINE_PROTOCOL_13 object-group DM_INLINE_NETWORK_17 object 192.168.55.0_network
access-list Citic1_cryptomap_10 extended permit object-group DM_INLINE_PROTOCOL_14 object-group DM_INLINE_NETWORK_18 object 192.168.55.0_network
access-list Citic1_cryptomap_11 extended permit object-group DM_INLINE_PROTOCOL_15 object-group DM_INLINE_NETWORK_19 object 192.168.55.0_network
access-list Citic1_cryptomap_12 extended permit object-group DM_INLINE_PROTOCOL_16 object-group DM_INLINE_NETWORK_20 object 192.168.55.0_network
access-list Citic1_cryptomap_13 extended permit object-group DM_INLINE_PROTOCOL_17 object-group DM_INLINE_NETWORK_21 object 192.168.55.0_network
access-list Citic1_cryptomap_14 extended permit object-group DM_INLINE_PROTOCOL_18 object-group DM_INLINE_NETWORK_22 object 192.168.55.0_network
access-list Citic1_cryptomap_15 extended permit object-group DM_INLINE_PROTOCOL_21 object 172.16.0.91-116 object 192.168.55.3-6
access-list Citic1_cryptomap_16 extended permit object-group DM_INLINE_PROTOCOL_20 172.16.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_24
access-list Citic1_cryptomap_17 extended permit object-group DM_INLINE_PROTOCOL_22 object-group DM_INLINE_NETWORK_25 object 192.168.55.0_network
access-list Citic1_cryptomap_18 extended permit ip object-group DM_INLINE_NETWORK_26 object 192.168.55.0_network
access-list Citic1_cryptomap_19 extended permit object-group DM_INLINE_PROTOCOL_23 172.16.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_27
access-list Citic1_cryptomap_20 extended permit object-group DM_INLINE_PROTOCOL_24 172.16.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_28
access-list Citic1_cryptomap_21 extended permit ip 172.16.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_29
pager lines 24
logging enable
logging standby
logging asdm warnings
logging host Server_Mgmt 172.22.1.15
mtu Citic1 1500
mtu Citic2 1500
mtu TTUser 1500
mtu User_Lan 1500
mtu Server_Mgmt 1500
mtu TTUser_Mig 1500
mtu 10.1.1.X 1500
mtu TT-Svr 1500
mtu Mgmt 1500
ip audit name Drop_Attack attack action drop
ip audit interface Citic1 Drop_Attack
ip audit interface Citic2 Drop_Attack
failover
failover lan unit primary
failover lan interface FoverLink GigabitEthernet0/5
failover key phillipttgb
failover replication http
failover link FoverLink GigabitEthernet0/5
failover interface ip FoverLink 10.100.100.1 255.255.255.252 standby 10.100.100.2
no monitor-interface 10.1.1.X
no monitor-interface Mgmt
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-90.bin
asdm location 10.200.200.0 255.255.255.0 Mgmt
asdm location 10.200.200.0 255.255.255.0 Server_Mgmt
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Server_Mgmt,Citic1) source static PFPLTTHKFIXGW Alston_Capital_Taiwan1 destination static Alston_Capital_TW1 Alston_Capital_TW1 net-to-net
nat (Citic1,10.1.1.X) source static FTPSFTPGroup interface destination static PFPLGBFTP FTPhost unidirectional
nat (Citic2,10.1.1.X) source static FTPSFTPGroup interface destination static PFPLGBFTP2 FTPhost unidirectional
nat (Citic1,Server_Mgmt) source static any interface destination static BML_PublicIP BML_host unidirectional
nat (Citic2,Server_Mgmt) source static any interface destination static BML_PublicIP2 BML_host unidirectional
nat (Citic1,Server_Mgmt) source static any interface destination static PFREMOTE1_Citic1_publicIP PFRemote1 unidirectional
nat (Citic2,Server_Mgmt) source static any interface destination static PFREMOTE1_Citic2_publicIP PFRemote1 unidirectional
nat (Citic1,TT-Svr) source static any interface destination static 202.66.204.236_CQUSPRYSMMQ_public PhillipUS_MQ1 unidirectional
nat (Citic2,TT-Svr) source static any interface destination static 119.73.155.182_CQUSPRYSMMQ_public PhillipUS_MQ1 unidirectional
nat (TTUser_Mig,Citic1) source dynamic TTUser_Mig interface
nat (Server_Mgmt,Citic1) source dynamic Mgmt-Subnet interface
nat (TT-Svr,Citic1) source dynamic 10_2_2Range interface inactive
nat (User_Lan,Citic1) source dynamic User-Lan-172.16.0.0 interface
nat (User_Lan,Citic2) source dynamic User-Lan-172.16.0.0 interface
nat (Server_Mgmt,Citic1) source dynamic 172.22.2.0range interface
nat (Server_Mgmt,Citic2) source dynamic 172.22.2.0range interface
!
nat (Citic1,Server_Mgmt) after-auto source static any interface destination static PFREMOTE2_Citic1_publicIP PFRemote2 unidirectional
nat (Citic2,Server_Mgmt) after-auto source static any interface destination static PROMOTE2_Citic2_publicIP PFRemote2 unidirectional
nat (Citic1,User_Lan) after-auto source static any interface destination static CQNANHUA_Citic1_PublicIP Web1.CQNANHUA.com unidirectional
nat (Citic2,User_Lan) after-auto source static any interface destination static CQNANHUA_Citic2_PublicIP Web1.CQNANHUA.com unidirectional
nat (Citic1,Server_Mgmt) after-auto source static any interface destination static PFH_TTFIX_Citic1 PFH_TTFIX_DropCopy unidirectional
nat (Citic2,Server_Mgmt) after-auto source static any interface destination static PFH_TTFIX_Citic2 PFH_TTFIX_DropCopy unidirectional
nat (Citic1,Server_Mgmt) after-auto source static any interface destination static PRCS1_Citic1_PublicIP PRCS1 unidirectional
nat (Citic2,Server_Mgmt) after-auto source static any interface destination static PRCS1_Citic2_PublicIP PRCS1 unidirectional
nat (Citic1,User_Lan) after-auto source static any interface destination static 1721615public1 1721615Web unidirectional
nat (Citic2,User_Lan) after-auto source static any interface destination static 17216015Public2 1721615Web unidirectional
nat (Citic1,User_Lan) after-auto source static any interface destination static 1721602WebPublic 1721602Web unidirectional
nat (Citic2,User_Lan) after-auto source static any interface destination static 1721602Public2 1721602Web unidirectional
access-group Citic1_access_in in interface Citic1
access-group Citic2_access_in in interface Citic2
access-group User_Lan_access_in in interface User_Lan
access-group Server_Mgmt_in in interface Server_Mgmt
access-group TTUser_Mig_in in interface TTUser_Mig
access-group 10.1.1.X_access_in in interface 10.1.1.X
access-group TT-Svr_access_in in interface TT-Svr
access-group global_access global
route Citic1 0.0.0.0 0.0.0.0 202.66.204.254 2 track 20
route Citic2 0.0.0.0 0.0.0.0 119.73.155.190 30 track 50
route Server_Mgmt 172.22.2.0 255.255.255.0 172.22.1.254 1
route Server_Mgmt 192.168.2.224 255.255.255.255 172.22.1.248 1
route Server_Mgmt 192.168.100.0 255.255.255.0 172.22.1.248 1
route Server_Mgmt 192.168.200.0 255.255.255.0 172.22.1.248 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 10.200.200.0 255.255.255.0 Server_Mgmt
http 172.22.1.0 255.255.255.0 Server_Mgmt
http 172.22.3.0 255.255.255.0 TTUser_Mig
http 10.222.222.0 255.255.255.0 Server_Mgmt
snmp-server host Server_Mgmt 192.168.100.100 community pfpl@777
snmp-server host Server_Mgmt 192.168.100.5 community pfpl@777 version 2c
no snmp-server location
snmp-server contact Samuel Kyaw
snmp-server community pfpl@777
sla monitor 20
type echo protocol ipIcmpEcho 8.8.8.8 interface Citic1
num-packets 3
frequency 10
sla monitor schedule 20 life forever start-time now
sla monitor 50
type echo protocol ipIcmpEcho 8.8.8.8 interface Citic2
sla monitor schedule 50 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Citic1_map 1 match address Citic1_cryptomap
crypto map Citic1_map 1 set pfs
crypto map Citic1_map 1 set peer 60.248.102.98
crypto map Citic1_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Citic1_map 1 set security-association lifetime kilobytes unlimited
crypto map Citic1_map 2 match address Citic1_cryptomap_1
crypto map Citic1_map 2 set pfs
crypto map Citic1_map 2 set peer 115.113.179.86
crypto map Citic1_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Citic1_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Citic1_map 3 match address Citic1_cryptomap_2
crypto map Citic1_map 3 set pfs
crypto map Citic1_map 3 set peer 115.112.216.212
crypto map Citic1_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Citic1_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Citic1_map 4 match address Citic1_cryptomap_3
crypto map Citic1_map 4 set peer 208.92.149.38
crypto map Citic1_map 4 set ikev1 transform-set ESP-3DES-SHA
crypto map Citic1_map 5 match address Citic1_cryptomap_18
crypto map Citic1_map 5 set pfs
crypto map Citic1_map 5 set peer 110.79.10.227
crypto map Citic1_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Citic1_map 6 match address Citic1_cryptomap_21
crypto map Citic1_map 6 set peer 61.219.22.238
crypto map Citic1_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Citic1_map 6 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Citic1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Citic1_map interface Citic1
crypto map Lan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Lan_map interface TTUser
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=PFPL-TTGB
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
email pfpl_support@phillip.com.sg
subject-name CN=202.66.204.231,O=Phillip Future,C=SG,L=Grand Building
ip-address 202.66.204.231
keypair ACSSL
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 202.66.204.231
subject-name CN=202.66.204.231
ip-address 202.66.204.231
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
subject-name CN=PFPL-TTGB.phillip.com.sg,O=Phillip Future,C=SG
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Citic1
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable Citic1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
track 20 rtr 20 reachability
!
track 50 rtr 50 reachability
telnet timeout 5
no ssh stricthostkeycheck
ssh 111.223.126.192 255.255.255.240 Citic1
ssh 10.113.30.221 255.255.255.255 Citic1
ssh 111.223.126.192 255.255.255.240 Citic2
ssh 10.113.30.221 255.255.255.255 Citic2
ssh 10.200.200.0 255.255.255.0 Server_Mgmt
ssh 172.22.1.15 255.255.255.255 Server_Mgmt
ssh 172.22.1.5 255.255.255.255 Server_Mgmt
ssh 10.222.222.0 255.255.255.0 Server_Mgmt
ssh 172.22.1.3 255.255.255.255 Server_Mgmt
ssh 172.22.1.21 255.255.255.255 Server_Mgmt
ssh timeout 7
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 10
management-access Server_Mgmt
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.2.224 source Server_Mgmt
tftp-server Server_Mgmt 172.22.1.15 asa5515_172.22.1.220_config
ssl cipher default custom "DES-CBC3-SHA:RC4-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DES-CBC3-SHA:RC4-SHA:AES128-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DES-CBC3-SHA:RC4-SHA:AES128-SHA:AES256-SHA"
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 TTUser
ssl trust-point ASDM_TrustPoint0 TTUser vpnlb-ip
webvpn
enable Citic1
anyconnect-custom-attr IT-Support-Custom-Attribute description Any Connect Custom Attribues for IT support
anyconnect image disk0:/anyconnect-win-4.0.02052-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.0.02052-k9.pkg 2
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value phillip.com.sg
group-policy ASL2_Remote internal
group-policy ASL2_Remote attributes
wins-server none
dns-server value 165.21.100.88
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value Lan22_dot1
default-domain value phillip.com.sg
ipv6-address-pools none
webvpn
anyconnect ask enable default anyconnect
group-policy GroupPolicy_60.248.102.98 internal
group-policy GroupPolicy_60.248.102.98 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_61.219.22.238 internal
group-policy GroupPolicy_61.219.22.238 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_110.79.10.227 internal
group-policy GroupPolicy_110.79.10.227 attributes
vpn-filter none
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_115.113.179.86 internal
group-policy GroupPolicy_115.113.179.86 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_Support_AnyConnect_Profile internal
group-policy GroupPolicy_Support_AnyConnect_Profile attributes
wins-server none
dns-server value 165.21.100.88
vpn-tunnel-protocol ssl-client
default-domain value phillip.com.sg
webvpn
always-on-vpn profile-setting
group-policy GroupPolicy_IT-support internal
group-policy GroupPolicy_IT-support attributes
wins-server none
dns-server value 165.21.100.88
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IT_Support_AC_ACL
default-domain value phillip.com.sg
webvpn
anyconnect firewall-rule client-interface private none
always-on-vpn profile-setting
group-policy GroupPolicy_115.112.216.212 internal
group-policy GroupPolicy_115.112.216.212 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Support_AnyConnect_Profile type remote-access
tunnel-group Support_AnyConnect_Profile general-attributes
address-pool Support_AnyConnect_pool
default-group-policy GroupPolicy_Support_AnyConnect_Profile
tunnel-group Support_AnyConnect_Profile webvpn-attributes
group-alias Support_AnyConnect_Profile enable
group-url https://202.66.204.231/Anyconnect disable
group-url https://202.66.204.231/support enable
tunnel-group IT-support type remote-access
tunnel-group IT-support general-attributes
address-pool ITsupport-Pool
default-group-policy GroupPolicy_IT-support
strip-realm
strip-group
tunnel-group IT-support webvpn-attributes
group-alias IT-support enable
group-url https://202.66.204.231 enable
without-csd
tunnel-group 60.248.102.98 type ipsec-l2l
tunnel-group 60.248.102.98 general-attributes
default-group-policy GroupPolicy_60.248.102.98
tunnel-group 60.248.102.98 ipsec-attributes
ikev1 pre-shared-key Fut1788#
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key Fut1788#
ikev2 local-authentication pre-shared-key Fut1788#
tunnel-group SanJayAnyconnect type remote-access
tunnel-group SanJayAnyconnect general-attributes
address-pool SanjayAnyconnect
default-group-policy ASL2_Remote
tunnel-group SanJayAnyconnect webvpn-attributes
group-alias astonalliance enable
group-url https://202.66.204.231/Sanconnect enable
without-csd
tunnel-group 115.113.179.86 type ipsec-l2l
tunnel-group 115.113.179.86 general-attributes
default-group-policy GroupPolicy_115.113.179.86
tunnel-group 115.113.179.86 ipsec-attributes
ikev1 pre-shared-key penfut1788#
ikev2 remote-authentication pre-shared-key Fut1788#
ikev2 local-authentication pre-shared-key penfut1788#
tunnel-group 115.112.216.212 type ipsec-l2l
tunnel-group 115.112.216.212 general-attributes
default-group-policy GroupPolicy_115.112.216.212
tunnel-group 115.112.216.212 ipsec-attributes
ikev1 pre-shared-key Penfut1788#
ikev2 remote-authentication pre-shared-key Fut1788#
ikev2 local-authentication pre-shared-key Fut1788#
tunnel-group 208.92.149.38 type ipsec-l2l
tunnel-group 208.92.149.38 ipsec-attributes
ikev1 pre-shared-key pfpl123#
tunnel-group 110.79.10.227 type ipsec-l2l
tunnel-group 110.79.10.227 general-attributes
default-group-policy GroupPolicy_110.79.10.227
tunnel-group 110.79.10.227 ipsec-attributes
ikev1 pre-shared-key PJ0jPfPJPCEkJ0PD
ikev2 remote-authentication pre-shared-key PJ0jPfPJPCEkJ0PD
ikev2 local-authentication pre-shared-key PJ0jPfPJPCEkJ0PD
tunnel-group 61.219.22.238 type ipsec-l2l
tunnel-group 61.219.22.238 general-attributes
default-group-policy GroupPolicy_61.219.22.238
tunnel-group 61.219.22.238 ipsec-attributes
ikev1 pre-shared-key Penfut1788#
ikev2 remote-authentication pre-shared-key Penfut1788#
ikev2 local-authentication pre-shared-key Penfut1788#
!
class-map LAN16-Upload
match access-list LAN16_mpc_2
class-map LAN16-Incoming
match access-list LAN16_mpc_1
class-map LAN16-Download
match access-list LAN16_mpc_3
class-map inspection_default
match default-inspection-traffic
class-map LAN16-Limit-class
description LAN16-Lmit-class
match access-list LAN16_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
policy-map User-policy
class LAN16-Limit-class
inspect http
policy-map LAN16-policy
class LAN16-Upload
police input 10000000 5000
class LAN16-Download
police output 10000000 5000
policy-map LAN16-TrafficShape
class LAN16-Limit-class
inspect http
police input 500000 1500
class LAN16-Incoming
inspect http
police output 500000 1500
police input 500000 1500
!
service-policy global_policy global
service-policy User-policy interface User_Lan
prompt hostname priority state
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 6
subscribe-to-alert-group configuration periodic monthly 6
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:1e66af565d55702ba1d710f7e4baf46b
: end
PFPL-TTGB/pri/act#
09-26-2016 07:21 PM
Hi,
Where is the static route for the VPN tunnel?
Please add a static route.
route "interface-name" "destination-subnet" "destination-subnet-mask" "destination-wan-ip"
Regards.
Deepak Kumar
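The reply above asks for a static route covering the remote VPN subnet and gives the `route` command template. The script below is an added example (not code from the thread's author, Deepak, or Cisco) that automates that check offline: it reads an ASA running-config excerpt, resolves each crypto-map ACL's destination networks, looks up the best matching `route` statement, and reports destinations that are reached only by the default route or by a route on a different interface than the crypto map's, printing the `route <interface> <subnet> <mask> <next-hop>` line in the reply's format. The excerpt in `SAMPLE_CONFIG` is a constructed, simplified slice modelled on the poster's config (object and interface names mirror the thread; `Mgmt-Host` and `Citic1_cryptomap_demo` are invented for the second finding); `object-group` members are not expanded and are reported as unresolved.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed, simplified excerpt in the style of the poster's running-config.
# 'Mgmt-Host' and 'Citic1_cryptomap_demo' are invented to show a second finding.
SAMPLE_CONFIG = """\
object network 192.168.55.0_network
 subnet 192.168.55.0 255.255.255.0
object network User-Lan-172.16.0.0
 subnet 172.16.0.0 255.255.255.0
object network Mgmt-Host
 host 192.168.100.5
access-list Citic1_cryptomap_18 extended permit ip object User-Lan-172.16.0.0 object 192.168.55.0_network
access-list Citic1_cryptomap_demo extended permit tcp 172.16.0.0 255.255.255.0 object Mgmt-Host eq 443
crypto map Citic1_map 5 match address Citic1_cryptomap_18
crypto map Citic1_map 5 set peer 110.79.10.227
crypto map Citic1_map 9 match address Citic1_cryptomap_demo
crypto map Citic1_map interface Citic1
route Citic1 0.0.0.0 0.0.0.0 202.66.204.254 2 track 20
route Citic2 0.0.0.0 0.0.0.0 119.73.155.190 30 track 50
route Server_Mgmt 192.168.100.0 255.255.255.0 172.22.1.248 1
"""


class Route(NamedTuple):
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: int


class Finding(NamedTuple):
    crypto_map: str
    seq: int
    destination: str
    status: str            # ok | default-only | wrong-interface | no-route | unresolved
    command: Optional[str]  # suggested 'route ...' line, when one can be built


def parse_objects(cfg: str) -> dict:
    """Map 'object network NAME' (subnet/host forms) to IPv4 networks."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+subnet (\S+) (\S+)", line)):
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/32")
    return objects


def _take_address(tokens, i, objects):
    """Consume one ACL address spec at tokens[i]; return (network or None, label, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), t, i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), tokens[i + 1], i + 2
    if t == "object":
        return objects.get(tokens[i + 1]), tokens[i + 1], i + 2
    if t == "object-group":
        return None, tokens[i + 1], i + 2   # group members are not expanded here
    return ipaddress.IPv4Network(f"{t}/{tokens[i + 1]}"), f"{t} {tokens[i + 1]}", i + 2


def parse_acl_destinations(cfg: str, objects: dict) -> dict:
    """ACL name -> [(destination network or None, label)] for 'extended permit' entries."""
    acls = {}
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
            continue
        i = 6 if tok[4] in ("object", "object-group") else 5   # skip the protocol spec
        _, _, i = _take_address(tok, i, objects)                 # source
        dst, label, _ = _take_address(tok, i, objects)           # destination
        acls.setdefault(tok[1], []).append((dst, label))
    return acls


def parse_routes(cfg: str) -> list:
    routes = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "route":
            metric = int(t[5]) if len(t) > 5 and t[5].isdigit() else 1
            routes.append(Route(t[1], ipaddress.IPv4Network(f"{t[2]}/{t[3]}"), t[4], metric))
    return routes


def parse_crypto_maps(cfg: str):
    """Return ([(map, seq, acl)], {map: interface})."""
    entries, interfaces = [], {}
    for line in cfg.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            interfaces[m.group(1)] = m.group(2)
    return entries, interfaces


def best_route(routes, dest):
    """Longest-prefix route covering dest; lowest metric breaks ties."""
    hits = [r for r in routes if dest.subnet_of(r.network)]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric)) if hits else None


def check_vpn_routes(cfg: str) -> list:
    objects = parse_objects(cfg)
    acls = parse_acl_destinations(cfg, objects)
    routes = parse_routes(cfg)
    entries, interfaces = parse_crypto_maps(cfg)
    findings = []
    for cmap, seq, acl in entries:
        iface = interfaces.get(cmap)
        # next hop of the default route on the crypto-map interface, if any
        default = next((r for r in routes if r.interface == iface and r.network.prefixlen == 0), None)
        for dest, label in acls.get(acl, []):
            if dest is None:
                findings.append(Finding(cmap, seq, label, "unresolved", None))
                continue
            if dest.prefixlen == 0:
                continue   # 'any' as a crypto destination gives nothing to route-check
            r = best_route(routes, dest)
            status = ("no-route" if r is None else "wrong-interface" if r.interface != iface
                      else "default-only" if r.network.prefixlen == 0 else "ok")
            cmd = None
            if status in ("no-route", "default-only") and default:
                cmd = f"route {iface} {dest.network_address} {dest.netmask} {default.gateway} 1"
            findings.append(Finding(cmap, seq, str(dest), status, cmd))
    return findings


if __name__ == "__main__":
    for f in check_vpn_routes(SAMPLE_CONFIG):
        print(f"{f.crypto_map} seq {f.seq}: {f.destination} -> {f.status}"
              + (f"  suggest: {f.command}" if f.command else ""))
```

Run it against the output of `show running-config` saved to a file; for the sample, the 192.168.55.0/24 destination is reported as `default-only` with the suggested `route Citic1 192.168.55.0 255.255.255.0 202.66.204.254 1`, and the invented management host is flagged `wrong-interface` because a more specific route sends it out `Server_Mgmt` rather than the crypto-map interface, which is the kind of mismatch that leaves a tunnel up but without interesting traffic.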