Cisco ASA & Router Site to Site VPN up but not passing traffic

Dear all,

Please help me with the VPN issue in the attached document: the site-to-site VPN is up but I am not able to pass traffic.

Thanks in advance

ahossain

ASA#

ASA Version 8.2(1)
!
hostname Active
domain-name test.com
!
interface Ethernet0/0
description LAN/STATE Failover Interface
!
interface Ethernet0/1
speed 100
nameif outside
security-level 0
ip address 212.71.53.38 255.255.255.224 standby 212.71.53.37
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.50.1 255.255.255.0 standby 192.168.50.4
!
interface Ethernet0/3
description INSIDE
speed 100
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa821-k8.bin
boot config disk0:/running-config
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list deny-flow-max 1
access-list alert-interval 2
access-list allow extended permit ip any any
access-list VPN extended permit ip any any
access-list OUTSIDE extended permit ip any any
access-list al-outside extended permit ip any host 212.107.106.129
access-list al-outside extended permit ip any any
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list no-nat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover Ethernet0/0
failover key *****
failover link failover Ethernet0/0
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any DMZ
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 212.71.53.36 1
route outside 10.2.2.0 255.255.255.0 212.71.53.36 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set mal esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mal 10 set peer 212.107.106.129
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 212.107.106.129
crypto map IPSec_map 10 set transform-set mal
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside

==================================================================

Remote-Router#

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXX address 212.71.53.38
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set mal esp-3des esp-md5-hmac
!
crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
!
interface Loopback0
ip address 10.3.3.1 255.255.255.0
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal
!
interface GigabitEthernet0/1
ip address 212.107.106.129 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map mal
!
interface GigabitEthernet0/2
description *!* LAN *!*
ip address 10.2.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat pool OUTPOOL 212.107.106.132 212.107.106.132 netmask 255.255.255.248
ip nat inside source route-map nonat pool OUTPOOL overload
ip route 0.0.0.0 0.0.0.0 172.20.34.53
ip route 10.1.1.0 255.255.255.0 212.107.106.130
ip route 192.168.50.0 255.255.255.0 212.71.53.38
!
ip access-list extended outside
remark CCP_ACL Category=1
permit ip any any log
ip access-list extended outside1
remark CCP_ACL Category=1
permit ip any any log
!
access-list 110 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny   ip 10.2.2.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
control-plane
There is a dual static crypto instance; please delete the highlighted line below.

crypto map mal 10 set peer 212.107.106.129

FYI... Your FW is open to anything and everything.

So remove this line as well.

access-list outside_access_in extended permit ip any any

access-group outside_access_in_1 in interface outside

I also hope that you have configured the tunnel-group as well, as I do not see it in the config.

tunnel-group 212.107.106.129 type ipsec-l2l
tunnel-group 212.107.106.129 ipsec-attributes
pre-shared-key your-password-goes-on-whichever-your-password is

Please add this line on the router.

crypto map mal 10 ipsec-isakmp
set peer 212.71.53.38
set transform-set mal
match address 120
set pfs group2
reverse-route

Let me know.

thanks

Dear Rizwan,

I have removed and applied your configuration, but still the same problem; please see the attached PING!!! report.

This is incorrect:

ip route 10.1.1.0 255.255.255.0 212.107.106.130

Also please change this as well on the router.

ip route 10.1.1.0 255.255.255.0 212.71.53.38

I assume "212.71.53.38" is your default-gateway address on the router.

I think the current route is correct:

ip route 10.1.1.0 255.255.255.0 212.107.106.130

Because our remote-site router has two outside interfaces:

1. 212.107.106.129

2. 172.20.34.53

And the static route is ip route 0.0.0.0 0.0.0.0 172.20.34.53

The firewall has one outside interface:

1. 212.71.53.38

Yes you are right.

So please remove the highlighted line from GigabitEthernet0/0:

interface GigabitEthernet0/0
ip address 172.20.34.54 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map mal

---------------------------------------------

When done, ping the remote hosts.

Were you able to ping?

Please issue this command on the ASA CLI and post the output:

packet-tracer input outside icmp 10.2.2.1 8 0 10.1.1.2

thanks

Dear Rizwan,

Again I would like to thank you for your kind support, but still nothing!

Result of the command: "packet-tracer input outside icmp 10.2.2.1 8 0 10.1.1.2"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.1.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Dear all,

Again I am looking for your support; please help me with this case.

Do you have an ACL applied on the inside?

Please copy your whole config from both the router and the ASA, but do not forget to remove usernames and passwords.

thanks