
Cisco VPN client connection failing

Humongous
Level 1

Trying to connect to another company via their VPN setup.  Can connect to it when outside of our network.  Let me know if you need more information.  TIA! 

 

 

Log from VPN client:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

147    11:40:01.472  07/03/14  Sev=Info/4      CM/0x63100002
Begin connection process

148    11:40:01.495  07/03/14  Sev=Info/4      CM/0x63100004
Establish secure connection

149    11:40:01.495  07/03/14  Sev=Info/4      CM/0x63100024
Attempt connection with server "RochesterVPN.XX.XXX"

150    11:40:01.501  07/03/14  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 161.242.XX.XXX.

151    11:40:01.505  07/03/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

152    11:40:01.508  07/03/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.242.XX.XXX

153    11:40:01.513  07/03/14  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

154    11:40:01.513  07/03/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

155    11:40:01.513  07/03/14  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (172.30.235.172)

156    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 161.242.XX.XXX

157    11:40:01.653  07/03/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XX.XXX

158    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

159    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

160    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer supports DPD

161    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

162    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

163    11:40:01.653  07/03/14  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

164    11:40:01.659  07/03/14  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

165    11:40:01.659  07/03/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 161.242.XX.XXX

166    11:40:01.660  07/03/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

167    11:40:01.660  07/03/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xF593, Remote Port = 0x1194

168    11:40:01.660  07/03/14  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

169    11:40:01.660  07/03/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

170    11:40:11.742  07/03/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

171    11:40:13.309  07/03/14  Sev=Info/6      GUI/0x63B0000D
Disconnecting VPN connection.

172    11:40:13.309  07/03/14  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up

173    11:40:13.309  07/03/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

174    11:40:13.309  07/03/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D89195EC0EA7A23A R_Cookie=754870F5DD1134BE) reason = DEL_REASON_RESET_SADB

175    11:40:13.309  07/03/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 161.242.XX.XXX

176    11:40:13.310  07/03/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D89195EC0EA7A23A R_Cookie=754870F5DD1134BE) reason = DEL_REASON_RESET_SADB

177    11:40:13.311  07/03/14  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

178    11:40:13.320  07/03/14  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

179    11:40:14.322  07/03/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

180    11:40:14.322  07/03/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

181    11:40:14.322  07/03/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

182    11:40:14.322  07/03/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
===============================================

 

Scrubbed ASA config:

ASA Version 8.4(4)1 
!
hostname remoteASA
domain-name 
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif SAN
 security-level 99
 ip address 192. 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172. 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address  255.255.255.240 
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 10. 255.255.255.0 
 ospf cost 10
 ospf network point-to-point non-broadcast

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
o
object-group network DM_INLINE_NETWORK_2
 group-object DROP_DoNotRoute
 group-object VulnScannerIPs
object-group service DM_INLINE_SERVICE_1
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq domain 
 service-object udp destination eq domain 
object-group network DM_INLINE_NETWORK_5
 network-object object AD3
 network-object object AD4
object-group service DM_INLINE_SERVICE_2
 service-object object IPSEC-udp 
 service-object esp 
 service-object object View-AJP13 
 service-object object View-JMS 
object-group network DM_INLINE_NETWORK_6
 network-object object Xerox
 network-object object TestMonitor2


access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq www 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq https 
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq 3389 inactive 
access-list inside_nat0_outbound extended permit ip 255.255.255.0 object-group _LAN 
access-list inside_nat0_outbound extended permit ip object-group _LAN 1920255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group _LAN object lePointLAN 
access-list acl_nonat extended permit ip object-group _LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip XX.XX10.0 255.255.255.0 object-group bbb_LAN 
access-list acl_nonat extended permit ip object-group bbb_LAN XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XXX.XXX5.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX200.0 255.255.255.0 XXX.XXX4.0 255.255.255.0 
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XX.XX10.0 255.255.255.0 
access-list acl_nonat extended permit ip object-group _LAN object-group TestPool 
access-list acl_nonat extended permit ip object-group _LAN object-group ccc_LAN 
access-list acl_nonat extended permit ip object-group TestPool object-group _LAN 
access-list outside_cryptomap extended permit ip 172. 255.255.0.0 192.1 255.255.255.0 inactive 
access-list inside_access_out extended deny ip any object-group DM_INLINE_NETWORK_4 log notifications 
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_10 object-group _LAN host 161.242.XX.XXX 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0 
access-list inside_access_out extended permit ip object-group _LAN object-group bbb_LAN 
access-list inside_access_out extended permit ip object-group _LAN object lePointLAN inactive 
access-list inside_access_out extended permit ip object _UTM any 
access-list inside_access_out extended permit ip object-group DM_INLINE_NETWORK_10 object-group ccc_LAN 
access-list inside_access_out extended permit object-group TCPUDP object-group DNSServers any eq domain 
access-list inside_access_out extended permit tcp host XXX.XXX210.56 host 54. object-group DM_INLINE_TCP_2 
access-list inside_access_out extended deny object-group TCPUDP any any eq domain 
access-list inside_access_out extended permit tcp any any object-group RDP 
access-list inside_access_out extended permit tcp object AntiSpam any eq smtp 
access-list inside_access_out extended permit tcp object AntiSpamVM any eq smtp 
access-list inside_access_out extended permit tcp host XXX.XXX210.58 any eq smtp 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended deny ip any host 204. 
access-list inside_access_out extended deny ip any host 216. 
access-list inside_access_out extended permit ip host XXX.XXX10.7 any 
access-list inside_access_out extended permit udp any any eq syslog 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX10.17 
access-list inside_access_out extended permit tcp object EX2007 any eq smtp inactive 
access-list inside_access_out extended permit ip XXX.XXX5.0 255.255.255.0 any inactive 
access-list inside_access_out extended deny ip any host 67. 
access-list inside_access_out extended deny ip host XXX.XXX10.24 any 
access-list inside_access_out extended deny tcp any any range 135 netbios-ssn log notifications 
access-list inside_access_out extended deny udp any any range 135 139 
access-list inside_access_out extended deny tcp any any eq 445 
access-list inside_access_out extended deny udp any any eq tftp inactive 
access-list inside_access_out extended deny udp any any eq syslog inactive 
access-list inside_access_out extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_1 range snmp snmptrap 
access-list inside_access_out extended deny udp any any range snmp snmptrap 
access-list inside_access_out extended deny tcp any any range 6660 6669 
access-list inside_access_out extended deny tcp any any eq pop3 
access-list inside_access_out extended deny object-group TCPUDP any any eq kerberos 
access-list inside_access_out extended permit object Web8080 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8000 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8765 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web8443 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit object Web81 XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit tcp XXX.XXX0.0 255.255.0.0 any object-group DM_INLINE_TCP_1 
access-list inside_access_out extended deny tcp any any eq smtp 
access-list inside_access_out extended permit ip XXX.XXX0.0 255.255.0.0 any 
access-list inside_access_out extended permit ip XXX.XXX4.0 255.255.255.0 any 
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX210.113 
access-list inside_access_out extended deny ip any any 

!
tcp-map mss-map
!

mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu Management 1500
ip local pool ClientPool XX.XX10.1-XX.XX10.254 mask 255.255.255.0
ip local pool InsidePool XXX.XXX10.200-XXX.XXX10.220 mask 255.255.255.0
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
icmp permit host 64. outside
asdm image disk1:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static _LAN _LAN destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static lePointLAN lePointLAN no-proxy-arp
nat (inside,any) source static obj-XX.XX10.0 obj-XX.XX10.0 destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static bbb_LAN bbb_LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
nat (inside,outside) source static _LAN _LAN destination static ccc_LAN ccc_LAN
nat (inside,outside) source static HOST_CUBE_LOOPBACK HOST_CUBE_LOOPBACK destination static ccc_LAN ccc_LAN
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (SAN,any) source static SAN SAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
!
object network AntiSpam
 nat (inside,any) static 64. service tcp smtp smtp 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static 64. service tcp https https 
object network obj-172.
 nat (inside,outside) static 64. service tcp 3389 3389 
object network obj-172.
 nat (inside,outside) static interface service tcp 5001 5001 
object network obj-172.
 nat (inside,outside) static interface service udp 5001 5001 
object network obj-172.
 nat (inside,outside) static securemail.law.com
object network Check_PC
 nat (inside,outside) static 64.
object network obj_any
 nat (inside,inside) dynamic 
object network obj_any-01
 nat (inside,outside) dynamic interface
object network obj_any-02
 nat (DMZ,outside) dynamic interface
object network obj-XX.XX1.9
 nat (DMZ,outside) static 64.
object network obj-XX.XX1.6
 nat (DMZ,outside) static 64.
!
nat (inside,outside) after-auto source static obj-172. service http http
access-group SAN_access_in in interface SAN
access-group inside_access_out in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface outside
!
route-map vpn-routes permit 10
 match ip address filter-default-static-route
!
route-map vpn-routes permit 20
 match interface outside
 set metric-type type-2
!
!
router ospf 1
 network 172255.255.0.0 area 0
 area 0
 log-adj-changes
 redistribute static metric 10
!
route outside 0.0.0.0 0.0.0.0 64. 1
route inside XXX.XXX0.0 255.255.0.0 XXX.XXX10.5 1
route inside XXX.XXX99.0 255.255.255.252 XXX.XXX10.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 0:30:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAPMAP
  map-name  sAMAccountName IETF-Radius-Class
  map-value sAMAccountName sAMAccountName Tunnel-Group-Lock
dynamic-access-policy-record DfltAccessPolicy
 description "WebAccess"
 webvpn
  url-list value Intranet
  url-entry enable
aaa-server BA_Auth protocol radius
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server BA_Auth (inside) host 172.
 key *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
aaa-server LDAP (inside) host 172.
 server-port 636
 ldap-base-dn OU=Users,OU=,dc=,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map LDAPMAP
user-identity default-domain LOCAL
eou allow none
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication match Outside_authentication_BA_Auth outside BA_Auth
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
aaa authentication secure-http-client
aaa authentication listener http outside port 1080 redirect
aaa authentication listener https outside port 1443 redirect
http server enable

sysopt connection tcpmss 1460

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map lePoint 3 match address outside_cryptomap_2
crypto dynamic-map lePoint 3 set pfs 
crypto dynamic-map lePoint 3 set reverse-route
crypto map inside_map 1 match address outside_cryptomap
crypto map inside_map 1 set pfs 
crypto map inside_map 1 set connection-type answer-only
crypto map inside_map 1 set peer 216. 
crypto map inside_map 1 set ikev1 phase1-mode aggressive 
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 1 set security-association lifetime seconds 28800
crypto map inside_map 1 set security-association lifetime kilobytes 4608000
crypto map inside_map 1 set reverse-route
crypto map inside_map 2 match address outside_cryptomap_1
crypto map inside_map 2 set pfs 
crypto map inside_map 2 set connection-type answer-only
crypto map inside_map 2 set peer 208. 
crypto map inside_map 2 set ikev1 phase1-mode aggressive 
crypto map inside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 2 set reverse-route
crypto map inside_map 3 ipsec-isakmp dynami
crypto map inside_map 4 match address outside_cryptomap_3
crypto map inside_map 4 set pfs 
crypto map inside_map 4 set peer 63. 
crypto map inside_map 4 set ikev1 phase1-mode aggressive 
crypto map inside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 4 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside


crypto isakmp identity address 
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 31
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-delimiter @

!
class-map ipsecpassthru-traffic
 match access-list ipsecpassthru
class-map inspection_default
 match default-inspection-traffic
class-map mss-class
 match access-list mss-list
class-map http-map1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
 parameters
  esp 
  ah 
policy-map inspection_policy
 class ipsecpassthru-traffic
  inspect ipsec-pass-thru iptmap 
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class inspection_default
  inspect pptp 
  inspect ftp 
  inspect ip-options 
  inspect ipsec-pass-thru 
 class class-default
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map mss-class
 class mss-class
  set connection advanced-options mss-map
  inspect ipsec-pass-thru iptmap 
policy-map type inspect ftp Test
 parameters
!
service-policy global_policy global
service-policy mss-class interface outside
smtp-server 
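
One way to read the VPN client log above, as an added example that is not part of the original post: the Python below parses that log's entry format, decodes the hexadecimal IKE ports and reports when the peer was last heard from. `SAMPLE_LOG` is an excerpt of the posted entries; the function and field names are this example's own.

```python
import re
from datetime import datetime

# Excerpt of the client log posted above (addresses masked as posted).
SAMPLE_LOG = """\
157    11:40:01.653  07/03/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XX.XXX

165    11:40:01.659  07/03/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 161.242.XX.XXX

167    11:40:01.660  07/03/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xF593, Remote Port = 0x1194

168    11:40:01.660  07/03/14  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

169    11:40:01.660  07/03/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

170    11:40:11.742  07/03/14  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

171    11:40:13.309  07/03/14  Sev=Info/6      GUI/0x63B0000D
Disconnecting VPN connection.
"""

HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)"
                    r"\s+Sev=(\w+/\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")

def parse_entries(text):
    """Split the log into entries: one header line plus the message lines under it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            seq, clock, date, sev, module, code = m.groups()
            when = datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"seq": int(seq), "time": when, "sev": sev,
                            "module": module, "code": code, "msg": ""})
        elif entries and line.strip():  # continuation line; collapse padding
            e = entries[-1]
            e["msg"] = (e["msg"] + " " + " ".join(line.split())).strip()
    return entries

def summarize(entries):
    """Report how far the IKE exchange got and how long the peer stayed silent."""
    s = {"ports": None, "client_behind_nat": None, "phase1_up": False,
         "user_auth_sas": None, "last_rx_seq": None, "tx_after_last_rx": 0,
         "silence_before_abort_s": None}
    last_rx = None
    for e in entries:
        msg = e["msg"]
        if msg.startswith("RECEIVING <<<"):
            last_rx, s["last_rx_seq"], s["tx_after_last_rx"] = e, e["seq"], 0
        elif (msg.startswith(("SENDING >>>", "Sent a keepalive"))
              and s["silence_before_abort_s"] is None):
            s["tx_after_last_rx"] += 1  # sent, but nothing came back yet
        if m := re.search(r"Local Port =\s*0x([0-9A-Fa-f]+), Remote Port = 0x([0-9A-Fa-f]+)", msg):
            s["ports"] = (int(m.group(1), 16), int(m.group(2), 16))  # hex -> decimal
        if m := re.search(r"This end (IS|is NOT) behind a NAT device", msg):
            s["client_behind_nat"] = m.group(1) == "IS"
        if m := re.search(r"Established Phase 1 SA\.\s+\d+ Crypto Active IKE SA, (\d+) User", msg):
            s["phase1_up"], s["user_auth_sas"] = True, int(m.group(1))
        if "Disconnecting VPN connection" in msg and last_rx:
            s["silence_before_abort_s"] = (e["time"] - last_rx["time"]).total_seconds()
    return s

if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE_LOG)))
```

On the posted entries this gives remote port 4500 (the NAT-T UDP port), Phase 1 up with 0 user-authenticated SAs, and no packet received from the peer for about 11.7 seconds before the manual disconnect. The `inside_access_out` entry that names host 161.242.XX.XXX permits `DM_INLINE_SERVICE_10`, whose members are not shown in the scrubbed config, so which UDP ports that entry allows outbound cannot be read from the page.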
