07-08-2014 06:06 AM
Both companies are behind ASAs. Here's the Cisco VPN Client log:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:06:45.882 07/07/14 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 14:06:45.882 07/07/14 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 14:06:45.888 07/07/14 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
4 14:06:45.888 07/07/14 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
5 14:06:45.895 07/07/14 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
6 14:06:45.896 07/07/14 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
7 14:06:45.898 07/07/14 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
8 14:06:54.398 07/07/14 Sev=Info/4 CM/0x63100002
Begin connection process
9 14:06:54.420 07/07/14 Sev=Info/4 CM/0x63100004
Establish secure connection
10 14:06:54.420 07/07/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "RochesterVPN.XXX.XXX"
11 14:06:54.525 07/07/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 161.242.XXX.XXX.
12 14:06:54.538 07/07/14 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
13 14:06:54.551 07/07/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.242.XXX.XXX
14 14:06:54.703 07/07/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 161.242.XXX.XXX
15 14:06:54.704 07/07/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 161.242.XXX.XXX
16 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
17 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
18 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
19 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
20 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
21 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
22 14:06:54.707 07/07/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
23 14:06:54.707 07/07/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONT
24 14:06:54.708 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
25 14:06:54.708 07/07/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xE25A, Remote Port = 0x1194
26 14:06:54.708 07/07/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
27 14:06:54.708 07/07/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
28 14:06:55.708 07/07/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
29 14:06:55.708 07/07/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 14:06:55.708 07/07/14 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (172.30.235.172)
31 14:07:05.189 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:07:15.347 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:07:25.490 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:07:31.392 07/07/14 Sev=Info/4 CM/0x63100006
Abort connection attempt before Phase 1 SA up
35 14:07:31.393 07/07/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
36 14:07:31.393 07/07/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=39AB9617851A0C50
37 14:07:31.393 07/07/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 161.242.XXX.XXX
38 14:07:31.394 07/07/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=39AB9617851A0C50
39 14:07:31.409 07/07/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
40 14:07:32.451 07/07/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
41 14:07:32.502 07/07/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
42 14:07:32.502 07/07/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 14:07:32.502 07/07/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 14:07:32.502 07/07/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
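To make a log like the one above easier to read, here is an added example (my own code, not part of the original post or of Cisco's software) that splits a Cisco VPN Client log into its numbered entries and reports the milestone at which the attempt stopped. The entry-header layout is taken from the posted log; the milestone strings and the verdict rules are my own heuristics, and the sample log is a constructed subset of the posted one, with the same redacted server name.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Header line of each Cisco VPN Client log entry, e.g.
# "27 14:06:54.708 07/07/14 Sev=Info/4 CM/0x6310000E"; the message follows on
# one or more continuation lines until the next header.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<subsys>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

@dataclass
class Entry:
    seq: int
    ts: datetime
    severity: str
    level: int
    subsystem: str
    code: str
    lines: list = field(default_factory=list)

    @property
    def message(self) -> str:
        return " ".join(self.lines)

def parse_log(text: str) -> list:
    """Group the client log into entries; banner lines before the first header are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            entries.append(Entry(int(m["seq"]), ts, m["sev"], int(m["level"]), m["subsys"], m["code"]))
        elif entries:
            entries[-1].lines.append(line)
    return entries

def diagnose(entries: list) -> dict:
    """Locate the negotiation milestones and say where the attempt stopped (heuristics are mine)."""
    def first(fragment):
        return next((e for e in entries if fragment in e.message), None)

    begin = first("Begin connection process")
    attempt = first("Attempt connection with server")
    p1_sa = first("Established Phase 1 SA")
    abort = first("Abort connection attempt before Phase 1 SA up")
    nat = first("Automatic NAT Detection Status")
    authed = None
    if p1_sa:
        m = re.search(r"(\d+) User Authenticated IKE SA", p1_sa.message)
        authed = int(m.group(1)) if m else None
    server = re.search(r'server "([^"]+)"', attempt.message).group(1) if attempt else None
    result = {
        "server": server,
        "client_behind_nat": bool(nat and "This end IS behind a NAT device" in nat.message),
        "peer_behind_nat": (None if nat is None
                            else "Remote end is NOT behind a NAT device" not in nat.message),
        "peer_capabilities": sorted(e.message[len("Peer supports "):]
                                    for e in entries if e.message.startswith("Peer supports ")),
        "user_authenticated_sas": authed,
        "keepalives_sent": sum(1 for e in entries if "Sent a keepalive" in e.message),
        "seconds_to_abort": (round((abort.ts - begin.ts).total_seconds(), 1)
                             if abort and begin else None),
    }
    if abort is None:
        result["verdict"] = "no-abort-recorded"
    elif p1_sa is None:
        result["verdict"] = "phase1-never-established"
    elif authed == 0:
        # Keys were agreed but no user-authenticated SA ever appears: the XAUTH /
        # group-policy step on the head end did not complete before the client gave up.
        result["verdict"] = "phase1-keys-agreed-but-user-auth-never-completed"
    else:
        result["verdict"] = "aborted-after-user-auth"
    return result

# Constructed sample: a subset of the posted log, same format and redactions.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 5.0.07.0290
Client Type(s): Windows, WinNT
8 14:06:54.398 07/07/14 Sev=Info/4 CM/0x63100002
Begin connection process
10 14:06:54.420 07/07/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "RochesterVPN.XXX.XXX"
12 14:06:54.538 07/07/14 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
17 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
18 14:06:54.704 07/07/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
26 14:06:54.708 07/07/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
27 14:06:54.708 07/07/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
31 14:07:05.189 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:07:15.347 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:07:25.490 07/07/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:07:31.392 07/07/14 Sev=Info/4 CM/0x63100006
Abort connection attempt before Phase 1 SA up
"""

if __name__ == "__main__":
    for key, value in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full posted log, the verdict is the same as for the sample: the crypto part of Phase 1 completes within a second, the client then sends keepalives for about 37 seconds and aborts without ever reaching a user-authenticated SA, which points at the head end's remote-access side (group/XAUTH) rather than at reachability or proposal mismatch.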
07-08-2014 06:27 AM
ASA Version 8.4(4)1
!
hostname remoteASA
domain-name
dns-guard
!
interface GigabitEthernet0/0
shutdown
nameif SAN
security-level 99
ip address 192. 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172. 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10. 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 255.255.255.240
ospf cost 10
ospf network point-to-point non-broadcast
!
interface Management0/0
shutdown
nameif Management
security-level 100
ip address 10. 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
o
object-group network DM_INLINE_NETWORK_2
group-object DROP_DoNotRoute
group-object VulnScannerIPs
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_5
network-object object AD3
network-object object AD4
object-group service DM_INLINE_SERVICE_2
service-object object IPSEC-udp
service-object esp
service-object object View-AJP13
service-object object View-JMS
object-group network DM_INLINE_NETWORK_6
network-object object Xerox
network-object object TestMonitor2
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq www
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq https
access-list Outside_authentication_BA_Auth extended permit tcp any host 64. eq 3389 inactive
access-list inside_nat0_outbound extended permit ip 255.255.255.0 object-group _LAN
access-list inside_nat0_outbound extended permit ip object-group _LAN 1920255.255.255.0
access-list acl_nonat extended permit ip object-group _LAN object-group bbb_LAN
access-list acl_nonat extended permit ip object-group _LAN object lePointLAN
access-list acl_nonat extended permit ip object-group _LAN XX.XX10.0 255.255.255.0
access-list acl_nonat extended permit ip XX.XX10.0 255.255.255.0 object-group bbb_LAN
access-list acl_nonat extended permit ip object-group bbb_LAN XX.XX10.0 255.255.255.0
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0
access-list acl_nonat extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XXX.XXX5.0 255.255.255.0
access-list acl_nonat extended permit ip XXX.XXX200.0 255.255.255.0 XXX.XXX4.0 255.255.255.0
access-list acl_nonat extended permit ip XXX.XXX0.0 255.255.0.0 XX.XX10.0 255.255.255.0
access-list acl_nonat extended permit ip object-group _LAN object-group TestPool
access-list acl_nonat extended permit ip object-group _LAN object-group ccc_LAN
access-list acl_nonat extended permit ip object-group TestPool object-group _LAN
access-list outside_cryptomap extended permit ip 172. 255.255.0.0 192.1 255.255.255.0 inactive
access-list inside_access_out extended deny ip any object-group DM_INLINE_NETWORK_4 log notifications
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_10 object-group _LAN host 161.242.XX.XXX
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX4.0 255.255.255.0
access-list inside_access_out extended permit ip object-group _LAN XXX.XXX5.0 255.255.255.0
access-list inside_access_out extended permit ip object-group _LAN object-group bbb_LAN
access-list inside_access_out extended permit ip object-group _LAN object lePointLAN inactive
access-list inside_access_out extended permit ip object _UTM any
access-list inside_access_out extended permit ip object-group DM_INLINE_NETWORK_10 object-group ccc_LAN
access-list inside_access_out extended permit object-group TCPUDP object-group DNSServers any eq domain
access-list inside_access_out extended permit tcp host XXX.XXX210.56 host 54. object-group DM_INLINE_TCP_2
access-list inside_access_out extended deny object-group TCPUDP any any eq domain
access-list inside_access_out extended permit tcp any any object-group RDP
access-list inside_access_out extended permit tcp object AntiSpam any eq smtp
access-list inside_access_out extended permit tcp object AntiSpamVM any eq smtp
access-list inside_access_out extended permit tcp host XXX.XXX210.58 any eq smtp
access-list inside_access_out extended deny ip any host 216.
access-list inside_access_out extended deny ip any host 204.
access-list inside_access_out extended deny ip any host 216.
access-list inside_access_out extended permit ip host XXX.XXX10.7 any
access-list inside_access_out extended permit udp any any eq syslog
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX10.17
access-list inside_access_out extended permit tcp object EX2007 any eq smtp inactive
access-list inside_access_out extended permit ip XXX.XXX5.0 255.255.255.0 any inactive
access-list inside_access_out extended deny ip any host 67.
access-list inside_access_out extended deny ip host XXX.XXX10.24 any
access-list inside_access_out extended deny tcp any any range 135 netbios-ssn log notifications
access-list inside_access_out extended deny udp any any range 135 139
access-list inside_access_out extended deny tcp any any eq 445
access-list inside_access_out extended deny udp any any eq tftp inactive
access-list inside_access_out extended deny udp any any eq syslog inactive
access-list inside_access_out extended permit udp object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_1 range snmp snmptrap
access-list inside_access_out extended deny udp any any range snmp snmptrap
access-list inside_access_out extended deny tcp any any range 6660 6669
access-list inside_access_out extended deny tcp any any eq pop3
access-list inside_access_out extended deny object-group TCPUDP any any eq kerberos
access-list inside_access_out extended permit object Web8080 XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit object Web8000 XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit object Web8765 XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit object Web8443 XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit object Web81 XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit tcp XXX.XXX0.0 255.255.0.0 any object-group DM_INLINE_TCP_1
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip XXX.XXX0.0 255.255.0.0 any
access-list inside_access_out extended permit ip XXX.XXX4.0 255.255.255.0 any
access-list inside_access_out extended permit ip object-group _LAN host XXX.XXX210.113
access-list inside_access_out extended deny ip any any
!
tcp-map mss-map
!
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu Management 1500
ip local pool ClientPool XX.XX10.1-XX.XX10.254 mask 255.255.255.0
ip local pool InsidePool XXX.XXX10.200-XXX.XXX10.220 mask 255.255.255.0
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ
icmp permit host 64. outside
asdm image disk1:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static _LAN _LAN destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static lePointLAN lePointLAN no-proxy-arp
nat (inside,any) source static obj-XX.XX10.0 obj-XX.XX10.0 destination static bbb_LAN bbb_LAN no-proxy-arp
nat (inside,any) source static bbb_LAN bbb_LAN destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static _LAN _LAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
nat (inside,outside) source static _LAN _LAN destination static ccc_LAN ccc_LAN
nat (inside,outside) source static HOST_CUBE_LOOPBACK HOST_CUBE_LOOPBACK destination static ccc_LAN ccc_LAN
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XXX.XXX5.0 obj-XXX.XXX5.0 no-proxy-arp
nat (inside,any) source static obj-XXX.XXX0.0 obj-XXX.XXX0.0 destination static obj-XX.XX10.0 obj-XX.XX10.0 no-proxy-arp
nat (SAN,any) source static SAN SAN destination static obj-XXX.XXX4.0 obj-XXX.XXX4.0 no-proxy-arp
!
object network AntiSpam
nat (inside,any) static 64. service tcp smtp smtp
object network obj-172.
nat (inside,outside) static 64. service tcp 3389 3389
object network obj-172.
nat (inside,outside) static 64. service tcp https https
object network obj-172.
nat (inside,outside) static 64. service tcp 3389 3389
object network obj-172.
nat (inside,outside) static interface service tcp 5001 5001
object network obj-172.
nat (inside,outside) static interface service udp 5001 5001
object network obj-172.
nat (inside,outside) static securemail.law.com
object network Check_PC
nat (inside,outside) static 64.
object network obj_any
nat (inside,inside) dynamic
object network obj_any-01
nat (inside,outside) dynamic interface
object network obj_any-02
nat (DMZ,outside) dynamic interface
object network obj-XX.XX1.9
nat (DMZ,outside) static 64.
object network obj-XX.XX1.6
nat (DMZ,outside) static 64.
!
nat (inside,outside) after-auto source static obj-172. service http http
access-group SAN_access_in in interface SAN
access-group inside_access_out in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface outside
!
route-map vpn-routes permit 10
match ip address filter-default-static-route
!
route-map vpn-routes permit 20
match interface outside
set metric-type type-2
!
!
router ospf 1
network 172255.255.0.0 area 0
area 0
log-adj-changes
redistribute static metric 10
!
route outside 0.0.0.0 0.0.0.0 64. 1
route inside XXX.XXX0.0 255.255.0.0 XXX.XXX10.5 1
route inside XXX.XXX99.0 255.255.255.252 XXX.XXX10.5 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 3:00:00 absolute uauth 0:30:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAPMAP
map-name sAMAccountName IETF-Radius-Class
map-value sAMAccountName sAMAccountName Tunnel-Group-Lock
dynamic-access-policy-record DfltAccessPolicy
description "WebAccess"
webvpn
url-list value Intranet
url-entry enable
aaa-server BA_Auth protocol radius
aaa-server BA_Auth (inside) host 172.
key *****
aaa-server BA_Auth (inside) host 172.
key *****
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.
server-port 636
ldap-base-dn OU=Users,OU=,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAPMAP
aaa-server LDAP (inside) host 172.
server-port 636
ldap-base-dn OU=Users,OU=,dc=,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Administrator,cn=users,dc=,dc=net
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map LDAPMAP
user-identity default-domain LOCAL
eou allow none
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication match Outside_authentication_BA_Auth outside BA_Auth
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authentication secure-http-client
aaa authentication listener http outside port 1080 redirect
aaa authentication listener https outside port 1443 redirect
http server enable
sysopt connection tcpmss 1460
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map lePoint 3 match address outside_cryptomap_2
crypto dynamic-map lePoint 3 set pfs
crypto dynamic-map lePoint 3 set reverse-route
crypto map inside_map 1 match address outside_cryptomap
crypto map inside_map 1 set pfs
crypto map inside_map 1 set connection-type answer-only
crypto map inside_map 1 set peer 216.
crypto map inside_map 1 set ikev1 phase1-mode aggressive
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 1 set security-association lifetime seconds 28800
crypto map inside_map 1 set security-association lifetime kilobytes 4608000
crypto map inside_map 1 set reverse-route
crypto map inside_map 2 match address outside_cryptomap_1
crypto map inside_map 2 set pfs
crypto map inside_map 2 set connection-type answer-only
crypto map inside_map 2 set peer 208.
crypto map inside_map 2 set ikev1 phase1-mode aggressive
crypto map inside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 2 set reverse-route
crypto map inside_map 3 ipsec-isakmp dynamic
crypto map inside_map 4 match address outside_cryptomap_3
crypto map inside_map 4 set pfs
crypto map inside_map 4 set peer 63.
crypto map inside_map 4 set ikev1 phase1-mode aggressive
crypto map inside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map inside_map 4 set reverse-route
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 31
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-delimiter @
!
class-map ipsecpassthru-traffic
match access-list ipsecpassthru
class-map inspection_default
match default-inspection-traffic
class-map mss-class
match access-list mss-list
class-map http-map1
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ipsec-pass-thru iptmap
parameters
esp
ah
policy-map inspection_policy
class ipsecpassthru-traffic
inspect ipsec-pass-thru iptmap
policy-map global_policy
class http-map1
set connection advanced-options mss-map
class inspection_default
inspect pptp
inspect ftp
inspect ip-options
inspect ipsec-pass-thru
class class-default
policy-map type inspect esmtp esmtp_map
parameters
allow-tls action log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map mss-class
class mss-class
set connection advanced-options mss-map
inspect ipsec-pass-thru iptmap
policy-map type inspect ftp Test
parameters
!
service-policy global_policy global
service-policy mss-class interface outside
smtp-server
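As an added example (my own code, not from the original post or from Cisco), the following script parses the crypto-relevant lines of an ASA configuration dump in the form posted above and audits them from a defender's perspective: weak transform-set algorithms, IKEv1 policies with small DH groups, crypto-map entries that force IKEv1 aggressive mode, references to undefined transform-sets, and a dynamic crypto map applied with no remote-access tunnel-group in the dump (the omission a later reply in the thread points out). The weak-algorithm list, severity levels and wording are my own baseline; the sample config is a constructed subset of the posted one with a documentation peer address and one deliberately undefined transform-set name.

```python
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
# Algorithm tokens an ASA 8.4 still accepts but that are weak by today's standards.
WEAK_ALGS = {"des", "esp-des", "3des", "esp-3des", "md5", "esp-md5-hmac"}

def parse_asa(text: str) -> dict:
    """Pull transform-sets, IKEv1 policies, crypto-map entries and tunnel-groups out of a dump."""
    cfg = {"transform_sets": {}, "ikev1_policies": {}, "entries": {}, "tunnel_groups": []}
    policy = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        # Sub-lines of "crypto ikev1 policy N" (indentation may be lost in a paste).
        if policy is not None and tok[0] in POLICY_KEYS and len(tok) > 1:
            policy[tok[0]] = tok[1]
            continue
        policy = None
        if tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and len(tok) > 5 and tok[5] != "mode":
            cfg["transform_sets"][tok[4]] = tok[5:]
        elif tok[:3] == ["crypto", "ikev1", "policy"] and len(tok) > 3:
            policy = cfg["ikev1_policies"].setdefault(tok[3], {})
        elif tok[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and len(tok) > 4 and tok[3].isdigit():
            entry = cfg["entries"].setdefault((tok[1], tok[2], int(tok[3])), {})
            if tok[4:6] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = tok[6] if len(tok) > 6 else ""
            elif tok[4] == "set" and len(tok) > 5:
                if tok[5] == "ikev1" and len(tok) > 6:
                    entry["ikev1 " + tok[6]] = tok[7:]
                else:
                    entry[tok[5]] = tok[6:]
        elif tok[0] == "tunnel-group" and len(tok) > 3 and tok[2] == "type":
            cfg["tunnel_groups"].append((tok[1], tok[3]))
    return cfg

def audit(cfg: dict) -> list:
    """Return (severity, object, message) findings; the rules are my own baseline."""
    findings = []
    for name, algs in cfg["transform_sets"].items():
        weak = [a for a in algs if a in WEAK_ALGS]
        if weak:
            findings.append(("warn", f"transform-set {name}", "uses weak algorithm(s) " + ", ".join(weak)))
    for num, p in cfg["ikev1_policies"].items():
        if p.get("encryption") in WEAK_ALGS or p.get("hash") in WEAK_ALGS:
            findings.append(("warn", f"ikev1 policy {num}",
                             f"weak encryption/hash {p.get('encryption')}/{p.get('hash')}"))
        if p.get("group") in ("1", "2", "5"):
            findings.append(("warn", f"ikev1 policy {num}",
                             f"DH group {p['group']} is below 2048-bit; prefer group 14 or higher"))
    for (kind, name, seq), e in cfg["entries"].items():
        label = f"crypto {kind} {name} {seq}"
        if e.get("ikev1 phase1-mode") == ["aggressive"]:
            findings.append(("warn", label, "IKEv1 aggressive mode with pre-shared keys exposes the "
                                            "PSK-derived hash to offline guessing; prefer main mode"))
        for ts in e.get("ikev1 transform-set", []):
            if ts not in cfg["transform_sets"]:
                findings.append(("error", label, f"references undefined transform-set {ts}"))
    if any("dynamic" in e for e in cfg["entries"].values()) and \
            not any(t == "remote-access" for _, t in cfg["tunnel_groups"]):
        findings.append(("error", "tunnel-group", "a dynamic crypto map is applied but no remote-access "
                         "tunnel-group is defined in this config, so VPN clients have nothing to authenticate against"))
    return findings

# Constructed sample: a subset of the posted config; 203.0.113.1 is a documentation address
# and ESP-AES-128-SHA is left undefined on purpose to exercise the reference check.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map inside_map 1 match address outside_cryptomap
crypto map inside_map 1 set peer 203.0.113.1
crypto map inside_map 1 set ikev1 phase1-mode aggressive
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

if __name__ == "__main__":
    for severity, obj, msg in audit(parse_asa(SAMPLE_CONFIG)):
        print(f"[{severity}] {obj}: {msg}")
```

The parser keys on command tokens rather than indentation because pasted configs, like the one above, usually arrive with leading spaces stripped. Feed it the whole running config and the tunnel-group finding is the first thing to resolve: without a remote-access tunnel-group and group-policy the dynamic map can finish Phase 1 key agreement but has nothing to authenticate the client against.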
07-25-2014 04:46 AM
Hi,
The configuration you have provided is the other end LAN's VPN firewall, right? From your LAN you are trying to access the other LAN using the RA VPN, right?
Also, I do not see the complete configuration; the tunnel group configuration is missing from it. Please clarify your scenario, and I will help you out with this.
Regards
Karthik
07-28-2014 11:30 PM
Hi,
Your VPN config is purely a site-to-site VPN type, not remote access. Why are you using a VPN client in a site-to-site environment?!