06-04-2012 03:01 PM
I am trying to configure an L2L VPN tunnel to a service provider using an ASA 5505.
My problem is that the service provider will not accept traffic from a LAN subnet; they will only accept traffic from a public IP.
We have a small public subnet of x.x.x.50/255.255.255.248, our public IP (outside interface IP on the ASA 5505) is x.x.x.50, and the service provider wants to see traffic coming from us on x.x.x.51.
How can I NAT our LAN subnet (10.0.0.0/24) to one public IP (x.x.x.51)?
I'm new to Cisco firewalls, so essentially I need a complete config.
All help is highly appreciated.
06-04-2012 03:27 PM
Hello Cato,
For that NAT you need the following:
192.168.12.0/24 is the ISP network
10.0.0.0/24 is the inside local network
access-list test permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 10 access-list test
global (outside) 10 x.x.x.51
On the encrypted VPN traffic (crypto ACL),
the encrypted traffic will be from:
access-list VPN permit ip host x.x.x.51 192.168.12.0 255.255.255.0
Regards,
Julio
Rate all the helpful posts
06-04-2012 03:54 PM
Thank you for your answer, I did the suggested configuration but the tunnel will still not connect.
Regarding the L2L VPN setup, should the local network be x.x.x.51 or the local LAN subnet (10.0.0.0/24)?
Best regards,
Cato
06-04-2012 04:00 PM
Hello Cato,
The local subnet will be 10.0.0.0/24, but to the ISP it will look like x.x.x.51.
Please post the entire config for assistance.
Regards,
06-04-2012 04:16 PM
That's how it is configured. I'm trying to find traces of VPN connection attempts in the log but can't find any.
Best regards,
Cato
06-04-2012 04:20 PM
It could be a problem on the ISP side.
Again please post the configuration for assistance.
Rate all the helpful posts
06-04-2012 11:29 PM
Hello,
Here is the running config:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password ########## encrypted
passwd ######### encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name 195.160.170.79 FDl_service-ip
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address GW 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
service-object tcp eq 1433
service-object tcp eq sqlnet
object-group network FDL_VPN
network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 1 x.x.x.51 netmask 255.0.0.0
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_1
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
vpn-idle-timeout none
vpn-filter value VPN
vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b4cb57a31f3c3ee66438e30af7686439
: end
Best regards,
Cato
06-05-2012 05:07 AM
Hello Cato,
Here is what I want you to change, as it's not properly set up:
nat (inside) 10 access-list VPN
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
no access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
no access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
Regards,
Julio
06-05-2012 09:21 AM
Hello,
I (think) I managed to make the suggested changes, but the tunnel still won't establish a connection.
I did a show crypto isakmp and got this output:
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 1
In Octets: 2880
In Packets: 10
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 3968
Out Packets: 25
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 7
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 7
Initiator Tunnels: 1
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
These are the policy requirements from the service provider:
Isakmp policy:
Encryption algorithm: AES256
Hash algorithm: SHA
Authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
Lifetime: 1440 min
Aggressive mode: None
Ipsec policy:
Encryption algorithm: AES256
Hash algorithm: SHA
Security association lifetime: 3600 seconds
Perfect forward secrecy: Group 2
As far as I can tell the tunnel should be configured according to these requirements?
This is the currently running config:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password ####### encrypted
passwd ###### encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name x.x.170.79 FDl_service-ip
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address GW 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
service-object tcp eq 1433
service-object tcp eq sqlnet
object-group network FDL_VPN
network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 84.49.73.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 1 x.x.x.51 netmask 255.0.0.0
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_2
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
vpn-idle-timeout none
vpn-filter value inside_cryptomap_1
vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:403e2d4f17c5304ff1d9bd8252cb1886
: end
Best regards,
Cato
06-05-2012 09:29 AM
Hello Cato,
You are missing the global command for the NAT
global (outside) 10 x.x.x.51
Regards,
Julio
06-05-2012 09:40 AM
Hello,
I tried that but got this response:
"global for this range already exists"
Best regards,
Cato
06-05-2012 09:45 AM
Hello,
no global (outside) 1 x.x.x.51
global (outside) 10 x.x.x.51
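The two fixes Julio gives above (the crypto ACL must describe the post-NAT source x.x.x.51, and the nat and global statements must share the same NAT id) can be checked against a small model of ASA 8.2 policy NAT. This is an added illustration, not code from the thread; the addresses are constructed RFC 5737 stand-ins for the masked values (203.0.113.51 plays x.x.x.51, 198.51.100.0/24 plays FirstDataLAN), and the model assumes the crypto map is applied on the egress interface so the crypto ACL sees the translated packet.

```python
"""Model of ASA 8.2 policy NAT (nat/global pairs) feeding a crypto ACL.

Constructed stand-ins for the thread's masked addresses:
  203.0.113.51      -> x.x.x.51 (the public address the provider expects)
  198.51.100.0/24   -> FirstDataLAN (the provider's network)
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")            # inside network (from the thread)
NAT_IP = ip_address("203.0.113.51")        # stand-in for x.x.x.51
FIRSTDATA = ip_network("198.51.100.0/24")  # stand-in for FirstDataLAN


def ace_matches(ace, src, dst):
    """ace = (src_net, dst_net); 'host' entries are /32 networks."""
    return src in ace[0] and dst in ace[1]


class Asa82Nat:
    """nat (inside) <id> access-list <acl>  +  global (outside) <id> <ip>."""

    def __init__(self):
        self.policy_nat = {}   # nat id -> ACEs of the referenced ACL
        self.globals = {}      # nat id -> global address on the outside interface

    def nat(self, nat_id, aces):
        self.policy_nat[nat_id] = list(aces)

    def add_global(self, nat_id, ip):
        # The ASA refuses a global address another NAT id already owns; that is
        # why 'no global (outside) 1 x.x.x.51' has to precede 'global (outside) 10'.
        for other_id, other_ip in self.globals.items():
            if other_ip == ip and other_id != nat_id:
                raise ValueError("global for this range already exists")
        self.globals[nat_id] = ip

    def remove_global(self, nat_id):
        self.globals.pop(nat_id, None)

    def translate(self, src, dst):
        """Return the source address as the outside peer would see it."""
        for nat_id, aces in self.policy_nat.items():
            if any(ace_matches(a, src, dst) for a in aces):
                # Model assumption: a nat id with no matching global leaves the
                # packet untranslated (the real box may also drop it); either
                # way the packet never carries x.x.x.51 as its source.
                return self.globals.get(nat_id, src)
        return src


def tunnel_triggered(asa, crypto_acl, src, dst):
    """The crypto ACL is evaluated against the post-NAT packet."""
    return any(ace_matches(a, asa.translate(src, dst), dst) for a in crypto_acl)


def scenario(global_id):
    """The thread's config with x.x.x.51 bound to the given NAT id."""
    asa = Asa82Nat()
    asa.nat(10, [(LAN, FIRSTDATA)])         # nat (inside) 10 access-list VPN
    asa.add_global(global_id, NAT_IP)       # global (outside) <id> x.x.x.51
    # access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN
    crypto = [(ip_network(f"{NAT_IP}/32"), FIRSTDATA)]
    return tunnel_triggered(asa, crypto, LAN[97], FIRSTDATA[79])


if __name__ == "__main__":
    print("global id 1  ->", scenario(1))    # False: nat 10 has no global 10
    print("global id 10 ->", scenario(10))   # True: source becomes x.x.x.51
```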
06-05-2012 10:00 AM
Hello,
Thank you, that made me able to make the config change, but unfortunately the tunnel is still dead.
Best regards,
Cato
06-05-2012 10:05 AM
The configuration looks fine.
Please check the ciphers you are using for phase 1 and phase 2 with the ISP so you can ensure they match.
Regards,
06-05-2012 10:35 AM
OK, I will do that, and thank you for all your help; it's highly appreciated.
Could I be so bold as to ask if you could have a last look at the current config? I just want to be sure that I haven't made a mistake with the last changes. What I did notice is that x.x.x.51 now seems to be x.x.x.48, which is our public network address?
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name x.x.170.79 FDl_service-ip
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address GW 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
service-object tcp eq 1433
service-object tcp eq sqlnet
object-group network FDL_VPN
network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0 inactive
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 10 x.x.x.51
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_2
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:03694ab933eb8d601d677fcf0afe7e8f
: end
Best regards,
Cato