07-18-2012 05:05 AM
I'm trying to set up a site to site VPN link between the ASA5510 that we use exclusively as a VPN endpoint on campus and a D-Link DIR130 VPN Router off campus, at a local business with a dynamically assigned IP. We currently use the ASA for remote access users who use the Cisco VPN client on mobile devices, as well as for a single site to site link to our telecom provider for the purposes of monitoring telecom equipment remotely.
We are looking for a way to cheaply deploy secure VPN connections to local businesses to allow them to use point of sale devices which connect back to systems on campus, so students can use their meal cards at local restaurants, similarly to how they use them at the on-campus cafeteria.
I have experience configuring Cisco switches, APs and routers, but this ASA device absolutely baffles me. I've futzed around with the ASDM 6.4 GUI config and tried to match up configurations between the DIR130 and the ASA, but I can never get a VPN connection to come up. Anyone who can point me to an example, or provide me with help on this, would be appreciated. I've Google-searched and found very little that, with my limited experience in ASA configuration, I can apply to my scenario.
07-18-2012 10:00 AM
You would need to configure a static route on the 6509 for 192.168.5.0/24 towards the ASA inside interface:
ip route 192.168.5.0 255.255.255.0 131.162.160.2
Assuming that 131.162.160.1 is your 6509.
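What the accepted answer leaves implicit is the shape of the ASA side for a peer whose address changes. With no fixed address there is nothing to put in "set peer", so the DIR130 has to be caught by a dynamic crypto map and authenticate through the DefaultL2LGroup tunnel-group, and it must always be the side that initiates. The block below is an added example written for this thread; it is not configuration from the original poster, from the answerer or from Cisco. It uses the ASA 8.4(2) IKEv1 syntax of the configuration posted further down. The remote LAN 192.168.5.0/24 and the 6509 next hop come from the thread; the campus POS back-end subnet 131.162.10.0/24, the object and map names, the AES-256/SHA-1/group 2 proposal and the key placeholder are assumptions and have to be changed to whatever the DIR130 is actually set to.

```cisco
! ===== ASA 8.4(2) side: IKEv1 site-to-site to a peer with a changing address =====
! Added example for this thread, not the poster's running config. Assumptions (change to fit):
!   POS back-end subnet on campus   131.162.10.0/24   (assumed)
!   DIR130 LAN at the restaurant    192.168.5.0/24    (from the thread)
!   Phase 1/2 proposal AES-256 / SHA-1 / DH group 2   (assumed; must equal the DIR130 settings)
object network POS-BACKEND
 subnet 131.162.10.0 255.255.255.0
object network DIR130-LAN
 subnet 192.168.5.0 255.255.255.0
!
! Identity (twice) NAT so tunnel traffic is not caught by "nat (inside,outside) dynamic interface".
! Manual (section 1) NAT is checked before object NAT, so this rule wins over the obj_any PAT.
! no-proxy-arp and route-lookup (both 8.4(2) keywords) stop the ASA answering ARP for the remote
! LAN on the inside and make it forward by routing table rather than by the NAT rule.
nat (inside,outside) source static POS-BACKEND POS-BACKEND destination static DIR130-LAN DIR130-LAN no-proxy-arp route-lookup
!
! Phase 1. The policy number only sets priority; every attribute must match what the DIR130 sends.
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
! The posted config has "no crypto isakmp nat-traversal". Re-enable it (keepalive every 20 s),
! or the tunnel fails the day the DIR130 ends up behind another NAT device.
crypto isakmp nat-traversal 20
!
! Phase 2.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list DIR130_cryptomap extended permit ip object POS-BACKEND object DIR130-LAN
! Dynamic crypto map: no "set peer" because the address is unknown. The match address keeps this
! entry for the restaurant tunnel instead of letting it fall through to the remote-access
! SYSTEM_DEFAULT_CRYPTO_MAP at sequence 65535. Sequence 10 is unused in the posted outside_map.
crypto dynamic-map DYN-L2L 10 match address DIR130_cryptomap
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYN-L2L 10 set pfs group2
crypto map outside_map 10 ipsec-isakmp dynamic DYN-L2L
crypto map outside_map interface outside
!
! A site-to-site peer with no matching static entry authenticates against DefaultL2LGroup.
! Use a long random key; the same value goes into the DIR130. A named tunnel-group works
! instead only if the DIR130 sends a distinct IKE identity the ASA can match (assumption
! about the device; check before relying on it).
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <long-random-psk>
!
! Not needed: outside ACL entries for isakmp/esp (to-the-box traffic is not filtered by the
! access-group), or ACL entries for the decrypted traffic while "sysopt connection permit-vpn"
! stays at its default of on. The DIR130 must always initiate: the ASA cannot dial an address it
! does not know, so set the DIR130 to keep the tunnel up (keepalive/DPD) rather than on demand.
!
! ===== 6509 (IOS) side, from the accepted answer: return path for the restaurant LAN =====
ip route 192.168.5.0 255.255.255.0 131.162.160.2
!
! ===== Verification on the ASA =====
! Phase 1 up?
show crypto ikev1 sa
! Phase 2 up, with encaps/decaps counters moving in both directions?
show crypto ipsec sa peer <current DIR130 address>
! Hit counts on the identity NAT rule (zero hits means the PAT rule is still eating the traffic).
show nat detail
! Walks NAT, route and VPN phases for a campus-to-restaurant packet without sending anything.
packet-tracer input inside tcp 131.162.10.10 1024 192.168.5.10 443
! A phase 1 mismatch (proposal or pre-shared key) shows up here while the DIR130 is initiating.
debug crypto ikev1 127
```

Two things in the posted config work against a dynamic peer and are worth fixing while in there: "no crypto isakmp nat-traversal" globally (and "set nat-t-disable" on the ALIANT map) is what the example reverses, and a new dynamic-map entry without its own "match address" would leave the restaurant tunnel to land in the remote-access default map. Separately, "http 0.0.0.0 0.0.0.0 outside" and "ssh 0.0.0.0 0.0.0.0 outside" open ASDM and SSH to every address on the Internet and should be narrowed to the management hosts that need them, and the DES and MD5 transform sets plus "crypto ikev1 policy 10" (3DES/MD5) are only there for old peers and can go once the D-Link side is confirmed to negotiate AES/SHA.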
07-18-2012 10:05 AM
Excellent...
Yes, just check the output of "show cry ipsec sa peer
07-18-2012 10:26 AM
You got it, spot on!!
07-18-2012 08:25 AM
Please share your current configuration on the ASA, and also your requirement (IKE policy, IPsec policy, local and remote subnets).
07-18-2012 08:32 AM
Begin ASA Config
: Saved
: Written by ASAADMIN at 08:49:15.576 ADT Tue May 8 2012
!
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name acadiau.ca
enable password * encrypted
passwd * encrypted
names
name 131.162.0.0 acadia description acadia's network
!
interface Ethernet0/0
description Outside interface
nameif outside
security-level 0
ip address 131.162.6.3 255.255.255.0
!
interface Ethernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 131.162.160.2 255.255.248.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 131.162.200.67
domain-name acadiau.ca
object network obj-131.162.64.0
subnet 131.162.64.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.187.0.0
subnet 10.187.18.0 255.255.255.0
object network pbx_allowed
host 24.215.86.154
object network Bell_Aliant_207.179.141.0
subnet 207.179.141.0 255.255.255.128
object network obj-10.187.18.1
host 10.187.18.1
object network obj-10.187.18.2
host 10.187.18.2
object network obj-10.187.18.3
host 10.187.18.3
object network obj-10.187.18.4
host 10.187.18.4
object network obj-131.162.10.249
host 131.162.10.249
object network obj-131.162.9.2
host 131.162.9.2
object network obj-131.162.9.3
host 131.162.9.3
object network obj-131.162.11.30
host 131.162.11.30
object network obj-10.187.18.200
host 10.187.18.200
object network obj-10.187.18.254
host 10.187.18.254
object network obj-131.162.9.200
host 131.162.9.200
object network obj-131.162.9.254
host 131.162.9.254
object network obj-131.162.9.249
host 131.162.9.249
object network obj-10.187.18.249
host 10.187.18.249
access-list acadia-standard_splitTunnelAcl standard permit 131.162.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 131.162.64.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any eq netbios-dgm
access-list inside_access_in extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit udp any any eq netbios-dgm
access-list outside_access_in extended permit udp any any eq netbios-ns
access-list outside_access_in extended permit udp host 142.166.74.148 any eq isakmp
access-list outside_access_in extended permit esp host 142.166.74.148 any
access-list outside_access_in extended permit udp host 142.166.74.148 any eq 4500
access-list test extended permit ip host 131.162.137.86 host 131.162.160.2
access-list test extended permit ip host 131.162.160.2 host 131.162.137.86
access-list splittunnel remark Acadia network
access-list splittunnel standard permit 131.162.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip object obj-10.187.0.0 object Bell_Aliant_207.179.141.0
access-list outside_cryptomap_1 extended permit ip object obj-10.187.0.0 object Bell_Aliant_207.179.141.0
access-list ipsec-conn extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list nonat extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list ipsec-con extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list VPN_NAT extended permit ip 131.162.9.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list VPN_NAT extended permit ip 131.162.10.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list VPN_NAT extended permit ip 131.162.11.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128
access-list OUTSIDE extended permit udp host 142.166.74.148 any eq isakmp
access-list OUTSIDE extended permit udp host 142.166.74.148 any eq 4500
access-list OUTSIDE extended permit esp host 142.166.74.148 any
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging trap notifications
logging history informational
logging asdm informational
logging facility 22
logging host inside 131.162.137.234
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool PBX-Pool 10.200.0.0-10.200.0.100 mask 255.255.255.0
ip local pool Acadia-Pool 131.162.64.10-131.162.64.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-645-106.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-131.162.10.249 obj-10.187.18.1 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
nat (inside,outside) source static obj-131.162.9.2 obj-10.187.18.2 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
nat (inside,outside) source static obj-131.162.9.3 obj-10.187.18.3 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
nat (inside,outside) source static obj-131.162.11.30 obj-10.187.18.4 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
nat (inside,any) source static any any destination static obj-131.162.64.0 obj-131.162.64.0
nat (inside,any) source static any any destination static obj-10.187.0.0 obj-10.187.0.0
nat (inside,outside) source static obj-131.162.9.200 obj-10.187.18.200 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
nat (inside,outside) source static obj-131.162.9.249 obj-10.187.18.249 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-10.187.0.0
nat (inside,outside) static 131.162.11.30
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 131.162.6.2 1
route inside acadia 255.255.0.0 131.162.160.1 1
route inside 0.0.0.0 0.0.0.0 131.162.160.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Acadia-AD protocol radius
aaa-server Acadia-AD (inside) host 131.162.200.67
key *****
radius-common-pw *
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http acadia 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 142.166.74.148
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map ALIANT 1 match address outside_1_cryptomap
crypto map ALIANT 1 set peer 142.166.74.148
crypto map ALIANT 1 set ikev1 transform-set ESP-3DES-MD5
crypto map ALIANT 1 set nat-t-disable
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=131.162.6.3
keypair ASDM_TrustPoint0
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
fqdn ciscoasa
subject-name CN=ciscoasa
crl configure
crypto ca trustpoint vpn.asa.trustpoint
enrollment terminal
fqdn acadia-vpn.acadiau.ca
subject-name CN=acadia-vpn.acadiau.ca,OU=Technology Services,O=Acadia University,C=CA,St=Nova Scotia,L=Wolfville
keypair vpn.asa
crl configure
crypto ca trustpoint acadia-vpn-09
enrollment terminal
fqdn acadia-vpn.acadiau.ca
subject-name CN=acadia-vpn.acadiau.ca,OU=Technology services,O=Acadia University,C=CA,St=Nova Scotia,L=Wolfville
keypair acadia-vpn-09
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint4
keypair ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint5
keypair ASDM_TrustPoint5
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201d2 3082013b a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2f311430 12060355 0403130b 3133312e 3136322e 362e3331 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 30333031 30313030 31383234
5a170d31 32313232 39303031 3832345a 302f3114 30120603 55040313 0b313331
2e313632 2e362e33 31173015 06092a86 4886f70d 01090216 08636973 636f6173
6130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100c6a0
22ba9438 adbe45f1 32db4a68 9ce4f057 2b990e41 4f7d031c c4458eee 00da694f
65f6ab10 0debf870 baa5eddd 2b739abd 22a3fe30 c32b97bb e90eabee 404fa176
823a999d 4f3077c9 a5bb7fbb b7aaedb6 a1fadc3b 9feed581 dcb5dbdb 1435be31
f66cfd66 698a23e4 2f75a69c ef636b6e 055b9ae6 4a4f2972 752179c8 5a3d0203
01000130 0d06092a 864886f7 0d010104 05000381 81009598 049be3ad a67a2801
35d14ce6 530a91b0 7f2122ce d521c5a0 1d8d0a87 556c2169 de1405ee b5ed027b
e74b9b77 718c77d6 8c1a242a baf12365 c957d89f ab8d5524 ae548aa0 d69392b2
4de41764 2f033a8b dccce028 542c2de9 4afff20c 124a2353 f83f6dd8 0fe636e7
0309bc82 6618631b 31ed3fea 0b74726d 9f359776 d4ee
quit
crypto ca certificate chain vpn.asa.trustpoint
certificate 42207a6930db37d59f671e154f0b4ebb
3082038d 308202f6 a0030201 02021042 207a6930 db37d59f 671e154f 0b4ebb30
0d06092a 864886f7 0d010105 05003081 ce310b30 09060355 04061302 5a413115
30130603 55040813 0c576573 7465726e 20436170 65311230 10060355 04071309
43617065 20546f77 6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375
6c74696e 67206363 31283026 06035504 0b131f43 65727469 66696361 74696f6e
20536572 76696365 73204469 76697369 6f6e3121 301f0603 55040313 18546861
77746520 5072656d 69756d20 53657276 65722043 41312830 2606092a 864886f7
0d010901 16197072 656d6975 6d2d7365 72766572 40746861 7774652e 636f6d30
1e170d30 38313032 31313134 3834365a 170d3039 31303231 31313438 34365a30
8191310b 30090603 55040613 02434131 14301206 03550408 130b4e6f 76612053
636f7469 61311230 10060355 04071309 576f6c66 76696c6c 65311a30 18060355
040a1311 41636164 69612055 6e697665 72736974 79311c30 1a060355 040b1313
54656368 6e6f6c6f 67792053 65727669 63657331 1e301c06 03550403 13156163
61646961 2d76706e 2e616361 64696175 2e636130 819f300d 06092a86 4886f70d
01010105 0003818d 00308189 02818100 b5da2b6f 0fedca03 99993b8e 8c852d02
e46d8b1b 58400868 31dced5d 1cbd8938 cc050c73 6bc57952 6f517fcf 8a660261
0b03e7a5 1f033c24 8791fce5 05933054 d9ec344a e81753ad d253c247 920ffe9a
aac9149e 5899210e ef82b17b 0753e869 83731d29 507f94b6 70e4deff dd5d3b1c
0c0682d1 fb8c0036 8bc7450d b091a565 02030100 01a381a6 3081a330 1d060355
1d250416 30140608 2b060105 05070301 06082b06 01050507 03023040 0603551d
1f043930 373035a0 33a03186 2f687474 703a2f2f 63726c2e 74686177 74652e63
6f6d2f54 68617774 65507265 6d69756d 53657276 65724341 2e63726c 30320608
2b060105 05070101 04263024 30220608 2b060105 05073001 86166874 74703a2f
2f6f6373 702e7468 61777465 2e636f6d 300c0603 551d1301 01ff0402 3000300d
06092a86 4886f70d 01010505 00038181 004cf6fc 5621c6f3 db994705 950a56d5
761df1f9 b4f125df 9a8cb530 d1429ea0 f2ffaefa 99ddb611 fc853755 e3a6cbb3
1f46be43 df9f1466 af0f28e5 ffb6e5bf 1f01fa4a 2736bdaa 6cf382a1 a34e8460
2eea2c98 eec883a1 c12ed948 f6de741b 57ea464a fe0ca4da 817d5016 ea7c70eb
7b11ec27 b823d8d0 206d33c0 9ebf6993 38
quit
crypto ca certificate chain acadia-vpn-09
certificate 38b105d2948ffa5322d45c4294cc353c
3082038d 308202f6 a0030201 02021038 b105d294 8ffa5322 d45c4294 cc353c30
0d06092a 864886f7 0d010105 05003081 ce310b30 09060355 04061302 5a413115
30130603 55040813 0c576573 7465726e 20436170 65311230 10060355 04071309
43617065 20546f77 6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375
6c74696e 67206363 31283026 06035504 0b131f43 65727469 66696361 74696f6e
20536572 76696365 73204469 76697369 6f6e3121 301f0603 55040313 18546861
77746520 5072656d 69756d20 53657276 65722043 41312830 2606092a 864886f7
0d010901 16197072 656d6975 6d2d7365 72766572 40746861 7774652e 636f6d30
1e170d30 39313030 37313731 3134345a 170d3130 31303231 31313438 34365a30
8191310b 30090603 55040613 02434131 14301206 03550408 130b4e6f 76612053
636f7469 61311230 10060355 04071309 576f6c66 76696c6c 65311a30 18060355
040a1311 41636164 69612055 6e697665 72736974 79311c30 1a060355 040b1313
54656368 6e6f6c6f 67792073 65727669 63657331 1e301c06 03550403 13156163
61646961 2d76706e 2e616361 64696175 2e636130 819f300d 06092a86 4886f70d
01010105 0003818d 00308189 02818100 abbd7835 707d54de 6abbf857 60c72fbd
c094bf1d 56c337ad b31dbf15 4e07513c c599b8ed f5737390 ebcb226c 75886f9a
7609607c 98c0dda7 267491fb 67f14b03 d2930cdf ee2a2082 8e66761c b73e4f72
b6680ae1 797c79ac 49a86fd6 990dfcf4 a79fd702 95cd1619 8e61e53c da48504d
49b46c0b f7238572 0a952347 59da82f9 02030100 01a381a6 3081a330 1d060355
1d250416 30140608 2b060105 05070301 06082b06 01050507 03023040 0603551d
1f043930 373035a0 33a03186 2f687474 703a2f2f 63726c2e 74686177 74652e63
6f6d2f54 68617774 65507265 6d69756d 53657276 65724341 2e63726c 30320608
2b060105 05070101 04263024 30220608 2b060105 05073001 86166874 74703a2f
2f6f6373 702e7468 61777465 2e636f6d 300c0603 551d1301 01ff0402 3000300d
06092a86 4886f70d 01010505 00038181 005ede67 76cde6c7 125f4f40 63cfb175
a0080077 7aa214f5 f0e9148c d8cf1ade 8b882f3f 5d922c09 cbcb0321 f281f95f
3fb3e5d8 a1b32b56 97c5e019 0e363691 dbb222d3 9906d61c d72b82e5 fa82a656
d5817dae 28462e57 10b6310a 6c9010dc 6825d5d6 85997aa0 47b9e0e4 9a3fa094
e008d7c0 7157e5fb 7a1b137b 2ccf2a54 f6
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 0851f959814145cabde024e212c9c20e
30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30
0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530
23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520
43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 00bf610a 29101f5e fe343751 08f81efb 22ed61be 0b0d704c 50632675
15b94188 97b6f0a0 15bb0860 e042e805 29108736 8a2865a8 ef310774 6d36972f
28466604 c72a7926 7a99d58e c36d4fa0 5eadbc3d 91c2597b 5e366cc0 53cf0008
323e1064 58101369 c70cee9c 425100f9 0544ee24 ce7a1fed 8c11bd12 a8f315f4
1c7a3169 011ba7e6 5dc09a6c 7e099ee7 52444a10 3a23e49b b603afa8 9cb45b9f
d44bad92 8cceb511 2aaa3718 8db4c2b8 d85c068c f8ff23bd 355ed47c 3e7e830e
91960598 c3b21fe3 c865eba9 7b5da02c ccfc3cd9 6dedccfa 4b438cc9 d4b8a561
1cb240b6 2812dfb9 f85ffed3 b2c9ef3d b41e4b7c 1c4c9936 9e3debec a7685e1d
df676e5e fb020301 0001a382 02f73082 02f3300e 0603551d 0f0101ff 04040302
01863082 01c60603 551d2004 8201bd30 8201b930 8201b506 0b608648 0186fd6c
01030002 308201a4 303a0608 2b060105 05070201 162e6874 74703a2f 2f777777
2e646967 69636572 742e636f 6d2f7373 6c2d6370 732d7265 706f7369 746f7279
2e68746d 30820164 06082b06 01050507 02023082 01561e82 01520041 006e0079
00200075 00730065 0020006f 00660020 00740068 00690073 00200043 00650072
00740069 00660069 00630061 00740065 00200063 006f006e 00730074 00690074
00750074 00650073 00200061 00630063 00650070 00740061 006e0063 00650020
006f0066 00200074 00680065 00200044 00690067 00690043 00650072 00740020
00430050 002f0043 00500053 00200061 006e0064 00200074 00680065 00200052
0065006c 00790069 006e0067 00200050 00610072 00740079 00200041 00670072
00650065 006d0065 006e0074 00200077 00680069 00630068 0020006c 0069006d
00690074 0020006c 00690061 00620069 006c0069 00740079 00200061 006e0064
00200061 00720065 00200069 006e0063 006f0072 0070006f 00720061 00740065
00640020 00680065 00720065 0069006e 00200062 00790020 00720065 00660065
00720065 006e0063 0065002e 300f0603 551d1301 01ff0405 30030101 ff303406
082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a
2f2f6f63 73702e64 69676963 6572742e 636f6d30 818f0603 551d1f04 81873081
843040a0 3ea03c86 3a687474 703a2f2f 63726c33 2e646967 69636572 742e636f
6d2f4469 67694365 72744869 67684173 73757261 6e636545 56526f6f 7443412e
63726c30 40a03ea0 3c863a68 7474703a 2f2f6372 6c342e64 69676963 6572742e
636f6d2f 44696769 43657274 48696768 41737375 72616e63 65455652 6f6f7443
412e6372 6c301f06 03551d23 04183016 8014b13e c36903f8 bf4701d4 98261a08
02ef6364 2bc3301d 0603551d 0e041604 1450ea73 89db29fb 108f9ee5 0120d4de
79994883 f7300d06 092a8648 86f70d01 01050500 03820101 005d4f84 f1a888d3
a3b2bc9c 6de52949 77e1e7d6 dca9d835 aec971dc e5dbdc9d 242190a6 cfb7011c
9bd45797 91d77516 a512d7b9 3d2e893d 39698ad6 3537f9f1 21c45b40 ad59a92f
5f3a0029 43277103 e4bd3032 55a6fe84 0e0b9b38 192c437c ac43bf75 31e5231c
4555b769 0891b5cf d7d5b15e ee9f94e4 d67ab918 c3b8d652 631c10ba 8b2f6d5d
cc0538f4 56056def 9eece861 360c144b 85145a0c 834f225c 59cb8c8a 71dafac5
108458cf 07eee390 c2f5f929 c75a2371 f959b464 2b88b0a7 36c79a20 61ebfa4e
b5ae6b1b e4e3ece2 d93c4149 a820a454 f5928dbb c0552004 a6d8b017 16cce3d0
c8b43de5 d984c6d3 f66e6d78 c97943e8 7a37ff5c 3549bfa1 c5
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate 01288f785bc34867bd32c1ed63f69627
3082064f 30820537 a0030201 02021001 288f785b c34867bd 32c1ed63 f6962730
0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365
72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3130 30343233
30303030 30305a17 0d313130 36323632 33353935 395a3081 88310b30 09060355
04061302 43413114 30120603 55040813 0b4e6f76 61205363 6f746961 31123010
06035504 07130957 6f6c6676 696c6c65 311a3018 06035504 0a131141 63616469
6120556e 69766572 73697479 311c301a 06035504 0b131354 6563686e 6f6c6f67
79205365 72766963 65733115 30130603 55040314 0c2a2e61 63616469 61752e63
6130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100ab73
7e1529b8 30bf80f7 1ed2539e ae074063 714dbdb0 fe3c41d8 fc637bdf 1133892a
18196e31 865a1649 e954f94d 56404eae 522c2e6f 60c1f5fb 6c4290b0 974e9364
7e7ea92b c30ce414 495236e2 bc08a7bc ef5eafc8 9a3b7b05 215f1a49 8ed572e4
a15035ce afaec858 6e41afb5 26255eae 96b9094c d765712e 61ceebd4 eec10203
010001a3 82035830 82035430 1f060355 1d230418 30168014 50ea7389 db29fb10
8f9ee501 20d4de79 994883f7 301d0603 551d0e04 16041423 b5dcbf30 8db6fcf5
daef4793 5187e241 03e74f30 23060355 1d11041c 301a820c 2a2e6163 61646961
752e6361 820a6163 61646961 752e6361 307f0608 2b060105 05070101 04733071
30240608 2b060105 05073001 86186874 74703a2f 2f6f6373 702e6469 67696365
72742e63 6f6d3049 06082b06 01050507 3002863d 68747470 3a2f2f77 77772e64
69676963 6572742e 636f6d2f 43414365 7274732f 44696769 43657274 48696768
41737375 72616e63 6543412d 332e6372 74300e06 03551d0f 0101ff04 04030205
a0300c06 03551d13 0101ff04 02300030 65060355 1d1f045e 305c302c a02aa028
86266874 74703a2f 2f63726c 332e6469 67696365 72742e63 6f6d2f63 61332d32
30313064 2e63726c 302ca02a a0288626 68747470 3a2f2f63 726c342e 64696769
63657274 2e636f6d 2f636133 2d323031 30642e63 726c3082 01c60603 551d2004
8201bd30 8201b930 8201b506 0b608648 0186fd6c 01030001 308201a4 303a0608
2b060105 05070201 162e6874 74703a2f 2f777777 2e646967 69636572 742e636f
6d2f7373 6c2d6370 732d7265 706f7369 746f7279 2e68746d 30820164 06082b06
01050507 02023082 01561e82 01520041 006e0079 00200075 00730065 0020006f
00660020 00740068 00690073 00200043 00650072 00740069 00660069 00630061
00740065 00200063 006f006e 00730074 00690074 00750074 00650073 00200061
00630063 00650070 00740061 006e0063 00650020 006f0066 00200074 00680065
00200044 00690067 00690043 00650072 00740020 00430050 002f0043 00500053
00200061 006e0064 00200074 00680065 00200052 0065006c 00790069 006e0067
00200050 00610072 00740079 00200041 00670072 00650065 006d0065 006e0074
00200077 00680069 00630068 0020006c 0069006d 00690074 0020006c 00690061
00620069 006c0069 00740079 00200061 006e0064 00200061 00720065 00200069
006e0063 006f0072 0070006f 00720061 00740065 00640020 00680065 00720065
0069006e 00200062 00790020 00720065 00660065 00720065 006e0063 0065002e
301d0603 551d2504 16301406 082b0601 05050703 0106082b 06010505 07030230
0d06092a 864886f7 0d010105 05000382 01010040 b27e68df 812bdf87 ca0c9e52
8f381272 a241c0b9 efa83cd5 2876ca29 33348976 801c9c5b 1ac55f65 bdc370d3
81fb1229 fc541368 e296786f 283ef3c9 f9f8b896 3f892cf5 6426cf54 ba8e8ec1
88614044 62c8b5be 4aef7e42 6c2af898 1200c29a 658b16a6 1152c347 5be186e8
55f6fe88 32b6dfe0 7ba19b95 a0b57041 09617002 f0cf6443 aa11c249 789661c6
79206f59 0880b972 a4ac9496 31ecbce1 81aa5d99 24e85498 2b0f079e ee164c81
8f6baf2f e4c4e438 cfc7f5c0 36c49f70 c9ba2eab d5f1c9f1 a2ae1e05 bff91221
568888e5 2806ecd8 28471c3d 303815d0 dc735cd4 5e30d515 ad3d430d 4757fe19
d2847f26 a0f3d835 9d8e89ee 69bc61d3 23ef20
quit
crypto ca certificate chain ASDM_TrustPoint5
certificate 044313873b8366b9d531659000caae4a
308206ae 30820596 a0030201 02021004 4313873b 8366b9d5 31659000 caae4a30
0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365
72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3131 30343237
30303030 30305a17 0d313230 38323931 32303030 305a306a 310b3009 06035504
06130243 41311430 12060355 0408130b 4e6f7661 2053636f 74696131 12301006
03550407 1309576f 6c667669 6c6c6531 1a301806 0355040a 13114163 61646961
20556e69 76657273 69747931 15301306 03550403 140c2a2e 61636164 6961752e
63613082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
010100a1 eadbaaf5 b331dee0 7b89bf3c 1afe06b8 08a6678e a9ef4c57 bc3219ab
2c5a3bb2 3cbf46bd 5fd1045e e3170d9d 3f415845 3b998602 0272ed7a 7885bac8
a0e2d596 81c84e20 db011a63 7b17af85 4c208690 03a7327f 41b2afa2 2e03827e
ee74740b 0aa889a2 8914d54d c723591d edf8c8a7 45831e81 5b79e9e3 7426503a
db97b940 75f9569a a4da8f0a 1f93d3c4 e6ea4508 167996a3 018cdbc2 ad2d2fd5
7ee818aa b7daa435 49ef6709 a7fc3266 c42f5920 6391d3d1 3eec4296 5ece3c13
6243a5e4 b28bdced 561671c3 7f21d8b7 6fa6af07 3b75c62f 2e2beebf be68aed9
2ae536b0 c7801084 c275ea7a d15e421f 638ff30a 511e025d ff1a3287 b08f0ad6
40837902 03010001 a3820352 3082034e 301f0603 551d2304 18301680 1450ea73
89db29fb 108f9ee5 0120d4de 79994883 f7301d06 03551d0e 04160414 ded7425e
31072740 4606c546 9e7a3453 19577f79 30230603 551d1104 1c301a82 0c2a2e61
63616469 61752e63 61820a61 63616469 61752e63 61308201 c4060355 1d200482
01bb3082 01b73082 01b30609 60864801 86fd6c01 01308201 a4303a06 082b0601
05050702 01162e68 7474703a 2f2f7777 772e6469 67696365 72742e63 6f6d2f73
736c2d63 70732d72 65706f73 69746f72 792e6874 6d308201 6406082b 06010505
07020230 8201561e 82015200 41006e00 79002000 75007300 65002000 6f006600
20007400 68006900 73002000 43006500 72007400 69006600 69006300 61007400
65002000 63006f00 6e007300 74006900 74007500 74006500 73002000 61006300
63006500 70007400 61006e00 63006500 20006f00 66002000 74006800 65002000
44006900 67006900 43006500 72007400 20004300 50002f00 43005000 53002000
61006e00 64002000 74006800 65002000 52006500 6c007900 69006e00 67002000
50006100 72007400 79002000 41006700 72006500 65006d00 65006e00 74002000
77006800 69006300 68002000 6c006900 6d006900 74002000 6c006900 61006200
69006c00 69007400 79002000 61006e00 64002000 61007200 65002000 69006e00
63006f00 72007000 6f007200 61007400 65006400 20006800 65007200 65006900
6e002000 62007900 20007200 65006600 65007200 65006e00 63006500 2e307b06
082b0601 05050701 01046f30 6d302406 082b0601 05050730 01861868 7474703a
2f2f6f63 73702e64 69676963 6572742e 636f6d30 4506082b 06010505 07300286
39687474 703a2f2f 63616365 7274732e 64696769 63657274 2e636f6d 2f446967
69436572 74486967 68417373 7572616e 63654341 2d332e63 7274300c 0603551d
130101ff 04023000 30650603 551d1f04 5e305c30 2ca02aa0 28862668 7474703a
2f2f6372 6c332e64 69676963 6572742e 636f6d2f 6361332d 32303131 642e6372
6c302ca0 2aa02886 26687474 703a2f2f 63726c34 2e646967 69636572 742e636f
6d2f6361 332d3230 3131642e 63726c30 1d060355 1d250416 30140608 2b060105
05070301 06082b06 01050507 0302300e 0603551d 0f0101ff 04040302 05a0300d
06092a86 4886f70d 01010505 00038201 01004ab2 a4135e6f c73d5970 6756260f
e693b61a fc1be77d e23a5c4c 7bfe43fb 9b704285 f48eb6b8 5cfa2a2b aa9b3c08
5c4ec3d1 6862b94f 3b201f49 813bd974 8b4fd03f 3480037d 0dfed35b 6a28bd42
35630eda 6a52ba3d 1e869e87 10d93081 5fdb2355 e3b747e9 0b914d0e 10948823
54805613 8168ba0b 9273b4f7 e55a0df4 749589e0 4d3cb1b4 0f03b512 aa8d163c
d50346a1 6839a785 9be81b83 e5f9ef90 1fc60704 8fc5bc43 a2f28197 e5574834
e7395d11 89357230 f8cf15d2 a82fd68e eb3b98e0 1c494b79 6d4cf6fb e406c7b0
b23bf3e2 ae5eedfb 10bcdb84 2fca761f 3c04aeaf 253ec7af 496c00f7 c3a04c8f
ca5c9c70 7ea0c5ca 018ec106 4a3b37ab 5bb7
quit
certificate ca 0851f959814145cabde024e212c9c20e
30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30
0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530
13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077
77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365
72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d
30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b
30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049
6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530
23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520
43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 00bf610a 29101f5e fe343751 08f81efb 22ed61be 0b0d704c 50632675
15b94188 97b6f0a0 15bb0860 e042e805 29108736 8a2865a8 ef310774 6d36972f
28466604 c72a7926 7a99d58e c36d4fa0 5eadbc3d 91c2597b 5e366cc0 53cf0008
323e1064 58101369 c70cee9c 425100f9 0544ee24 ce7a1fed 8c11bd12 a8f315f4
1c7a3169 011ba7e6 5dc09a6c 7e099ee7 52444a10 3a23e49b b603afa8 9cb45b9f
d44bad92 8cceb511 2aaa3718 8db4c2b8 d85c068c f8ff23bd 355ed47c 3e7e830e
91960598 c3b21fe3 c865eba9 7b5da02c ccfc3cd9 6dedccfa 4b438cc9 d4b8a561
1cb240b6 2812dfb9 f85ffed3 b2c9ef3d b41e4b7c 1c4c9936 9e3debec a7685e1d
df676e5e fb020301 0001a382 02f73082 02f3300e 0603551d 0f0101ff 04040302
01863082 01c60603 551d2004 8201bd30 8201b930 8201b506 0b608648 0186fd6c
01030002 308201a4 303a0608 2b060105 05070201 162e6874 74703a2f 2f777777
quit
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 12777
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet 131.162.137.86 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh acadia 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 131.162.200.8 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4
anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 5
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 6
anyconnect image disk0:/anyconnect-linux-2.5.2019-k9.pkg 7
anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 8
anyconnect image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 9
anyconnect enable
internal-password enable
smart-tunnel list AllExternalApplications All-Applications * platform windows
cache
cache-static-content enable
error-recovery disable
group-policy pbx-policy internal
group-policy pbx-policy attributes
dns-server value 131.162.200.67 131.162.200.66
vpn-tunnel-protocol ikev1 l2tp-ipsec
address-pools value PBX-Pool
group-policy DfltGrpPolicy attributes
webvpn
customization value Acadia
smart-tunnel enable AllExternalApplications
group-policy acadia-standard internal
group-policy acadia-standard attributes
dns-server value 131.162.200.67 131.162.200.66
vpn-tunnel-protocol ikev1 l2tp-ipsec
address-pools value Acadia-Pool
webvpn
customization value Acadia
group-policy acadia-library internal
group-policy acadia-library attributes
dns-server value 131.162.200.67 131.162.200.66
vpn-tunnel-protocol ikev1 l2tp-ipsec
address-pools value Acadia-Pool
webvpn
customization value Acadia
group-policy AcadiaSSLPolicy internal
group-policy AcadiaSSLPolicy attributes
dns-server value 131.162.200.67 131.162.200.66
vpn-tunnel-protocol ssl-client ssl-clientless
address-pools value Acadia-Pool
webvpn
url-list value NewList
customization value Ryan
hidden-shares none
activex-relay disable
file-entry enable
file-browsing enable
url-entry enable
group-policy split internal
group-policy split attributes
dns-server value 131.162.200.67 131.162.200.66
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
address-pools value Acadia-Pool
username pbxvpn password * encrypted privilege 15
username pbxvpn attributes
service-type admin
username ASAADMIN password * encrypted privilege 15
username retired password * nt-encrypted
username retired attributes
service-type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group Acadia-AD LOCAL
authorization-server-group LOCAL
default-group-policy AcadiaSSLPolicy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization Ryan
tunnel-group acadia-standard type remote-access
tunnel-group acadia-standard general-attributes
address-pool Acadia-Pool
authentication-server-group Acadia-AD LOCAL
default-group-policy acadia-standard
tunnel-group acadia-standard ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group acadia-library type remote-access
tunnel-group acadia-library general-attributes
address-pool Acadia-Pool
authentication-server-group Acadia-AD LOCAL
default-group-policy acadia-library
tunnel-group acadia-library ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group AcadiaSSL type remote-access
tunnel-group AcadiaSSL general-attributes
address-pool Acadia-Pool
authentication-server-group Acadia-AD LOCAL
default-group-policy AcadiaSSLPolicy
tunnel-group AcadiaSSL webvpn-attributes
customization Acadia
group-alias SSL enable
group-url https://131.162.6.3/SSL enable
tunnel-group pbx-policy type remote-access
tunnel-group pbx-policy general-attributes
address-pool PBX-Pool
authorization-server-group LOCAL
tunnel-group pbx-policy ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ACSBE type remote-access
tunnel-group ACSBE general-attributes
address-pool Acadia-Pool
authentication-server-group Acadia-AD
default-group-policy split
tunnel-group ACSBE ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 142.166.74.148 type ipsec-l2l
tunnel-group 142.166.74.148 general-attributes
default-group-policy pbx-policy
tunnel-group 142.166.74.148 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6d08fbcfbb824dab26658d852c513740
END ASA CONFIG
The DIR-130 has a 192.168.5.0/24 local subnet behind it, and we would like anyone who is behind the DIR-130 to have access to anything on our 131.162.0.0/16 subnet (where the ASA lives) through the secure tunnel. I would like the tunnel to be as secure as is suitable for financial data, but I am not really sure what the requirements are beyond that. Having any kind of IPSec tunnel up between the two boxes would be sufficient, I should think.
I apologize if our ASA config is snarled. It is a matter of "too many cooks" over the years, and there is likely a lot of dead wood in that config. The box is in daily use, so I fear digging in it too much to root out the cruft because, as I said, I don't REALLY know what I'm doing in there.
Thank you for your reply.
07-18-2012 08:44 AM
What has been configured on the router end? Can you please share the config?
Can you also share the output of the following:
show cry isa sa
show cry ipsec sa peer
On the ASA, you would need to configure NAT exemption and pre-shared-key as follows:
object network local-VPN
subnet 131.162.0.0 255.255.0.0
object network remote-VPN
subnet 192.168.5.0 255.255.255.0
nat (inside,outside) source static local-VPN local-VPN destination static remote-VPN remote-VPN
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key
07-18-2012 08:57 AM
The router end (you mean the DIR130, I presume) is very simplistic. I have attached an image of its VPN config.
I have to ask, is it possible that adding those lines of config you provided will interrupt the Remote Access clients or the site to site that is already in place?
Result of the command: "show cry isa sa"
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 142.166.74.148
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 142.177.65.249
Type : user Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
When you say
Result of the command: "show cry ipsec sa peer 24.215.86.154"
There are no ipsec sas for peer 24.215.86.154
07-18-2012 09:08 AM
No, it will not interrupt the existing configuration as it will only affect the vpn tunnel to Dlink.
On your DLink configuration, under Remote IP, shouldn't you configure the IP address (131.162.6.3)?
Please also change the following:
FROM:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
TO:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
07-18-2012 09:13 AM
Good point. That fqdn resolves to 131.162.6.3, but I have made the change on the 130. I also implemented your suggested changes on the ASA. Nothing has come up as of yet.
07-18-2012 09:17 AM
Did you try to access the ASA LAN subnet from your DLINK LAN subnet? Try to ping from a host behind DLINK towards a host on ASA LAN and see if that brings up the tunnel?
Please also share the output of the following after trying to initiate the tunnel:
show cry isa sa
show cry ipsec sa peer
07-18-2012 09:19 AM
Pinging hosts from behind the dlink box gives timeouts.
ciscoasa# show cry isa sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 142.166.74.148
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 142.177.65.249
Type : user Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
ciscoasa# show cry ipsec sa peer 24.215.86.154
There are no ipsec sas for peer 24.215.86.154
07-18-2012 09:23 AM
Does it work if you choose "Main Mode" instead of Aggressive mode on DLINK?
Also, please run debugs on ASA to further troubleshoot the issue:
debug cry ikev1
debug cry ipsec
07-18-2012 09:29 AM
When I switched to main mode, it definitely made more forward motion. Now the tunnel looks like it's up. Traffic still doesn't seem to be flowing as I expect, as I cannot talk to anything on campus from behind the DLINK. Here's what I got now:
ciscoasa# show cry isa sa
IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 142.166.74.148
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 142.177.65.249
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 24.215.86.154
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ciscoasa# show cry ipsec sa peer 24.215.86.154
peer address: 24.215.86.154
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 131.162.6.3
local ident (addr/mask/prot/port): (131.162.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer: 24.215.86.154
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 131.162.6.3/0, remote crypto endpt.: 24.215.86.154/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BB048730
current inbound spi : CC78ABFE
inbound esp sas:
spi: 0xCC78ABFE (3430460414)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 191459328, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3556
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00FFFFFF
outbound esp sas:
spi: 0xBB048730 (3137636144)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 191459328, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3554
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
07-18-2012 09:36 AM
Excellent... traffic is getting as far as the ASA (decrypts counters increasing), however there is no return traffic.
From the host behind DLINK, can you ping 131.162.160.2?
The host that you are trying to ping earlier behind the ASA, does it have route back towards the ASA inside interface?
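The one-way symptom described above (decaps climbing while encaps stays at zero) can be checked mechanically from the ASA output. The following is an added Python example, not code from this thread or from Cisco; it parses a constructed copy of the "show cry ipsec sa peer" block posted above and classifies the SA, assuming the ASA 8.4 text layout shown there.

```python
import re

# Constructed sample modelled on the "show cry ipsec sa peer" output posted
# above (same peer, identities and counters); it was not captured by the editor.
SAMPLE_IPSEC_SA = """\
peer address: 24.215.86.154
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 131.162.6.3
      local ident (addr/mask/prot/port): (131.162.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 24.215.86.154
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
      #send errors: 0, #recv errors: 0
"""

COUNTERS = ("encaps", "encrypt", "decaps", "decrypt", "verify")

def parse_ipsec_sa(text):
    """Extract the peer, the negotiated proxy identities and the per-direction
    packet counters from one ASA 'show crypto ipsec sa peer <ip>' block."""
    sa = {"counters": {}}
    m = re.search(r"peer address:\s*(\S+)", text)
    sa["peer"] = m.group(1) if m else None
    for side in ("local", "remote"):
        m = re.search(r"%s ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/" % side, text)
        sa[side] = "%s/%s" % (m.group(1), m.group(2)) if m else None
    for name in COUNTERS:
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        sa["counters"][name] = int(m.group(1)) if m else 0
    return sa

def diagnose(sa, expected_remote):
    """Classify the SA the way the reply above does: decaps rising with encaps
    at zero means the peer's packets arrive and decrypt but nothing is sent
    back, so the problem is return routing or NAT exemption, not IKE."""
    c = sa["counters"]
    if sa["remote"] != expected_remote:
        return "proxy-id mismatch: ASA negotiated %s, expected %s" % (sa["remote"], expected_remote)
    if c["decaps"] == 0 and c["encaps"] == 0:
        return "idle: no interesting traffic has matched the SA in either direction"
    if c["encaps"] == 0:
        return "one-way: %d packets decrypted from peer, none encrypted back" % c["decaps"]
    if c["decaps"] == 0:
        return "one-way: %d packets sent to peer, none received" % c["encaps"]
    return "bidirectional: %d in / %d out" % (c["decaps"], c["encaps"])

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    print(sa["peer"], sa["local"], "<->", sa["remote"])
    print(diagnose(sa, "192.168.5.0/255.255.255.0"))
```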
07-18-2012 09:44 AM
I cannot ping 131.162.160.2 from behind the DLINK. Times out.
Yes. From the host I was attempting to ping (my desktop, 131.162.137.86) I am able to ping the ASA inside interface, so I assume all routing is proper.
07-18-2012 09:47 AM
Well, not necessarily... ASA inside interface has different IP than host behind DLINK so routing might be different.
If you run traceroute from your desktop to a host behind DLINK, does it work? Or ping from your desktop towards a host behind DLINK.
Also ensure that your desktop firewall is disabled or you have a rule to allow the ICMP as typically inbound ping from different subnet is blocked by desktop firewall if you have one enabled.
07-18-2012 09:48 AM
What is the IP address behind DLINK that you are pinging from?