Site to Site VPN - Both Cisco ASA 5505's

nwdls8725 (Level 1)

Hello all, I am trying to set up a site-to-site VPN and am not having any luck getting the connection established. I have configured both firewalls as below but seem to not understand what else I am missing to establish the VPN. I tried originally doing the EasyVPN to no avail, so I figured I should be doing site-to-site VPN anyway and want to go this route. Thank you very much in advance for your help.

Client Firewall:

ciscoasa(config)# sh run
: Saved
:
ASA Version 9.0(1)
!
hostname ciscoasa
enable password xZplLFirrUSkXN1l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.128.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 96.91.46.9 255.255.255.248
ospf cost 10
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 75.75.75.75
object network inside_subnet
subnet 192.168.128.0 255.255.255.0
object network nwdls
host 96.85.6.217
object network nwdls-subnet
subnet 192.168.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.128.0_24
subnet 192.168.128.0 255.255.255.0
object-group icmp-type ALLOW-ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object traceroute
access-list INBOUND extended permit icmp any any object-group ALLOW-ICMP
access-list inside_access_in extended permit ip 192.168.128.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.128.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 192.168.128.0 255.255.255.0 object nwdls-subnet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.128.0_24 NETWORK_OBJ_192.168.128.0_24 destination static nwdls-subnet nwdls-subnet no-proxy-arp route-lookup
!
object network inside_subnet
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 96.91.46.14 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 96.85.6.217
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 75.75.75.75
dhcpd lease 86400
dhcpd auto_config outside
!
dhcpd address 192.168.128.100-192.168.128.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_96.85.6.217 internal
group-policy GroupPolicy_96.85.6.217 attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password sM/cvVSkWC3aa0kQ encrypted
tunnel-group 96.85.6.217 type ipsec-l2l
tunnel-group 96.85.6.217 general-attributes
default-group-policy GroupPolicy_96.85.6.217
tunnel-group 96.85.6.217 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2e5d298d79206fe8bc087bfb3d4f3721
: end

Main Firewall:

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
domain-name nwdls.com
enable password qpQ5myeZ6SQpH8vX encrypted
passwd HUeZALO3Fgqs0XMf encrypted
names
name 192.168.120.30 dvr
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 96.85.6.217 255.255.255.248
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.121.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.120.25
name-server 75.75.75.75
name-server 75.75.75.76
domain-name nwdls.com
object network obj-192.168.120.248
subnet 192.168.120.248 255.255.255.248
object network obj-192.168.120.245
host 192.168.120.245
object network obj-192.168.120.0
subnet 192.168.120.0 255.255.255.128
object network obj-192.168.120.233
host 192.168.120.233
object network obj-192.168.120.233-01
host 192.168.120.233
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.121.2
host 192.168.121.2
object network obj-192.168.121.2-01
host 192.168.121.2
object network obj-192.168.121.2-02
host 192.168.121.2
object network NETWORK_OBJ_192.168.120.248_29
subnet 192.168.120.248 255.255.255.248
object network nwdls-dc
host 192.168.120.25
description Windows Server 2008 RC2
object network DVR
host 192.168.120.30
object service IPCAMS
service tcp source eq 5550 destination eq 5550
object network newfirewall
host 192.168.120.108
object service ssh
service tcp source eq ssh destination eq ssh
description ssh
object network john
host 71.11.173.163
object network SVN-HTTP-INTERNET
host 192.168.120.25
description access to svn on nwdls-dc
object network JOSHUA9-PORT
host 192.168.120.209
object network JOSHUA2-PORT
host 192.168.120.202
object network DVR-PORT
object network DVR-PORT2
object network obj-pool
subnet 192.168.120.240 255.255.255.240
object network NVR
host 192.168.120.30
description NVR
object network NVR1
host 192.168.120.30
object network NVR2
host 192.168.120.30
object network NVR3
host 192.168.120.30
object network NVR4
host 192.168.120.30
object network NVR5
host 192.168.120.30
object network NVR6
host 192.168.120.30
description NVR6
object service Field
service tcp destination eq www
object service Field2
service tcp destination eq https
object network WebserverPublic
host 207.70.142.9
object network Webserver
host 207.70.142.9
object network WEb
host 192.168.120.25
object network NETWORK_OBJ_192.168.120.0_24
subnet 192.168.120.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.240_28
subnet 192.168.120.240 255.255.255.240
object network Remote-Site-Firewall
host 96.91.46.9
object network Remote-Site-Subnet
subnet 192.168.128.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service dvr-http tcp
port-object eq 10554
port-object eq 8000
object-group service dvr-remote tcp
port-object eq 5550
object-group service IPCAM tcp-udp
port-object eq 5550
object-group service svn-http tcp
description SVN Server access
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
group-object svn-http
object-group service DM_INLINE_TCP_3 tcp
group-object svn-http
port-object eq www
port-object eq https
object-group service NVRPORTS tcp
description NVRPORTS
port-object eq 10554
port-object eq 8000
port-object eq rtsp
object-group service field tcp
port-object eq 10443
port-object eq 8180
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8080
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 8080
port-object eq 9150
access-list nwdls_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list wendy_acl standard permit 192.168.120.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.120.30
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq rtsp
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp-data
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq www
access-list outside_access_in extended permit udp any host 192.168.120.233 range 10001 19999
access-list outside_access_in remark Whitney
access-list outside_access_in extended permit udp host 99.16.64.231 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.225.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 4.79.212.236 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.203 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit 21 any host 192.168.121.2
access-list outside_access_in extended permit icmp any host 207.70.142.9
access-list outside_access_in extended permit icmp any host 207.70.142.10 inactive
access-list outside_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.120.30 object-group IPCAM
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host 192.168.120.25 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside eq 9150
access-list outside_access_in remark node access
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9150
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9418
access-list outside_access_in extended permit tcp any interface outside object-group dvr-http
access-list outside_access_in extended permit tcp any object DVR object-group dvr-http
access-list outside_access_in extended permit tcp any object-group NVRPORTS any object-group NVRPORTS
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10080
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq https
access-list outside_access_in extended permit tcp any host 192.168.120.25 eq https
access-list outside_access_in extended permit icmp any host 96.85.6.217
access-list inside_access_in extended permit ip 192.168.120.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.120.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list dmz_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_3
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Comcast-Outside_access_in extended permit ip any any
access-list EasyVPN_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 object Remote-Site-Subnet
pager lines 45
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap debugging
logging asdm debugging
logging mail critical
logging from-address ciscoasa@nwdls.com
logging host inside 192.168.120.203
logging class auth trap debugging asdm debugging
logging class session trap errors
logging class vpn trap debugging asdm debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
logging class webvpn trap debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool2 192.168.120.249-192.168.120.254 mask 255.255.255.0
ip local pool vpnpool3 192.168.120.241-192.168.120.248 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 access-list dmz_access_ipv6_in deny ip any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-pool obj-pool no-proxy-arp route-lookup
nat (inside,any) source static any any destination static obj-192.168.120.248 obj-192.168.120.248 no-proxy-arp
nat (inside,any) source static any any destination static obj-192.168.120.245 obj-192.168.120.245 no-proxy-arp
nat (outside,inside) source static any any destination static interface DVR service IPCAMS IPCAMS
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static NETWORK_OBJ_192.168.120.240_28 NETWORK_OBJ_192.168.120.240_28 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.120.0_24 NETWORK_OBJ_192.168.120.0_24 destination static Remote-Site-Subnet Remote-Site-Subnet no-proxy-arp route-lookup
!
object network obj-192.168.120.0
nat (inside,dmz) static 192.168.120.0
object network obj-192.168.120.233
nat (inside,outside) static 96.85.6.218
object network obj-192.168.120.233-01
nat (inside,outside) dynamic 96.85.6.218
object network obj-192.168.121.2
nat (dmz,outside) static interface service tcp www www
object network obj-192.168.121.2-01
nat (dmz,outside) static interface service tcp ssh ssh
object network obj-192.168.121.2-02
nat (dmz,outside) dynamic interface
object network nwdls-dc
nat (inside,outside) static interface service tcp https https
object network JOSHUA9-PORT
nat (inside,outside) static interface service tcp 9150 9150
object network JOSHUA2-PORT
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network NVR
nat (inside,outside) static interface service tcp 8000 8000
object network NVR1
nat (inside,outside) static interface service tcp 10554 10554
object network NVR2
nat (inside,outside) static interface service tcp rtsp rtsp
object network NVR3
nat (inside,outside) static interface service udp 8000 8000
object network NVR4
nat (inside,outside) static interface service udp 10554 10554
object network NVR5
nat (inside,outside) static interface service udp 554 554
object network NVR6
nat (inside,outside) static interface service tcp 10080 10080
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
route outside 0.0.0.0 0.0.0.0 96.85.6.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 96.91.46.9
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 8080
crypto ikev2 enable outside client-services port 8080
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.120.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

dhcpd dns 192.168.120.25 208.67.222.222
dhcpd wins 192.168.120.25
dhcpd lease 86400
dhcpd domain nwdls.com
dhcpd auto_config inside
dhcpd update dns
dhcpd option 3 ip 192.168.120.1
dhcpd option 66 ip 192.168.120.233
!
dhcpd address 192.168.120.50-192.168.120.119 inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 66.187.233.4 source outside prefer
webvpn
port 8080
enable outside
dtls port 8080
anyconnect image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect profiles nwdls1 disk0:/nwdls1.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.120.25
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nwdls_splitTunnelAcl
group-policy EasyVPN internal
group-policy EasyVPN attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25 75.75.75.75
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value nwdls.com
group-policy GroupPolicy_96.91.46.9 internal
group-policy GroupPolicy_96.91.46.9 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_Nwdlsx64 internal
group-policy GroupPolicy_Nwdlsx64 attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
default-domain value nwdls.com
webvpn
anyconnect profiles value nwdls1 type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy nwdlsgroup internal
group-policy nwdlsgroup attributes
wins-server none
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value nwdls.com
webvpn
url-list none
anyconnect ask enable default webvpn
group-policy nwdls internal
group-policy nwdls attributes
wins-server value 192.168.120.25
dns-server value 192.168.120.25
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage enable
ipsec-udp enable
default-domain value nwdls.com
username deena password 1jZizDREl2QRiv7H encrypted
username deena attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username eddiegarza password 7I1Ngja9D0T8aafo encrypted privilege 0
username eddiegarza attributes
vpn-group-policy nwdls
username Test password tEw.zBkWtr5cfsmI encrypted privilege 15
username derek password 3TzysbBXovQgzpHA encrypted
username derek attributes
vpn-group-policy nwdls
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username paul password xxwjxNzmravjcBbw encrypted
username jhallers password 0Ap4K1/ds.lPlpw. encrypted
username jhallers attributes
vpn-group-policy nwdls
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username wendy password jTFL2Tedjp4I/tQ3 encrypted
username wendy attributes
vpn-group-policy nwdls
username wendyr password TEZoQGfEFTIJNZ8S encrypted
username wendyr attributes
vpn-group-policy nwdls
username monica password Vl3AxqOzs1FaYFP1 encrypted
username monica attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username jill password IsB48p5obkwE/dw9 encrypted
username minh password tt1tzIpDuUh1ziFY encrypted
username minh attributes
vpn-group-policy nwdls
username admin password sM/cvVSkWC3aa0kQ encrypted privilege 15
username john password .Ay30EFU56VufM4C encrypted
username john attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username john2 password .Ay30EFU56VufM4C encrypted
username john2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage disable
username remotesite1 password 0quAjW6jr7HJmZTS encrypted privilege 0
username remotesite1 attributes
vpn-group-policy EasyVPN
username elyse password Uc/iSeHeTm.tdj.H encrypted
username elyse attributes
vpn-group-policy nwdls
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
username simply password Lf/AtECdBHaWjnY6 encrypted
username simply attributes
vpn-group-policy GroupPolicy_Nwdlsx64
memberof nwdls
username cisco password 3USUcOPFUiMCO4Jk encrypted
username simply2 password M7ISu.T1R2QrDasU encrypted
username simply2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
username chris password Rqfr3P71lABQaf28 encrypted
username chris attributes
vpn-group-policy nwdls
username james password QV2NsO8iYdz2iTxv encrypted
username matt password Mv7Iy4C7Z4wN9kXv encrypted
username matt attributes
vpn-group-policy nwdls
username root password Lm6zFIw1OvIlLNqp encrypted
username tiffany password awGF9ikvMqK72jXC encrypted
username willie password i9HtXKw/5SwL8PXt encrypted
username whitney password bWAWSJFGmo8Y59O4 encrypted
username whitney attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
username jeff password h/hFCXLkA1cAYXDV encrypted
username jeff attributes
vpn-group-policy nwdls
memberof nwdls
username whitney2 password bWAWSJFGmo8Y59O4 encrypted
username whitney2 attributes
vpn-group-policy GroupPolicy_Nwdlsx64
vpn-simultaneous-logins 100
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
tunnel-group nwdlsvpn type remote-access
tunnel-group nwdlsvpn general-attributes
address-pool vpnpool2
default-group-policy nwdlsgroup
tunnel-group nwdls type remote-access
tunnel-group nwdls general-attributes
address-pool vpnpool3
default-group-policy nwdls
tunnel-group nwdls ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group nwdls ppp-attributes
authentication ms-chap-v2
tunnel-group Nwdlsx64 type remote-access
tunnel-group Nwdlsx64 general-attributes
address-pool vpnpool3
default-group-policy GroupPolicy_Nwdlsx64
tunnel-group Nwdlsx64 webvpn-attributes
group-alias Nwdlsx64 enable
tunnel-group nvpn type remote-access
tunnel-group nvpn general-attributes
authentication-server-group (outside) LOCAL
authorization-server-group (outside) LOCAL
tunnel-group nvpn ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group nvpn ppp-attributes
authentication ms-chap-v2
tunnel-group EasyVPN type remote-access
tunnel-group EasyVPN general-attributes
address-pool vpnpool3
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 96.91.46.9 type ipsec-l2l
tunnel-group 96.91.46.9 general-attributes
default-group-policy GroupPolicy_96.91.46.9
tunnel-group 96.91.46.9 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:6aeee5c54eff2dc5a9df46045c6c679e
: end

3 Replies

Michael Muenz
Level 5

Can you post a debug from both sides?

Michael Please rate all helpful posts

Remote firewall:

ciscoasa# show ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 96.91.46.9

access-list outside_cryptomap extended permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
current_peer: 96.85.6.217

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 96.91.46.9/500, remote crypto endpt.: 96.85.6.217/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 4DE0A792
current inbound spi : 522E8F94

inbound esp sas:
spi: 0x522E8F94 (1378783124)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 241664, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916800/28637)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x4DE0A792 (1306568594)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 241664, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055040/28637)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Main firewall:

Result of the command: "show ipsec sa"

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 96.85.6.217

access-list outside_cryptomap extended permit ip 192.168.120.0 255.255.255.0 192.168.128.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.128.0/255.255.255.0/0/0)
current_peer: 96.91.46.9

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 96.85.6.217/500, remote crypto endpt.: 96.91.46.9/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 522E8F94
current inbound spi : 4DE0A792

inbound esp sas:
spi: 0x4DE0A792 (1306568594)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 360448, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916800/28594)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x522E8F94 (1378783124)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 360448, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3962880/28594)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
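The two outputs above are most useful read side by side. The following parser and cross-checks are an added example, not code from the thread: it pulls the proxy identities, packet counters and SPIs out of each `show ipsec sa` entry, confirms the two peers describe the same SA pair, and reports what the counters imply. The sample text is the two excerpts above trimmed to the lines the parser reads.

```python
import re

# Constructed samples: the remote (96.91.46.9) and main (96.85.6.217) outputs above, trimmed.
REMOTE_SA = """local ident (addr/mask/prot/port): (192.168.128.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 4DE0A792
current inbound spi : 522E8F94"""
MAIN_SA = """local ident (addr/mask/prot/port): (192.168.120.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.128.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 522E8F94
current inbound spi : 4DE0A792"""

FIELDS = {  # field name -> regex with one capture group, matched against the raw ASA output
    "local_ident": r"local ident \(addr/mask/prot/port\): \((\S+?/\S+?)/",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \((\S+?/\S+?)/",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "out_spi": r"current outbound spi: (\S+)",
    "in_spi": r"current inbound spi\s*: (\S+)",
}

def parse_sa(text):
    """Extract the triage-relevant fields from one 'show ipsec sa' entry; packet counters become ints."""
    sa = {name: (m.group(1) if (m := re.search(pat, text)) else None) for name, pat in FIELDS.items()}
    sa["encaps"], sa["decaps"] = int(sa["encaps"] or 0), int(sa["decaps"] or 0)
    return sa

def triage(a, b):
    """Cross-check both ends of the tunnel and explain what the counters say; returns finding tags."""
    findings = []
    # Each side's inbound SPI must be the other side's outbound SPI: same SA pair, so phase 2 is up.
    same_pair = a["in_spi"] == b["out_spi"] and b["in_spi"] == a["out_spi"]
    findings.append("spi-match" if same_pair else "spi-mismatch")
    # Proxy identities (the networks in the crypto ACLs) must mirror each other.
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy-id-mismatch")
    for label, sa in (("A", a), ("B", b)):
        if sa["encaps"] == 0 and sa["decaps"] == 0:
            # SA negotiated but never used: interesting traffic is not reaching the crypto map
            # (typical causes: missing NAT exemption, routing, crypto ACL not matching the test traffic).
            findings.append(f"{label}:no-traffic")
        elif sa["encaps"] > 0 and sa["decaps"] == 0:
            findings.append(f"{label}:no-return-traffic")  # sends but never receives
    return findings
```

For the two outputs posted here the result is `['spi-match', 'A:no-traffic', 'B:no-traffic']`: the SA pair is negotiated and consistent on both ends, but nothing has been encrypted or decrypted on either side.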

debug crypto ipsec
debug crypto ikev1
ter mon

Michael Please rate all helpful posts