12-06-2016 07:40 AM
I have a network with two ISPs and two firewalls. The config is as follows:
Firewall 1 (Netgear) providing internet access via Gateway 192.168.2.40
Firewall 2 (ASA 5512) providing Internet access and VPN services via Gateway 192.168.2.45
What I am trying to set up now is a site-to-site VPN with a TP-Link RV600, which will eventually be outside my network. It will serve 192.168.0.0/24. For now, it is configured to access the outside via Firewall 1 (192.168.2.40). This works: it can access the internet and can be accessed via 192.168.0.1.
I managed to set up a tunnel between the RV600 and the ASA. It connects fine; I see it in ASDM under Monitoring -> VPN -> VPN Statistics -> Sessions (filtered by IPsec Site-to-Site). The tunnel is established over the internet; I see the external IP of Firewall 1 there.
If I connect clients to the RV600, they can access the internet and are pingable from everywhere. But the clients aren't using the tunnel: if I check their external IP, it's the one of Firewall 1. They can't ping some machines on the network which are using Firewall 2 as gateway. The ASA says the tunnel is established, and both RX/TX numbers grow.
Here is the sanitized config, A.A.A.A being ISP 1, B.B.B.B being ISP 2 (ASA). Any suggestions?
ASA Version 9.6(2)
!
hostname ciscoasa
domain-name xx-xx.de
enable password <removed> encrypted
names
ip local pool vpn_ips 192.168.2.86-192.168.2.99 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif htp
security-level 0
ip address BB.BB.BBB.BBB 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.45 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa962-smp-k8.bin
boot system disk0:/asa961-3-smp-k8.bin
boot system disk0:/asa952-6-smp-k8.bin
boot system disk0:/asa951-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup htp
dns domain-lookup inside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name xx-xx.de
dns server-group intern_DNS
name-server 192.168.2.1 inside
name-server 192.168.2.2 inside
domain-name xx-xx.de
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network SERVER-I
host 192.168.2.1
object network SERVER-II
host 192.168.2.2
object network SERVER-III
host 192.168.2.3
object network SERVER-IV
host 192.168.2.4
object network SERVER-V
host 192.168.2.5
object network SERVER-VI
host 192.168.2.6
object network SERVER-VII
host 192.168.2.7
object network SERVER-VIII
host 192.168.2.8
object network SERVER-IX
host 192.168.2.9
object network SERVER-X
host 192.168.2.10
object network EMC_IPs
range 192.168.2.60 192.168.2.69
object network SERVER_IPs
range 192.168.2.1 192.168.2.29
object service vnc_backup
service tcp source eq 5920 destination eq 5900
object service vnc_save_i
service tcp source eq 5917 destination eq 5900
object service vnc_save_ii
service tcp source eq 5918 destination eq 5900
object service vnc_save_iii
service tcp source eq 5919 destination eq 5900
object service vnc_server_I
service tcp source eq 5901 destination eq 5900
object service vnc_server_II
service tcp source eq 5902 destination eq 5900
object service vnc_server_iii
service tcp source eq 5903 destination eq 5900
object service vnc_server_iv
service tcp source eq 5904 destination eq 5900
object service vnc_server_ix
service tcp source eq 5909 destination eq 5900
object service vnc_server_v
service tcp source eq 5905 destination eq 5900
object service vnc_server_vi
service tcp source eq 5906 destination eq 5900
object service vnc_server_vii
service tcp source eq 5907 destination eq 5900
object service vnc_server_viii
service tcp source eq 5908 destination eq 5900
object service vnc_server_x
service tcp source eq 5910 destination eq 5900
object network BACKUP
host 192.168.2.20
object network SAVE-I
host 192.168.2.17
object network SAVE-II
host 192.168.2.18
object network SAVE-III
host 192.168.2.19
object network xxx_rdp
host 192.168.2.181
object network xxx_rdp
host 192.168.2.182
object network xxx_rdp
host 192.168.2.183
object service ftp
service tcp source eq ftp destination eq ftp
object service ftp_pasv_server-ix
service tcp source eq 30029 destination eq 30000
object service http_cumulus
service tcp source eq 8080 destination eq 8080
object service http_wiki
service tcp source eq 6666 destination eq www
object service https
service tcp source eq https destination eq https
object service rdp_xxx
service tcp source eq 5082 destination eq 5082
object service rdp_xxx
service tcp source eq 5080 destination eq 5080
object service rdp_xxx
service tcp source eq 5081 destination eq 5081
object service rpc_exchange
service tcp source range 6001 6004 destination range 6001 6004
object service vnc_s3
service tcp source eq 5903 destination eq 5900
object network obj_inside
subnet 192.168.2.0 255.255.255.0
object network outside-network
subnet BB.BB.BB.BB 255.255.255.248
object network WIKI_http
host 192.168.2.27
object network WIKI_http_WOL
host 192.168.2.27
object network wiki_webserver
host 192.168.2.27
object network Exchange_RPC_6001
host 192.168.2.3
object network Exchange_RPC_6002
host 192.168.2.3
object network Exchange_RPC_6003
host 192.168.2.3
object network Exchange_RPC_6004
host 192.168.2.3
object network Exchange_https
host 192.168.2.3
object network xxx_http
host 192.168.2.8
object network FTP
host 192.168.2.27
object network htp_IPS_extern
range xx.xx.x.x xx.xxx.xxx.xxx
object network Jabber_1
host 192.168.2.8
object network Jabber_2
host 192.168.2.8
object network vpn_ips
range 192.168.2.86 192.168.2.99
object network 192.168.0.0
range 192.168.0.0 192.168.0.255
object network NETWORK_OBJ_192.168.2.64_26
subnet 192.168.2.64 255.255.255.192
object network cisco
host 192.168.2.45
object network vpn-ips
range 192.168.2.86 192.168.2.99
object network VPN-PAT
object network test_vpn_ips
range 192.168.2.86 192.168.2.99
object network VPN-PAT-NAT
range 192.168.2.86 192.168.2.99
object network telekom
host
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network 192.168.2.0
range 192.168.2.0 192.168.2.255
object network 192.168.0.155
host 192.168.0.155
description test_brazil
object network 192.168.0.156
host 192.168.0.156
description test_fon
object network 192.168.2.223
host 192.168.2.223
description test_fon_intern
object network pbx
host 192.168.2.201
description PBX
object-group icmp-type DefaultICMP
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network network_server
description Server im IP-Bereich 192.168.2.1 - 192.168.2.29
network-object object SERVER-I
network-object object SERVER-II
network-object object SERVER-III
network-object object SERVER-IV
network-object object SERVER-V
network-object object SERVER-VI
network-object object SERVER-VII
network-object object SERVER-VIII
network-object object SERVER-IX
network-object object SERVER-X
network-object object SERVER_IPs
network-object object BACKUP
network-object object SAVE-I
network-object object SAVE-II
network-object object SAVE-III
object-group network network_EMC
description EMC / vmWare
network-object object EMC_IPs
object-group network rdp_server
description Rechner für Zugang über RDP
network-object object xxxxxx_rdp
network-object object xxxxxx_rdp
network-object object xxxxxx_rdp
object-group service rdp tcp
object-group service vnc tcp
port-object range 5900 5910
object-group network DM_INLINE_NETWORK_1
network-object object Jabber_1
network-object object Jabber_2
object-group service jabber tcp
port-object range 5222 5223
object-group network DM_INLINE_NETWORK_2
network-object object Jabber_1
network-object object Jabber_2
access-list global_access extended permit ip object inside-net any
access-list ACL_INSIDE_TO_OUTSIDE extended permit ip object 192.168.0.0 any
access-list ACL_INSIDE_TO_OUTSIDE extended permit ip object 192.168.0.155 any
access-list ACL_INSIDE_TO_OUTSIDE extended permit ip object 192.168.0.156 any
access-list ACL_INSIDE_TO_OUTSIDE extended permit ip object-group network_server any
access-list ACL_INSIDE_TO_OUTSIDE extended permit object http_wiki interface htp object WIKI_http
access-list htp_access_in extended permit tcp any object WIKI_http_WOL eq www
access-list htp_access_in extended permit tcp any object Exchange_https eq https
access-list htp_access_in extended permit tcp any object xxxxxx_rdp eq 5082
access-list htp_access_in extended permit tcp any object xxxxxx_rdp eq 5080
access-list htp_access_in extended permit tcp any object xxxxxx_rdp eq 5081
access-list htp_access_in extended permit tcp any object Exchange_RPC_6001 eq 6001
access-list htp_access_in extended permit tcp any object Exchange_RPC_6002 eq 6002
access-list htp_access_in extended permit tcp any object Exchange_RPC_6004 eq 6004
access-list htp_access_in extended permit tcp any object Exchange_RPC_6003 eq 6003
access-list htp_access_in extended permit tcp any object FTP eq ftp
access-list htp_access_in extended permit tcp any object WIKI_http eq www
access-list htp_access_in extended permit ip object 192.168.0.0 any
access-list htp_access_in extended permit ip object 192.168.0.0 interface htp
access-list htp_access_in extended permit ip object 192.168.0.155 any
access-list htp_access_in extended permit ip object 192.168.0.156 any
access-list htp_access_in extended permit tcp object htp_IPS_extern object-group DM_INLINE_NETWORK_1 object-group jabber
access-list htp_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group jabber inactive
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-I eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-II eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-III eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-IV eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-V eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-VI eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-VII eq 5900
access-list htp_access_in extended permit tcp any object xxxxxx_http eq 8080
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-VIII eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SERVER-X eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SAVE-I eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SAVE-II eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object SAVE-III eq 5900
access-list htp_access_in extended permit tcp object htp_IPS_extern object BACKUP eq 5900
access-list htp_access_in remark FTP PASV
access-list htp_access_in extended permit tcp any object FTP range 30000 30029
access-list htp_access_in extended permit ip user LOCAL\xxxx object vpn-ips any
access-list htp_access_in extended permit ip user LOCAL\xxxx any any
access-list htp_access_in extended permit ip object vpn-ips interface htp
access-list OUTSIDE-IN-ACL extended permit ip host 10.45.88.186 any inactive
access-list htp_cryptomap extended permit ip object 192.168.2.0 object 192.168.0.0
access-list htp_cryptomap extended permit ip object 192.168.0.0 interface inside
access-list htp_cryptomap extended permit ip object 192.168.0.0 interface htp
access-list htp_cryptomap extended permit ip object 192.168.0.0 object 192.168.2.0
access-list htp_cryptomap extended permit ip object 192.168.0.155 object 192.168.2.0
access-list htp_cryptomap extended permit ip object 192.168.0.155 any4
access-list htp_cryptomap extended permit ip any 192.168.2.0 255.255.255.0
access-list htp_cryptomap extended permit ip any object 192.168.0.0
access-list htp_cryptomap extended permit ip 192.168.2.0 255.255.255.0 any
access-list htp_cryptomap extended permit ip object 192.168.0.0 any
access-list htp_cryptomap extended permit ip 192.168.2.0 255.255.255.0 BB.BB.BB.BB 255.255.255.248
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host xxx.x.x.xxx eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host xxx.x.x.xxx eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list vpn_splittunnel extended permit ip 192.168.2.0 255.255.255.0 any
access-list local_lan_access standard permit host 0.0.0.0
access-list local_lan_access standard permit host 192.168.0.100
access-list local_lan_access standard permit 192.168.2.0 255.255.255.0
access-list vpnfilt-ra extended permit ip host xx.xx.xxx.xxx 192.168.2.0 255.255.255.0
access-list vpnfilt-ra extended permit ip object vpn_ips any
access-list vpnfilt-ra extended permit ip 192.168.2.0 255.255.255.0 BB.BB.BB.BB 255.255.255.248
access-list vpnfilt-ra extended permit tcp object vpn-ips interface htp eq www
access-list vpnfilt-ra extended permit ip interface htp object vpn-ips
access-list vpnfilt-ra extended permit ip object vpn-ips object inside-net
access-list xx_vpn extended permit ip any4 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip 192.168.2.0 255.255.255.0 any
access-list Split_Tunnel_List extended permit ip any 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip 192.168.2.0 255.255.255.0 object outside-network
access-list Split_Tunnel_List extended permit ip object outside-network 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip object vpn-ips any
access-list Split_Tunnel_List extended permit ip any any
access-list htp_tunnel extended permit ip object telekom any
access-list web_acl webtype permit url any log default
pager lines 24
logging enable
logging buffer-size 99999
logging asdm informational
logging from-address asa@xx-xx.de
logging recipient-address xxxxxx@xx-xx.de level critical
logging class vpn asdm debugging
logging class ssl buffered debugging
mtu htp 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (htp,inside) source static any any destination static SERVER-I SERVER-I service vnc_server_I vnc_server_I
nat (htp,inside) source static any any destination static SERVER-II SERVER-II service vnc_server_II vnc_server_II
nat (htp,inside) source static any any destination static SERVER-III SERVER-III service vnc_server_iii vnc_server_iii
nat (htp,inside) source static any any destination static SERVER-IV SERVER-IV service vnc_server_iv vnc_server_iv
nat (htp,inside) source static any any destination static SERVER-V SERVER-V service vnc_server_v vnc_server_v
nat (htp,inside) source static any any destination static SERVER-VI SERVER-VI service vnc_server_vi vnc_server_vi
nat (htp,inside) source static any any destination static SERVER-VII SERVER-VII service vnc_server_vii vnc_server_vii
nat (htp,inside) source static any any destination static SERVER-VIII SERVER-VIII service vnc_server_viii vnc_server_viii
nat (htp,inside) source static any any destination static SERVER-IX SERVER-IX service vnc_server_ix vnc_server_ix
nat (htp,inside) source static any any destination static SERVER-X SERVER-X service vnc_server_x vnc_server_x
nat (htp,htp) source static any any destination static SAVE-I SAVE-I service vnc_save_i vnc_save_i
nat (htp,inside) source static any any destination static SAVE-II SAVE-II service vnc_save_ii vnc_save_ii
nat (htp,inside) source static any any destination static SAVE-III SAVE-III service vnc_save_iii vnc_save_iii
nat (htp,inside) source static any any destination static BACKUP BACKUP service vnc_backup vnc_backup
nat (htp,inside) source static any any destination static xxx_rdp SUPERMAN_rdp service rdp_superman rdp_superman
nat (htp,inside) source static any any destination static xxx_rdp VERTIGO_rdp service rdp_vertigo rdp_vertigo
nat (htp,inside) source static any any destination static xxx_rdp ZOOLANDER_rdp service rdp_zoolander rdp_zoolander
nat (htp,inside) source static any any destination static SERVER-III SERVER-III service rpc_exchange rpc_exchange
nat (htp,inside) source static any any destination static SERVER-III SERVER-III service https https
nat (htp,inside) source static any any destination static SERVER-VIII SERVER-VIII service http_wiki http_wiki
nat (htp,inside) source static any any destination static SERVER-IX SERVER-IX service http_cumulus http_cumulus
nat (htp,inside) source static any any destination static SERVER-IX SERVER-IX service ftp_pasv_server-ix ftp_pasv_server-ix
nat (htp,inside) source static any any destination static FTP FTP service ftp ftp
nat (htp,htp) source static inside-net SERVER-III destination static interface SERVER-III service vnc_server_iii vnc_server_iii
nat (inside,htp) source static any any destination static SERVER-III SERVER-III service vnc_server_iii vnc_server_iii
nat (htp,htp) source dynamic any interface destination static obj_inside SERVER-III service vnc_s3 vnc_s3
nat (htp,inside) source static 192.168.0.155 192.168.0.155 no-proxy-arp
nat (htp,inside) source static 192.168.0.156 192.168.0.156 destination static 192.168.0.156 192.168.2.223 no-proxy-arp
nat (any,htp) source dynamic inside-net interface destination static outside-network outside-network
nat (any,htp) source dynamic outside-network interface destination static inside-net inside-net
nat (inside,htp) source static any any destination static NETWORK_OBJ_192.168.2.64_26 NETWORK_OBJ_192.168.2.64_26 no-proxy-arp route-lookup
nat (inside,htp) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (inside,htp) source static 192.168.0.0 192.168.0.0 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup
nat (inside,htp) source static 192.168.2.0 192.168.2.0 destination static 192.168.0.0 192.168.0.0 no-proxy-arp route-lookup
!
object network inside-net
nat (inside,htp) dynamic interface
object network SERVER-I
nat (any,htp) static interface service tcp 5900 5901
object network SERVER-II
nat (any,htp) static interface service tcp 5900 5902
object network SERVER-III
nat (any,htp) static interface service tcp 5900 5903
object network SERVER-IV
nat (any,htp) static interface service tcp 5900 5904
object network SERVER-V
nat (any,htp) static interface service tcp 5900 5905
object network SERVER-VI
nat (any,htp) static interface service tcp 5900 5906
object network SERVER-VII
nat (any,htp) static interface service tcp 5900 5907
object network SERVER-VIII
nat (any,htp) static interface service tcp 5900 5908
object network SERVER-IX
nat (any,htp) static interface service tcp 5900 5909
object network SERVER-X
nat (any,htp) static interface service tcp 5900 5910
object network BACKUP
nat (any,htp) static interface service tcp 5900 5920
object network SAVE-I
nat (any,htp) static interface service tcp 5900 5917
object network SAVE-II
nat (any,htp) static interface service tcp 5900 5918
object network SAVE-III
nat (any,htp) static interface service tcp 5900 5919
object network xxx_rdp
nat (any,htp) static interface service tcp 5082 5082
object network xxx_rdp
nat (any,htp) static interface service tcp 5080 5080
object network xxx_rdp
nat (any,htp) static interface service tcp 5081 5081
object network obj_inside
nat (inside,htp) dynamic interface
object network WIKI_http
nat (any,htp) static interface service tcp www 6666
object network WIKI_http_WOL
nat (any,htp) static interface service tcp www 7777
object network Exchange_RPC_6001
nat (any,htp) static interface service tcp 6001 6001
object network Exchange_RPC_6002
nat (any,htp) static interface service tcp 6002 6002
object network Exchange_RPC_6003
nat (any,htp) static interface service tcp 6003 6003
object network Exchange_RPC_6004
nat (any,htp) static interface service tcp 6004 6004
object network Exchange_https
nat (any,htp) static interface service tcp https https
object network xxx_http
nat (any,htp) static interface service tcp 8080 8080
object network FTP
nat (any,htp) static interface service tcp ftp ftp
object network Jabber_1
nat (any,htp) static interface service tcp 5222 5222
object network Jabber_2
nat (any,htp) static interface service tcp 5223 5223
object network vpn-ips
nat (htp,htp) dynamic interface
object network VPN-PAT-NAT
nat (inside,htp) dynamic interface
object network 192.168.0.155
nat (any,any) static 192.168.2.0 net-to-net
object network 192.168.0.156
nat (htp,inside) static 192.168.2.223 net-to-net dns
access-group htp_access_in in interface htp
access-group ACL_INSIDE_TO_OUTSIDE in interface inside
access-group global_access global
route htp 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
aaa-server test protocol radius
aaa-server test (htp) host 192.168.2.45
timeout 5
key *****
aaa-server test_authserver protocol radius
aaa-server test_authserver (htp) host 192.168.2.45
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 htp
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set test esp-null esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto map htp_map 1 match address htp_cryptomap
crypto map htp_map 1 set peer AA.AA.AA.AA 192.168.2.81 192.168.2.75
crypto map htp_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map htp_map 1 set ikev2 pre-shared-key *****
crypto map htp_map interface htp
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn none
subject-name CN=ciscoasa.xx-xx.de
crl configure
crypto ca trustpool policy
crypto ca server
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate f369ff57
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable htp
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable htp
crypto ikev1 enable inside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpdn username xxxx password ***** store-local
no vpn-addr-assign dhcp
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd auto_config htp
dhcpd update dns both override
!
dhcpd update dns both interface htp
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 htp
ssl trust-point ASDM_TrustPoint0 inside
webvpn
port 444
enable htp
enable inside
dtls port 444
hostscan image disk0:/hostscan_4.3.03086-k9.pkg
hostscan enable
anyconnect image disk0:/anyconnect-win-4.3.03086-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.3.02039-k9.pkg 2
anyconnect profiles xx_anyconnect_client_profile disk0:/xx_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
tunnel-group-preference group-url
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 81.14.243.9 81.14.244.9
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy excludespecified
address-pools value vpn_ips
webvpn
anyconnect firewall-rule client-interface public value global_access
anyconnect firewall-rule client-interface private value global_access
group-policy GroupPolicy_xx_anyconnect internal
group-policy GroupPolicy_xx_anyconnect attributes
wins-server value 192.168.2.1
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-simultaneous-logins 10
vpn-session-timeout none
vpn-filter value vpnfilt-ra
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-lock value xxs_anyconnect
split-tunnel-policy tunnelall
default-domain value xx-xx.de
split-dns value 192.168.2.1
split-tunnel-all-dns enable
vlan none
webvpn
anyconnect modules value vpngina,posture
anyconnect profiles value xx_anyconnect_client_profile type user
hidden-shares none
file-entry enable
file-browsing enable
group-policy GroupPolicy_AA.AA.AA.AA internal
group-policy GroupPolicy_AA.AA.AA.AA attributes
vpn-filter value htp_cryptomap
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
network-acl vpnfilt-ra
webvpn
appl-acl web_acl
dynamic-access-policy-record check_antivir_os
description "GData Security mindestens v14, OS mindestens Windows 7"
network-acl vpnfilt-ra
username xxx password <removed>
username xxx attributes
vpn-group-policy GroupPolicy_xx_anyconnect
username testuser password <removed>
username xxx password <removed> privilege 15
username xxx attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-lock value xx_anyconnect
username xxxx password <removed> privilege 15
username xxxx password <removed> privilege 15
username xxx password <removed>
username xxx password <removed>
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn_ips
tunnel-group xx_anyconnect type remote-access
tunnel-group xx_anyconnect general-attributes
address-pool vpn_ips
default-group-policy GroupPolicy_xx_anyconnect
tunnel-group xx_anyconnect webvpn-attributes
authentication certificate
group-alias xx_anyconnect enable
tunnel-group AA.AA.AA.AA type ipsec-l2l
tunnel-group AA.AA.AA.AA general-attributes
default-group-policy GroupPolicy_AA.AA.AA.AA
tunnel-group AA.AA.AA.AA ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group-map DefaultCertificateMap 10 DefaultWEBVPNGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.2.3
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum
: end
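The htp_cryptomap ACL in the posted config decides which traffic the ASA treats as tunnel traffic, and because entries are matched top-down, it also fixes the proxy identity the peer must mirror. The following is an added example, not part of the post: a small Python audit that resolves the object names used by that ACL, reports the first entry a given flow matches, and flags entries with an `any` side or entries shadowed by an earlier one. Addresses redacted in the post are replaced by documentation-range placeholders (198.51.100.2 for the htp interface, 198.51.100.0/29 for the BB.BB.BB.BB block); that substitution is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Nets = List[ipaddress.IPv4Network]
ANY: Nets = [ipaddress.IPv4Network("0.0.0.0/0")]

# 'interface <name>' ACL tokens resolve to these addresses; htp is a placeholder (assumption).
INTERFACES = {"inside": "192.168.2.45", "htp": "198.51.100.2"}

# Constructed input: the posted htp_cryptomap entries and their objects; BB.BB.BB.BB/29 -> 198.51.100.0/29.
CONFIG = """\
object network 192.168.2.0
 range 192.168.2.0 192.168.2.255
object network 192.168.0.0
 range 192.168.0.0 192.168.0.255
object network 192.168.0.155
 host 192.168.0.155
access-list htp_cryptomap extended permit ip object 192.168.2.0 object 192.168.0.0
access-list htp_cryptomap extended permit ip object 192.168.0.0 interface inside
access-list htp_cryptomap extended permit ip object 192.168.0.0 interface htp
access-list htp_cryptomap extended permit ip object 192.168.0.0 object 192.168.2.0
access-list htp_cryptomap extended permit ip object 192.168.0.155 object 192.168.2.0
access-list htp_cryptomap extended permit ip object 192.168.0.155 any4
access-list htp_cryptomap extended permit ip any 192.168.2.0 255.255.255.0
access-list htp_cryptomap extended permit ip any object 192.168.0.0
access-list htp_cryptomap extended permit ip 192.168.2.0 255.255.255.0 any
access-list htp_cryptomap extended permit ip object 192.168.0.0 any
access-list htp_cryptomap extended permit ip 192.168.2.0 255.255.255.0 198.51.100.0 255.255.255.248
"""

def parse_objects(text: str) -> Dict[str, Nets]:
    """Collect 'object network' blocks with host / subnet / range bodies."""
    objects: Dict[str, Nets] = {}
    name = None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
            objects[name] = []
        elif name and tok and tok[0] == "host":
            objects[name].append(ipaddress.IPv4Network(tok[1] + "/32"))
        elif name and tok and tok[0] == "subnet":
            objects[name].append(ipaddress.IPv4Network((tok[1], tok[2]), strict=False))
        elif name and tok and tok[0] == "range":
            objects[name].extend(ipaddress.summarize_address_range(*map(ipaddress.IPv4Address, tok[1:3])))
        else:
            name = None  # any other line closes the current object block
    return objects

def take_address(tok: List[str], objects: Dict[str, Nets]) -> Nets:
    """Consume one ACE address specifier from the front of the token list."""
    kind = tok.pop(0)
    if kind in ("any", "any4"):
        return ANY
    if kind == "object":
        return objects[tok.pop(0)]
    if kind == "interface":
        return [ipaddress.IPv4Network(INTERFACES[tok.pop(0)] + "/32")]
    if kind == "host":
        return [ipaddress.IPv4Network(tok.pop(0) + "/32")]
    return [ipaddress.IPv4Network((kind, tok.pop(0)), strict=False)]  # 'A.B.C.D MASK' form

def parse_cryptomap(text: str, acl_name: str) -> List[Tuple[str, Nets, Nets]]:
    """Return the 'permit ip SRC DST' entries of acl_name in configured (first-match) order."""
    objects, aces = parse_objects(text), []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["access-list", acl_name] and tok[3:5] == ["permit", "ip"]:
            rest = tok[5:]
            src, dst = take_address(rest, objects), take_address(rest, objects)  # consumed left to right
            aces.append((line.strip(), src, dst))
    return aces

def first_match(aces: List[Tuple[str, Nets, Nets]], src_ip: str, dst_ip: str) -> Optional[int]:
    """Index of the first entry covering the flow (the proxy identity the peer must mirror), else None."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, (_, src, dst) in enumerate(aces):
        if any(s in n for n in src) and any(d in n for n in dst):
            return i
    return None

def subsumed(inner: Nets, outer: Nets) -> bool:
    """True when every prefix of inner lies within some prefix of outer."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)

def audit(aces: List[Tuple[str, Nets, Nets]]) -> List[Tuple[str, int, Optional[int]]]:
    """('any', i, None): entry i has an 'any' side, so it claims far more than the site-to-site
    traffic and needs an equally broad mirror policy on the peer.
    ('shadowed', i, j): entry i is fully covered by earlier entry j and is never reached."""
    findings = []
    for i, (_, src, dst) in enumerate(aces):
        if src == ANY or dst == ANY:
            findings.append(("any", i, None))
        for j in range(i):
            if subsumed(src, aces[j][1]) and subsumed(dst, aces[j][2]):
                findings.append(("shadowed", i, j))
                break
    return findings

if __name__ == "__main__":
    aces = parse_cryptomap(CONFIG, "htp_cryptomap")
    for kind, i, j in audit(aces):
        print(kind, "entry", i + 1, "" if j is None else f"(by entry {j + 1})", "->", aces[i][0])
```

Running it on the posted ACL shows two entries that can never be hit and five that match with `any` on one side; `first_match` then tells you which entry a remote-LAN-to-internet flow would be claimed by.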