Site to Site VPN on ASA

dmking43
Level 1

Hello, I am having trouble getting a tunnel up and running from an ASA to a WatchGuard. I need to get this back online as soon as possible for our corporate office. It was working, but we had an outage and in my troubleshooting efforts I believe I may have changed something. I can't figure it out. I see the tunnel connect, I see the SAs, but it seems to be dropping all the traffic.

 

LAFFW01# sh cry isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 2.1.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

All the crypto maps look OK. I did a detailed packet trace; see the final results below. Can anyone assist me? I can upload the config; any help would be greatly appreciated. I no longer have SmartNet on this ASA.

 

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Please let me know. Thanks for your help.

Accepted Solution

balaji.bandi
Hall of Fame

There is a good guide for reference:

 

http://veducate.co.uk/creating-vpn-tunnel-between-cisco-asa-and-watchguard-xtm/

 

If you have already gone through the link, I would like to see your ASA-side configuration and information from both sides to verify.

Also, what ASA firmware version are you running?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


5 Replies


You only show the IKE SA and the final result of packet-tracer. That only leaves room for guessing what can be wrong...

 

Do you also have IPsec SAs? You can see them with "show vpn-sessiondb detail l2l filter ipaddress IP-OF-PEER".

If they are there (also let the other side initiate some traffic), look at the counters. Do you see packets received and/or transmitted?

Based on the packet-tracer result it could be the inside ACL that is dropping your traffic. The detailed view of packet-tracer will tell you that.

Hello, thanks for the reply. Sorry, here is the config. I am looking over your suggestions; please let me know your thoughts.



ASA Version 8.2(1)
!
hostname LAFFW01
enable password V6LxNa0VkxFU5NPD encrypted
passwd V6LxNa0VkxFU5NPD encrypted
names
name 200.11.10.0 Houston_Legacy
name 10.1.0.0 Houston_Network
name 200.10.10.0 Lafayette_Legacy
name 10.0.0.0 Lafayette_Network
name 200.12.10.0 NewOrleans_Legacy
name 10.2.0.0 NewOrleans_Network
name 10.0.10.95 intranet
name 10.0.10.10 prdc01
name 76.72.95.72 legacy.preisroy.com
name 76.72.95.73 intranet.preisroy.com
name 76.72.95.68 notify.preisroy.com
name 10.0.10.109 PRADMIN01
name 76.72.95.78 autosig.preisplc.com
name 10.0.10.11 prdc04
name 10.0.10.0 Lafayette_Servers
name 192.168.210.0 Uptime_Servers
name 192.168.219.0 Lafayette_ShoreTel
name 192.168.222.0 Uptime_Intranet
name 10.0.100.141 IOLAN-LAF
name 192.168.211.0 Lafayette_Workstations
name 192.168.212.0 Lafayette_Printers
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.31.170.195 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.3 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
nameif TW
security-level 0
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Houston
network-object Houston_Network 255.255.0.0
network-object Houston_Legacy 255.255.255.0
object-group network Lafayette
network-object Lafayette_Network 255.255.0.0
network-object Lafayette_Legacy 255.255.255.0
object-group network NewOrleans
network-object NewOrleans_Network 255.255.0.0
network-object NewOrleans_Legacy 255.255.255.0
object-group service Web_Services tcp
port-object eq www
port-object eq https
object-group network Lafayette_Vlans
network-object Lafayette_Servers 255.255.255.0
network-object Lafayette_Legacy 255.255.255.0
object-group network Uptime_Vlans
network-object Uptime_Servers 255.255.255.0
network-object Lafayette_Workstations 255.255.255.0
network-object Lafayette_Printers 255.255.255.0
network-object Lafayette_ShoreTel 255.255.255.0
network-object Uptime_Intranet 255.255.255.0
object-group network Uptime_Server_IPs
network-object host 10.99.10.27
network-object host 10.99.10.28
network-object host 10.99.10.29
network-object host 10.99.11.29
network-object host 10.99.11.30
network-object host 10.99.11.28
network-object host 10.99.10.30
network-object host 10.99.11.27
network-object host 10.99.11.56
network-object host 10.99.11.35
object-group network Lafayette_Workstations
network-object Lafayette_Workstations 255.255.255.0
object-group network Lafayette_Servers
network-object Lafayette_Servers 255.255.255.0
object-group network Uptime_Servers
network-object Uptime_Servers 255.255.255.0
object-group network Lafayette_Printers
network-object Lafayette_Printers 255.255.255.0
object-group network Lafayette_ShoreTel
network-object Lafayette_ShoreTel 255.255.255.0
object-group network Uptime_Intranet
network-object Uptime_Intranet 255.255.255.0
object-group network Lafayette_Legacy
network-object Lafayette_Legacy 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.72.95.77 eq telnet
access-list inside_nat0_outbound extended permit ip object-group Lafayette object-group Houston
access-list inside_nat0_outbound extended permit ip object-group Lafayette object-group NewOrleans
access-list inside_nat0_outbound extended permit ip Lafayette_Network 255.255.0.0 172.23.16.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip Houston_Network 255.255.0.0 172.23.16.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip NewOrleans_Network 255.255.0.0 172.23.16.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.20.16.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip object-group Lafayette_ShoreTel object-group Uptime_Server_IPs
access-list inside_nat0_outbound extended permit ip object-group Lafayette_Workstations object-group Uptime_Server_IPs
access-list inside_nat0_outbound extended permit ip object-group Lafayette_Printers object-group Uptime_Server_IPs
access-list outside_in extended permit tcp any host 76.72.32.88 eq 8006
access-list outside_in extended permit tcp any any eq h323
access-list Redistribution extended deny ip host 10.0.10.44 any
access-list 10 standard deny host 10.1.10.30
access-list 10 standard deny host 10.2.10.30
access-list 10 standard permit any
access-list FILTER-EIGRP-ROUTES standard permit Lafayette_Network 255.255.0.0
access-list FILTER-EIGRP-ROUTES standard permit 200.10.0.0 255.255.0.0
access-list tw_in extended permit tcp any any eq ssh
access-list tw_in extended permit tcp any host 173.226.159.66 eq https
access-list tw_in extended permit tcp any host 173.226.159.66 eq www
access-list Outside-CP extended deny ospf any any
access-list Outside-CP extended permit ip any any
access-list outside_3_cryptomap extended permit ip object-group Uptime_Vlans object-group Uptime_Server_IPs
access-list UPTNAT_1 extended permit ip Lafayette_Servers 255.255.255.0 object-group Uptime_Server_IPs
access-list UPTNAT_4 extended permit ip Lafayette_Legacy 255.255.255.0 object-group Uptime_Server_IPs
pager lines 24
logging enable
logging buffered informational
logging trap debugging
logging asdm informational
logging host inside 10.0.10.104
logging class vpn trap debugging
mtu outside 1500
mtu inside 1500
mtu TW 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (TW) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) intranet.preisroy.com intranet netmask 255.255.255.255 dns
static (inside,outside) Uptime_Servers access-list UPTNAT_1
static (inside,outside) Uptime_Intranet access-list UPTNAT_4
access-group Outside-CP in interface outside control-plane
access-group outside_access_in in interface outside
access-group tw_in in interface TW
!
route-map Redistribution permit 10
match ip address 10
!
!
router ospf 1
router-id 10.0.1.2
network Lafayette_Network 255.255.0.0 area 0
distance ospf external 175
log-adj-changes
redistribute static route-map Redistribution
!
route outside 0.0.0.0 0.0.0.0 4.1.1.1 1
route outside Uptime_Servers 255.255.255.0 2.1.2.2 1
route outside Uptime_Intranet 255.255.255.0 2.1.2.2 1
route inside 200.10.0.0 255.255.0.0 10.0.1.254 200
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
snmp-server host inside 10.0.10.105 community prlaw51
snmp-server host inside prdc01 community rocADVmon42 udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map interface TW
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable TW
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp am-disable
!
track 1 rtr 1 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh Lafayette_Network 255.0.0.0 inside
ssh 200.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh Lafayette_Workstations 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 TW
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.0.1.1 source inside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 null-sha1 rc4-md5 rc4-sha1
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password aT7yU7puyOEC3bQS encrypted privilege 15
username uptl password puR0JqBGoW4oFrz3 encrypted privilege 15
username dmking43 password HMpw8W0O7vHMDkGN encrypted privilege 15
username mstadmin password DwXQiqKNRYktF6Bz encrypted privilege 15
tunnel-group SSLVPN type remote-access
tunnel-group 216.17.28.242 type ipsec-l2l
tunnel-group 216.17.28.242 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns
inspect icmp
inspect h323 h225
inspect h323 ras
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b3ad0e5780c9dc78e8ab365136300b38
: end


Here is the full packet trace:

LAFFW01# sh history
en
sh run
sh history
LAFFW01# packet-tracer input inside icmp 192.168.212.254 8 0 10.99.10.27 detai$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7a1c798, priority=0, domain=permit-ip-option, deny=true
hits=31366, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8444ea0, priority=70, domain=inspect-icmp, deny=false
hits=4, user_data=0xd8444800, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7a1be38, priority=66, domain=inspect-icmp-error, deny=false
hits=5, user_data=0xd7a1bd30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd80e6520, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=396, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside Lafayette_Printers 255.255.255.0 outside host 10.99.10.27
NAT exempt
translate_hits = 11, untranslate_hits = 4727
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7a96fb0, priority=6, domain=nat-exempt, deny=false
hits=10, user_data=0xd7a96ef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=Lafayette_Printers, mask=255.255.255.0, port=0
dst ip=10.99.10.27, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (4.31.170.195 [Interface PAT])
translate_hits = 40, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7ab6a90, priority=1, domain=nat, deny=false
hits=389, user_data=0xd7ab69d0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (4.31.170.195 [Interface PAT])
translate_hits = 40, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7ab6de8, priority=1, domain=host, deny=false
hits=62646, user_data=0xd7ab69d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd80c0be0, priority=70, domain=encrypt, deny=false
hits=9954, user_data=0x0, cs_id=0xd80badb0, reverse, flags=0x0, protocol=0
src ip=Lafayette_Printers, mask=255.255.255.0, port=0
dst ip=10.99.10.27, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
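The reply above asks for the detailed packet-tracer output and the configuration, and the drop lands in phase 10 (VPN encrypt). The script below is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases to locate the dropping phase and its rule, resolves the posted `name`/`object-group` entries to check whether the traced flow falls inside the crypto ACL `outside_3_cryptomap`, and checks a static crypto map entry for the three lines it needs (`match address`, `set peer`, `set transform-set`). The trace excerpt is constructed from the output posted above; the object-group data and crypto map entry 3 are copied from the posted config, and run as posted the completeness check reports that entry 3 carries no `set peer` line.

```python
"""Added example: locate the drop in ASA packet-tracer output and cross-check it against the config."""
import ipaddress
import re

# Constructed excerpt of the packet-tracer output posted above (phase 9, phase 10 and the Result block).
TRACE = """\
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Additional Information:
in id=0xd7ab6de8, priority=1, domain=host, deny=false

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd80c0be0, priority=70, domain=encrypt, deny=false
src ip=Lafayette_Printers, mask=255.255.255.0, port=0
dst ip=10.99.10.27, mask=255.255.255.255, port=0, dscp=0x0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """One dict per 'Phase:' block: header fields plus the matched rule's domain and deny flag."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the trailing "Result:" summary is not a phase
        phase = {}
        for line in lines:
            hdr = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)", line)
            if hdr:
                phase[hdr.group(1).lower()] = hdr.group(2).strip()
            rule = re.search(r"domain=([\w-]+), deny=(true|false)", line)
            if rule:
                phase["domain"], phase["deny"] = rule.group(1), rule.group(2) == "true"
        phases.append(phase)
    return phases


def first_drop(text):
    """Return (phase dict, drop-reason code) for the first DROP phase, or None if nothing dropped."""
    dropped = next((p for p in parse_phases(text) if p.get("result") == "DROP"), None)
    reason = re.search(r"Drop-reason:\s*\((.*?)\)", text)
    return (dropped, reason.group(1)) if dropped and reason else None


# 'name' and object-group entries copied from the posted config (only those the crypto ACL uses).
NAMES = {"Uptime_Servers": "192.168.210.0", "Lafayette_Workstations": "192.168.211.0",
         "Lafayette_Printers": "192.168.212.0", "Lafayette_ShoreTel": "192.168.219.0",
         "Uptime_Intranet": "192.168.222.0"}
GROUPS = {
    "Uptime_Vlans": [(n, "255.255.255.0") for n in NAMES],
    "Uptime_Server_IPs": [("host", h) for h in ("10.99.10.27", "10.99.10.28", "10.99.10.29",
                                                 "10.99.10.30", "10.99.11.27", "10.99.11.28",
                                                 "10.99.11.29", "10.99.11.30", "10.99.11.35",
                                                 "10.99.11.56")],
}
# access-list outside_3_cryptomap extended permit ip object-group Uptime_Vlans object-group Uptime_Server_IPs
CRYPTO_ACL = [("Uptime_Vlans", "Uptime_Server_IPs")]


def expand(group):
    """Resolve an object-group into ip_network objects, substituting 'name' aliases."""
    return [ipaddress.ip_network(b if a == "host" else f"{NAMES.get(a, a)}/{b}")
            for a, b in GROUPS[group]]


def acl_permits(acl, src, dst):
    """True if any (object-group based) ACE of the ACL covers src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(any(src in n for n in expand(s)) and any(dst in n for n in expand(d))
               for s, d in acl)


def crypto_map_missing(config_lines, name, seq):
    """List which of match address / set peer / set transform-set a static crypto map entry lacks."""
    prefix = f"crypto map {name} {seq} "
    body = [line[len(prefix):] for line in config_lines if line.startswith(prefix)]
    required = ("match address", "set peer", "set transform-set")
    return [r for r in required if not any(b.startswith(r) for b in body)]


# Crypto map entry 3 exactly as it appears in the posted running config.
POSTED_MAP_3 = [
    "crypto map outside_map 3 match address outside_3_cryptomap",
    "crypto map outside_map 3 set transform-set ESP-AES-256-SHA",
    "crypto map outside_map 3 set security-association lifetime seconds 3600",
]

if __name__ == "__main__":
    phase, code = first_drop(TRACE)
    print(f"dropped in phase {phase['phase']} ({phase['type']}/{phase['subtype']}), "
          f"rule domain={phase['domain']}, reason={code}")
    print("flow in crypto ACL:", acl_permits(CRYPTO_ACL, "192.168.212.254", "10.99.10.27"))
    print("crypto map outside_map 3 lacks:", crypto_map_missing(POSTED_MAP_3, "outside_map", 3))
```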

 
