Unable to communicate over new site-to-site VPN

kridge (Level 1)

I used the Cisco Wizard to create a site-to-site VPN and am having trouble with devices on either side communicating. The VPN is up, and the ASA5505 at the remote site is able to ping the outside interface of my data center's ASA. The ASDM syslog messages on the remote ASA5505 show both networks trying to communicate, but the connections show "bytes 0 SYN Timeout".

 

Example:

6 May 18 2021 16:55:58 10.10.1.12 2428 10.10.5.21 60337 Teardown TCP connection 34637 for outside:10.10.1.12/2428 to inside:10.10.5.21/60337 duration 0:00:30 bytes 0 SYN Timeout

 

Please advise and thank you in advance,

 

Below is the remote site's config


ASA Version 9.2(1)
!
hostname ASA5505
domain-name domain.com
enable password 3vOVTdr5/Exxx2Q encrypted
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain
passwd 3vOVTdr5/EksxxxQ encrypted
no names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.5.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 96.x.x.x 255.255.255.248
!
boot system disk0:/asa921-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.1.100
name-server 10.0.1.101
name-server 75.75.75.75
name-server 75.75.76.76
domain-name ppcswfl.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.0.5.254
host 10.0.5.254
object network 10.0.1.0
subnet 10.0.1.0 255.255.255.0
object network 10.0.5.0
subnet 10.0.5.0 255.255.255.0
object network 10.10.1.0
subnet 10.10.1.0 255.255.255.0
object network 10.10.5.0
subnet 10.10.5.0 255.255.255.0
object network 10.100.1.0
subnet 10.100.1.0 255.255.255.0
object network 10.20.1.0
subnet 10.20.1.0 255.255.255.0
object network 10.20.5.0
subnet 10.20.5.0 255.255.255.0
object network 10.30.1.0
subnet 10.30.1.0 255.255.255.0
object network 10.35.1.0
subnet 10.35.1.0 255.255.255.0
object network 10.35.5.0
subnet 10.35.5.0 255.255.255.0
object network 10.60.1.0
subnet 10.60.1.0 255.255.255.0
object network 10.60.5.0
subnet 10.60.5.0 255.255.255.0
object-group network MARTIANS
description IP addresses that should never be seen as sources from the Internet
network-object 0.0.0.0 255.0.0.0
network-object 127.0.0.0 255.0.0.0
network-object 169.254.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.0.2.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 224.0.0.0
network-object 10.0.0.0 255.0.0.0
object-group network INTERNAL
network-object object 10.0.5.0
network-object object 10.10.5.0
network-object object 10.20.5.0
network-object object 10.35.5.0
network-object object 10.60.5.0
object-group network Private-IPs
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network Data_Center
network-object object 10.0.1.0
network-object object 10.10.1.0
network-object object 10.100.1.0
network-object object 10.20.1.0
network-object object 10.35.1.0
network-object object 10.60.1.0
access-list fromoutside extended permit ip object-group Data_Center object-group INTERNAL
access-list fromoutside extended permit icmp any any
access-list fromoutside extended permit icmp any any echo-reply
access-list fromoutside extended permit icmp any any time-exceeded
access-list fromoutside extended permit icmp any any unreachable
access-list fromoutside remark Addresses that should never be allowed
access-list fromoutside extended deny ip object-group MARTIANS any
access-list frominside extended permit ip object-group INTERNAL object-group Data_Center
access-list WebTraffic extended permit tcp any4 any4 eq www
access-list WebTraffic extended permit tcp any4 any4 eq https
access-list Classify-Voice extended permit ip any4 object 10.10.5.0
access-list Classify-Voice extended permit ip object 10.10.5.0 any4
access-list outside_cryptomap extended permit ip object-group INTERNAL object-group Data_Center
access-list VPN-Tunnel-PPC extended permit ip object-group INTERNAL object-group Data_Center
!
tcp-map mss-map
!
pager lines 60
logging enable
logging timestamp
logging buffer-size 1048576
logging console emergencies
logging monitor debugging
logging buffered debugging
logging trap notifications
logging history debugging
logging asdm informational
logging queue 0
no logging message 305012
no logging message 305011
no logging message 111009
no logging message 609002
no logging message 609001
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface inside probe
ip audit interface inside jab
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 300
no arp permit-nonconnected
nat (inside,outside) source static INTERNAL INTERNAL destination static Data_Center Data_Center no-proxy-arp route-lookup
access-group frominside in interface inside
access-group fromoutside in interface outside
route outside 0.0.0.0 0.0.0.0 96.x.x.x 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.20.5.0 255.255.255.0 10.20.5.1 1
route inside 10.30.5.0 255.255.255.0 10.30.5.1 1
route inside 10.35.5.0 255.255.255.0 10.35.5.1 1
route inside 10.60.5.0 255.255.255.0 10.60.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
http 74.x.x.x 255.255.255.224 outside
http 10.0.0.0 255.0.0.0 outside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address VPN-Tunnel-PPC
crypto map vpn 10 set peer 74.x.x.x
crypto map vpn 10 set ikev1 transform-set AES256-SHA1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 74.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto ikev1 policy 200
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.16.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 inside
telnet 10.0.17.0 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 outside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 outside
ssh 74.x.x.x 255.255.255.224 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access inside

dhcprelay server 10.0.1.103 outside
dhcprelay server 10.0.1.104 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
priority-queue inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.29
ntp server 129.6.15.28
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 dhe-aes256-sha1 dhe-aes128-sha1
group-policy GroupPolicy_74.x.x.x internal
group-policy GroupPolicy_74.x.x.x attributes
vpn-tunnel-protocol ikev1
username admin password hk6vun2r5NAyUalc encrypted privilege 15
tunnel-group 74.x.x.x type ipsec-l2l
tunnel-group 74.x.x.x general-attributes
default-group-policy GroupPolicy_74.x.x.x
tunnel-group 74.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map FixWebMSS
match access-list WebTraffic
class-map Voice
match access-list Classify-Voice
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns checkdns
parameters
message-length maximum client auto
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect http
inspect icmp
inspect dns checkdns
class FixWebMSS
set connection advanced-options mss-map
policy-map VoIP
class Voice
priority
class class-default
policy-map ShaperIn
description Shaper & LLQ - shape to <95% CIR to enforce queuing then prioritize voice
class class-default
shape average 47400000
service-policy VoIP
policy-map ShaperOut
description Shaper & LLQ - shape to <95% CIR to enforce queuing then prioritize voice
class class-default
shape average 19000000
service-policy VoIP
!
service-policy global_policy global
service-policy ShaperIn interface inside
service-policy ShaperOut interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00404f6e91c9004f36583452345406b42a7
: end

Accepted Solution

@kridge 

The output of most of the IPsec SAs confirms an equal encaps|decaps number; some of the tunnels have 50000+ packets, which would indicate it's working. I noticed an issue between 10.0.1.0 and 10.60.5.0: the output below from the 5515 would indicate the 5515 is receiving packets but not returning them.

 

access-list outside_cryptomap_4 extended permit ip 10.0.1.0 255.255.255.0 10.60.5.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.60.5.0/255.255.255.0/0/0)
current_peer: 96.x.x.x

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 563, #pkts decrypt: 563, #pkts verify: 563

So that would usually indicate a problem with traffic not being translated correctly (which doesn't appear to be the case from your packet-tracer output), or a routing or local firewall/ACL issue.

 

How exactly are you testing each network?

What device in the 10.0.1.0 was being communicated with from 10.60.5.0 network?

Does it have a reverse path to 10.60.5.0?

Is it a device with a local firewall or ACL configured?

If it is a switch or router you are communicating with, enable icmp debug to confirm the ping is received or enable a packet capture.

 

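The check the accepted answer relies on (take two readings of "show crypto ipsec sa" and see which counters move, and in which direction) can be automated. The script below is an added example written for this page, not code from the thread or from Cisco: it parses SA blocks in the layout quoted above, diffs two captures, and flags any SA whose decaps grow while its encaps stay flat, which is the receive-only pattern seen on the 10.0.1.0 to 10.60.5.0 SA. The two sample captures and the 10x asymmetry threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Field patterns for one SA block of 'show crypto ipsec sa', in the layout quoted in the thread.
IDENT_RE = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass
class SaCounters:
    """Packet counters for one IPsec SA, keyed by its local/remote proxy identities."""
    local: str
    remote: str
    encaps: int = 0   # packets this ASA encrypted and sent into the tunnel
    decaps: int = 0   # packets this ASA received from the tunnel and decrypted


def parse_ipsec_sa(text):
    """Return {(local_ident, remote_ident): SaCounters} parsed from 'show crypto ipsec sa' output."""
    sas = {}
    local = remote = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                local, remote = m.group(2), None   # a new SA block starts at 'local ident'
            else:
                remote = m.group(2)
            continue
        if not (local and remote):
            continue                               # header lines before the first SA block
        sa = sas.setdefault((local, remote), SaCounters(local, remote))
        m = ENCAPS_RE.search(line)
        if m:
            sa.encaps = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            sa.decaps = int(m.group(1))
    return sas


def classify(before, after, ratio=10):
    """Name the traffic pattern of one SA from its counter growth between two captures.

    'receive-only' is the case the accepted answer points at: decaps keep growing while
    encaps stay flat, so the peer's packets arrive but nothing is sent back through the tunnel
    (translation, routing, or a host firewall/ACL on the receiving side is the usual cause).
    """
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc == 0 and d_dec == 0:
        return "idle"
    if d_enc == 0 or d_dec >= ratio * d_enc:
        return "receive-only"
    if d_dec == 0 or d_enc >= ratio * d_dec:
        return "send-only"
    return "bidirectional"


def diagnose(snapshot_t0, snapshot_t1, ratio=10):
    """Compare two captures of 'show crypto ipsec sa' and classify every SA present in the second."""
    before = parse_ipsec_sa(snapshot_t0)
    after = parse_ipsec_sa(snapshot_t1)
    verdicts = {}
    for key, sa in after.items():
        prev = before.get(key, SaCounters(sa.local, sa.remote))  # SA new since t0: count from zero
        verdicts[key] = classify(prev, sa, ratio)
    return verdicts


def sa_block(local, remote, encaps, decaps):
    """Build one SA block in the 'show crypto ipsec sa' layout (constructed sample data)."""
    return (f"  local ident (addr/mask/prot/port): ({local}/255.255.255.0/0/0)\n"
            f"  remote ident (addr/mask/prot/port): ({remote}/255.255.255.0/0/0)\n"
            f"  current_peer: 96.x.x.x\n\n"
            f"  #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"  #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n\n")


# Constructed sample: two captures from the data center ASA a few minutes apart. The counter
# values echo the figures quoted in the thread (8/563 on the 10.60.5.0 SA, 31/31 on 10.0.5.0).
HEADER = "interface: outside\nCrypto map tag: outside_map, seq num: 1, local addr: 74.x.x.x\n\n"
SNAPSHOT_T0 = (HEADER + sa_block("10.0.1.0", "10.10.5.0", 5800, 2700)
               + sa_block("10.0.1.0", "10.60.5.0", 8, 500)
               + sa_block("10.0.1.0", "10.0.5.0", 31, 31))
SNAPSHOT_T1 = (HEADER + sa_block("10.0.1.0", "10.10.5.0", 5879, 2750)
               + sa_block("10.0.1.0", "10.60.5.0", 8, 563)
               + sa_block("10.0.1.0", "10.0.5.0", 31, 31))

if __name__ == "__main__":
    for (local, remote), verdict in diagnose(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{local:30} -> {remote:30} {verdict}")
```

An "idle" SA only means no traffic crossed it between the two captures, so generate a ping or connection attempt across that pair before taking the second reading.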

7 Replies

@kridge 

Can you provide the configuration of the other ASA?

If the tunnel is up, check the output of "show crypto ipsec sa" from both ASAs and confirm the encaps|decaps are increasing.

 

kridge (Level 1)

Thanks for response, Rob!

Below is the other ASA's (data center) config. I did some redacting, so let me know if you think something is amiss. I also included the output of show crypto ipsec sa (which I ran on the remote ASA).

 

I ran the command below on the remote ASA5505:
show crypto ipsec sa


These encaps|decaps are increasing (see additional encaps below)

Crypto map tag: outside_map, seq num: 1, local addr: 96.x.x.x

access-list outside_cryptomap extended permit ip 10.10.5.0 255.255.255.0 10.10.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
current_peer: 74.x.x.x


#pkts encaps: 2750, #pkts encrypt: 2750, #pkts digest: 2750
#pkts decaps: 5879, #pkts decrypt: 5879, #pkts verify: 5879
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2750, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0


These encaps|decaps are not increasing

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 96.x.x.x

access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 10.0.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer: 74.x.x.x


#pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
#pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 31, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

 

Below is data center ASA config

Hardware: ASA5515
ASA Version 9.9(2)

hostname ASA5515
domain-name domain.com
enable password dnaboswekt encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd Hm1oFvAsp.nzcNJT encrypted
no names
dns-guard
ip local pool vpnpool 192.168.16.5-192.168.16.15

ip local pool Workspace 192.168.2.2-192.168.2.120 mask 255.255.255.128

!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 74.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
ip address 10.60.1.2 255.255.255.0
!
interface Management0/0
description Management NIC is going to be taken over by IPS management - do not configure this interface
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa992-smp-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.1.102 inside
name-server 10.0.1.99 inside
name-server 10.0.1.100 inside
domain-name domain.com

object network LoadBalancer3389
host 10.0.1.14
description Load Balancer RDP Only
object network LoadBalancer80
host 10.0.1.17
description Load Balancer for Port 80
object network IT01-DT
host 10.70.2.70
object network HOST-10.0.1.131
host 10.0.1.131
object network HOST-10.0.1.141
host 10.0.1.141
object network HOST-10.0.1.252
host 10.0.1.252
object network HOST-10.10.11.2
host 10.10.11.2
object network HOST-10.0.1.111
host 10.0.1.111
description Old Exchange server
object network HOST-10.70.2.72
host 10.70.2.72
object network HOST-10.70.2.77
host 10.70.2.77
object network HOST-10.70.2.74
host 10.70.2.74
object network NET-10.0.2.0
subnet 10.0.2.0 255.255.255.0
object network NET-10.0.3.0
subnet 10.0.3.0 255.255.255.0
object network NET-10.0.6.0
subnet 10.0.6.0 255.255.255.0
object network NET-10.0.7.0
subnet 10.0.7.0 255.255.255.0
object network NET-10.0.8.0
subnet 10.0.8.0 255.255.255.0
object network NET-10.0.9.0
subnet 10.0.9.0 255.255.255.0
object network NET-10.0.11.0
subnet 10.0.11.0 255.255.255.0
object network NET-10.0.12.0
subnet 10.0.12.0 255.255.255.0
object network NET-10.0.14.0
subnet 10.0.14.0 255.255.255.0
object network NET-10.0.17.0
subnet 10.0.17.0 255.255.255.0
object network NET-172.30.1.0
subnet 172.30.1.0 255.255.255.0
object network NET-ALL-10.0.0.0
subnet 10.0.0.0 255.0.0.0

object network 10.0.4.0
subnet 10.0.4.0 255.255.255.0
description Lewis-MCIM
object network 10.0.1.0
subnet 10.0.1.0 255.255.255.0
object network Remote-Lewis-10.0.4.0
subnet 10.0.4.0 255.255.255.0
description Lewis-MCIM
object network NET-10.0.1.0
subnet 10.0.1.0 255.255.255.0

object network NET-192.168.16.0
subnet 192.168.16.0 255.255.255.240
object network NET-10.0.0.0
subnet 10.0.0.0 255.255.0.0
object network NET-192.168.17.0
subnet 192.168.17.0 255.255.255.224
object network 10.10.0.0
subnet 10.10.0.0 255.255.0.0
description Voice Network
object network NETWORK_OBJ_192.168.16.0_28
subnet 192.168.16.0 255.255.255.240
object network MyApps-10.0.1.19
host 10.0.1.19
description MyApp for RDP
object network 74.5.234.107
host 74.x.x.107
description MyApp for RDP
object network MyApp-10.0.1.19
host 10.0.1.19
description MyApp for RDP
object network 74.5.234.106
host 74.x.x.106
description My App for RDP
object network MyApp-10.0.1.226
host 10.0.1.226


object network 10.0.1.131
host 10.0.1.131
object network HOST-10.0.1.14
host 10.0.1.14
description IP for Barracuda LB - Workspace
object network Workspace
host 10.0.1.14
description Workspace RDP
object network 10.0.1.135
host 10.0.1.135

description Guest
object network 74.x.x.120
host 74.x.x.120


object network NETWORK_OBJ_192.168.2.0_25
subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_10.0.100.0_24
subnet 10.0.100.0 255.255.255.0
object network 192.168.100.104
host 192.168.100.104

object network NET-10.0.16.0
subnet 10.0.16.0 255.255.255.0
object network NET-10.0.5.0
subnet 10.0.5.0 255.255.255.0
object network 10.35.5.0
subnet 10.35.5.0 255.255.255.0
object network NETWORK_OBJ_10.0.1.0_24
subnet 10.0.1.0 255.255.255.0
object network 10.35.1.0
subnet 10.35.1.0 255.255.255.0

object-group network PPCANetworks
network-object 10.0.1.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
network-object 10.0.6.0 255.255.255.0
network-object 10.0.7.0 255.255.255.0
network-object 10.0.8.0 255.255.255.0
network-object 10.0.9.0 255.255.255.0
network-object 10.0.11.0 255.255.255.0
network-object 10.0.12.0 255.255.255.0
network-object 10.0.13.0 255.255.255.0
network-object 10.0.100.0 255.255.255.0
network-object 10.0.5.0 255.255.255.0
network-object 10.0.14.0 255.255.255.0
network-object 10.10.2.0 255.255.255.0
network-object 10.10.3.0 255.255.255.0
network-object 10.10.5.0 255.255.255.0
network-object 10.10.6.0 255.255.255.0
network-object 10.10.7.0 255.255.255.0
network-object 10.10.8.0 255.255.255.0
network-object 10.10.9.0 255.255.255.0
network-object 10.10.11.0 255.255.255.0
network-object 10.10.12.0 255.255.255.0
network-object 10.10.13.0 255.255.255.0
network-object 10.10.14.0 255.255.255.0
network-object 10.20.2.0 255.255.255.0
network-object 10.20.3.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0
network-object 10.20.6.0 255.255.255.0
network-object 10.20.7.0 255.255.255.0
network-object 10.20.8.0 255.255.255.0
network-object 10.20.9.0 255.255.255.0
network-object 10.20.11.0 255.255.255.0
network-object 10.20.12.0 255.255.255.0
network-object 10.20.13.0 255.255.255.0
network-object 10.20.14.0 255.255.255.0
network-object 10.30.2.0 255.255.255.0
network-object 10.30.3.0 255.255.255.0
network-object 10.30.5.0 255.255.255.0
network-object 10.30.6.0 255.255.255.0
network-object 10.30.7.0 255.255.255.0
network-object 10.30.8.0 255.255.255.0
network-object 10.30.9.0 255.255.255.0
network-object 10.30.11.0 255.255.255.0
network-object 10.30.12.0 255.255.255.0
network-object 10.30.13.0 255.255.255.0
network-object 10.30.14.0 255.255.255.0
network-object 10.40.2.0 255.255.255.0
network-object 10.40.3.0 255.255.255.0
network-object 10.40.5.0 255.255.255.0
network-object 10.40.6.0 255.255.255.0
network-object 10.40.7.0 255.255.255.0
network-object 10.40.8.0 255.255.255.0
network-object 10.40.9.0 255.255.255.0
network-object 10.40.11.0 255.255.255.0
network-object 10.40.12.0 255.255.255.0
network-object 10.40.13.0 255.255.255.0
network-object 10.40.14.0 255.255.255.0
network-object 10.50.3.0 255.255.255.0
network-object 10.50.9.0 255.255.255.0
network-object 10.60.2.0 255.255.255.0
network-object 10.60.3.0 255.255.255.0
network-object 10.60.5.0 255.255.255.0
network-object 10.60.6.0 255.255.255.0
network-object 10.60.7.0 255.255.255.0
network-object 10.60.8.0 255.255.255.0
network-object 10.60.9.0 255.255.255.0
network-object 10.60.11.0 255.255.255.0
network-object 10.60.12.0 255.255.255.0
network-object 10.60.13.0 255.255.255.0
network-object 10.60.14.0 255.255.255.0
network-object 10.70.2.0 255.255.255.0
network-object 10.70.5.0 255.255.255.0
network-object 10.70.2.71 255.255.255.255
network-object 10.0.17.0 255.255.255.0
network-object 10.10.17.0 255.255.255.0
network-object 10.20.17.0 255.255.255.0
network-object 10.30.17.0 255.255.255.0
object-group network MARTIANS
description IP addresses that should never be seen as sources from the Internet
network-object 0.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
network-object 127.0.0.0 255.0.0.0
network-object 169.254.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.0.2.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
network-object 224.0.0.0 224.0.0.0
object-group network Private-IPs
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network PedsSouth_Network
network-object 10.10.5.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0
network-object 10.30.5.0 255.255.255.0
network-object 10.60.5.0 255.255.255.0
network-object 10.0.5.0 255.255.255.0
network-object 10.35.5.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 10.0.100.0 255.255.255.0
network-object 10.0.17.0 255.255.255.0
network-object 10.10.14.0 255.255.255.0
network-object 10.60.1.0 255.255.255.0
network-object object 10.0.1.0
network-object object 10.10.1.0
access-list FROM_OUTSIDE extended deny ip object-group MARTIANS any4

access-list VPN_IT_ST extended permit ip 10.0.0.0 255.255.0.0 192.168.16.0 255.255.255.240
access-list VPN_PPC_ST extended permit ip 10.0.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list VPN_PPC_ST extended permit ip 10.0.20.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list VPN_PPC_1 extended permit ip 10.0.20.0 255.255.255.0 10.0.22.0 255.255.255.0

 

access-list GLOBAL extended permit ip object-group Private-IPs any4
access-list GLOBAL extended permit icmp any4 any4 echo-reply
access-list GLOBAL extended permit icmp any4 any4 time-exceeded
access-list GLOBAL extended permit icmp any4 any4 unreachable
access-list GLOBAL extended permit tcp any4 object HOST-10.0.1.141 eq smtp
access-list GLOBAL extended permit tcp any4 object HOST-10.0.1.20 eq https
access-list GLOBAL extended permit tcp any4 object HOST-10.0.1.20 eq www
access-list GLOBAL extended permit tcp any4 object LoadBalancer3389 eq 3389 inactive
access-list GLOBAL extended permit tcp any4 object LoadBalancer80 eq www inactive
access-list GLOBAL extended permit tcp any4 object Workspace eq 3389 inactive

access-list GLOBAL extended permit tcp any4 object HOST-10.70.2.72 eq 3389 inactive
access-list GLOBAL extended permit tcp any4 object HOST-10.70.2.77 eq 3389 inactive
access-list GLOBAL extended permit tcp any4 object HOST-10.70.2.74 eq 3389 inactive
access-list GLOBAL extended permit ip object 10.0.4.0 object 10.0.1.0 inactive
access-list GLOBAL extended permit ip object 10.0.1.0 object 10.0.4.0 inactive

access-list GLOBAL extended permit tcp any4 object MyApps-10.0.1.19 eq www
access-list GLOBAL remark MyApps for RDP
access-list GLOBAL extended permit tcp any4 object MyApps-10.0.1.19 eq https
access-list GLOBAL remark MyApps for RDP
access-list GLOBAL extended permit udp any4 object MyApp-10.0.1.226 eq 3391
access-list GLOBAL extended permit tcp any4 object MyApp-10.0.1.226 eq https
access-list GLOBAL remark MyApps for RDP
access-list GLOBAL extended permit tcp any4 object MyApp-10.0.1.226 eq www

access-list VPN_PPC_5 extended permit ip object 10.10.0.0 any

access-list outside_cryptomap_1 extended permit ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list Workspace remark Workspace - Barracuda LB
access-list Workspace extended permit ip object HOST-10.0.1.14 any
access-list Workspace extended permit ip any object HOST-10.0.1.14
access-list outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_1 object-group PedsSouth_Network
!
tcp-map mss-map
tcp-options md5 clear
!
pager lines 60
logging enable
logging timestamp
logging list Syslog-level critical
logging buffer-size 1048576
logging console warnings
logging monitor emergencies
logging buffered debugging
logging history warnings
logging asdm notifications
logging mail errors


logging host inside 10.0.2.50
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2151 disable
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any inside
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

nat (inside,outside) source static Private-IPs Private-IPs destination static Private-IPs Private-IPs no-proxy-arp route-lookup
nat (outside,outside) source static Private-IPs Private-IPs destination static Private-IPs Private-IPs no-proxy-arp route-lookup

nat (inside,outside) source static any any destination static NET-192.168.16.0 NET-192.168.16.0 no-proxy-arp route-lookup
nat (inside,outside) source static NET-10.0.0.0 NET-10.0.0.0 destination static NET-192.168.16.0 NET-192.168.16.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NET-192.168.17.0 NET-192.168.17.0 no-proxy-arp route-lookup
nat (outside,outside) source static 10.10.0.0 10.10.0.0 destination static NETWORK_OBJ_192.168.16.0_28 NETWORK_OBJ_192.168.16.0_28 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static PPCANetworks PPCANetworks destination static PedsSouth_Network PedsSouth_Network no-proxy-arp route-lookup
nat (outside,inside) source static PedsSouth_Network PedsSouth_Network destination static PPCANetworks PPCANetworks no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static PedsSouth_Network PedsSouth_Network no-proxy-arp route-lookup
!
object network LoadBalancer3389
nat (inside,outside) static 74.x.x.101 service tcp 3389 3389
object network LoadBalancer80
nat (inside,outside) static 74.x.s.101 service tcp www www
object network HOST-10.0.1.131
nat (inside,outside) static interface service tcp 55443 55443
object network HOST-10.0.1.141

object network NET-172.30.1.0
nat (inside,outside) dynamic interface
object network NET-ALL-10.0.0.0
nat (inside,outside) dynamic interface
object network MyApp-10.0.1.19

object network HOST-10.0.1.135
nat (inside,outside) static interface service tcp 55443 55443
object network NET-10.90.0.0

object network NET-10.0.16.0
nat (inside,outside) dynamic 74.x.x.110
access-group FROM_OUTSIDE in interface outside
access-group GLOBAL global
route outside 0.0.0.0 0.0.0.0 74.5.234.97 1
route inside 10.0.0.0 255.0.0.0 10.0.1.1 1
route outside 10.0.5.0 255.255.255.0 74.x.x.97 1
route outside 10.0.22.0 255.255.255.0 74.x.x.97 1
route outside 10.1.1.29 255.255.255.255 74.x.x.97 1
route outside 10.10.5.0 255.255.255.0 74.x.x.97 1
route outside 10.20.5.0 255.255.255.0 74.x.x.97 1
route outside 10.30.5.0 255.255.255.0 74.x.x.97 1
route outside 10.35.5.0 255.255.255.0 74.x.x.97 1
route outside 10.48.239.0 255.255.255.0 74.x.x.97 1
route outside 10.60.5.0 255.255.255.0 74.x.x.97 1
route inside 172.30.1.0 255.255.255.0 10.0.1.1 1
route inside 192.168.0.0 255.255.0.0 10.0.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server Kerby protocol kerberos
aaa-server Kerby (inside) host 10.0.1.100
kerberos-realm DOM.LOCAL
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.0.1.100
key *****
radius-common-pw *****
aaa-server DomainController protocol ldap
aaa-server DomainController (inside) host 10.0.1.99
timeout 5
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.0.0 inside
http 192.168.16.0 255.255.255.0 outside

snmp-server host inside 10.0.17.70 trap community ***** version 2c udp-port 161
snmp-server host inside 10.0.2.50 trap community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec ikev1 transform-set strong esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set AES-128-SHA1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map EveryoneElse 10 set pfs group1
crypto dynamic-map EveryoneElse 10 set ikev1 transform-set AES256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map PPCAVPN 1 match address outside_cryptomap_2
crypto map PPCAVPN 1 set peer 162.209.120.101
crypto map PPCAVPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map PPCAVPN 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map PPCAVPN 2 match address outside_cryptomap_4
crypto map PPCAVPN 2 set peer 96.x.x.x
crypto map PPCAVPN 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map PPCAVPN 6500 ipsec-isakmp dynamic EveryoneElse
crypto map PPCAVPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint self
enrollment self
fqdn vpn.domain.com
subject-name CN=vpn.domain.com
crl configure
crypto ca trustpoint ssl-cert
enrollment terminal
fqdn vpn.domain.com
subject-name CN=vpn.domain.com, OU=IT, O=PPC, C=US, St=FL, L=Cape Coral
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
subject-name CN=10.0.1.254,CN=ASA5515
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1

crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_1
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
crypto ikev1 policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 14400
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.16.0 255.255.255.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh stricthostkeycheck

ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access inside

!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.29
ntp server 129.6.15.28
tftp-server inside 10.0.17.70 c:\TFTP-Root
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-4.1.06013-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.1.06013-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IT_ST
default-domain value ppca-dom.local
group-policy PPCAVPN internal
group-policy PPCAVPN attributes
wins-server value 10.0.1.100 10.0.1.101
dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_PPC_ST
default-domain value ppca-dom.local
group-policy -ANYCON internal
group-policy -ANYCON attributes
dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_PPC_2
default-domain value ppca-dom.local
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
default-domain value domain.com


group-policy GroupPolicy_96.x.x.x internal
group-policy GroupPolicy_96.x.x.x attributes
vpn-tunnel-protocol ikev1

dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clink-temp_splitTunnelAcl
default-domain value ppca-dom.local
group-policy Wand internal
group-policy Workspace internal
group-policy Workspace attributes
wins-server none
dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ikev1 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Workspace
default-domain value domain.com

dns-server value 10.0.1.100 10.0.1.101
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clink-temp_splitTunnelAcl
default-domain value domain.com
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record "VPN Group"
description "VPN Group"
priority 1
username ppc-new password 1AHgt/dZ. encrypted
username ppc-new attributes
service-type remote-access

service-type remote-access


authentication-server-group vpn
default-group-policy VPN-IT
tunnel-group VPN-IT ipsec-attributes
ikev1 pre-shared-key *****


ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Workspace type remote-access
tunnel-group Workspace general-attributes
address-pool Workspace
authentication-server-group Kerby
default-group-policy Workspace
tunnel-group Workspace webvpn-attributes
group-alias Workspace disable
group-alias Workspace-Anycon enable

authentication-server-group Kerby

tunnel-group 96.x.x.x type ipsec-l2l
tunnel-group 96.x.x.x general-attributes
default-group-policy GroupPolicy_96.x.x.x
tunnel-group 96.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map FixWebMSS
class-map SendToIPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
inspect http
inspect icmp
class SendToIPS
ips inline fail-open
class FixWebMSS
set connection advanced-options mss-map
!
service-policy global_policy global
smtp-server 10.0.1.68 10.0.1.75
prompt hostname
no call-home reporting anonymous
hpm topN enable

kridge
Level 1

I ran this NAT statement on the ASA5505 (remote) and can now communicate with the site switch (10.0.5.1); however, I still cannot communicate with the other subnets (10.10.5.x, 10.20.5.x, 10.35.5.x, 10.60.5.x).

nat (inside,outside) source static INTERNAL INTERNAL destination static Data_Center Data_Center


For the other subnets, do you have an IPSec SA? You should have multiple SAs, one for each source/destination pair. Provide the output.

Run packet-tracer from the CLI twice and provide the output; run this on both ASAs.

Provide the outputs as attachments, clearly identified.

There is an additional packet-tracer output in the 2nd document, and Show IPSec SA for each ASA.

@kridge 

The output of most of the IPSec SAs confirms an equal encaps|decaps number, and some of the tunnels have 50000+ packets, which would indicate it's working. I noticed an issue between 10.0.1.0 and 10.60.5.0: the output below from the 5515 would indicate the 5515 is receiving packets but not returning them.


access-list outside_cryptomap_4 extended permit ip 10.0.1.0 255.255.255.0 10.60.5.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.60.5.0/255.255.255.0/0/0)
current_peer: 96.x.x.x

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 563, #pkts decrypt: 563, #pkts verify: 563

So that would usually indicate a problem with traffic not being translated correctly (that doesn't appear to be the case from your packet-tracer output), or a routing or local firewall/ACL issue.


How exactly are you testing each network?

What device in the 10.0.1.0 was being communicated with from 10.60.5.0 network?

Does it have a reverse path to 10.60.5.0?

Is it a device with a local firewall or ACL configured?

If it is a switch or router you are communicating with, enable icmp debug to confirm the ping is received or enable a packet capture.
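An added example (not from the thread or from Cisco): a small parser for the `show crypto ipsec sa` block format quoted above that flags SAs whose encaps/decaps counters are badly skewed, the one-way symptom described in this reply. The sample output is constructed and the peer address 203.0.113.5 is a documentation placeholder.

```python
# Added example (not from the thread or Cisco): parse the per-SA blocks of
# `show crypto ipsec sa` and flag SAs whose counters show one-way traffic.
import re

# Constructed sample in the format quoted above. The first SA mirrors the
# skewed 10.0.1.0 <-> 10.60.5.0 counters from the thread; the second is
# healthy. The peer address is a documentation placeholder.
SAMPLE = """\
  local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.60.5.0/255.255.255.0/0/0)
  current_peer: 203.0.113.5
  #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
  #pkts decaps: 563, #pkts decrypt: 563, #pkts verify: 563
  local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.10.5.0/255.255.255.0/0/0)
  current_peer: 203.0.113.5
  #pkts encaps: 51230, #pkts encrypt: 51230, #pkts digest: 51230
  #pkts decaps: 50987, #pkts decrypt: 50987, #pkts verify: 50987
"""

FIELDS = {
    "local": re.compile(r"local ident .*: \(([\d.]+)/([\d.]+)/"),
    "remote": re.compile(r"remote ident .*: \(([\d.]+)/([\d.]+)/"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sas(text):
    """One dict per SA; a new SA starts at each 'local ident' line."""
    sas = []
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "local":
                sas.append({})          # start a new SA record
            if key in ("local", "remote"):
                sas[-1][key] = f"{m.group(1)}/{m.group(2)}"
            elif key == "peer":
                sas[-1][key] = m.group(1)
            else:
                sas[-1][key] = int(m.group(1))
            break
    return sas


def one_way_sas(sas, ratio=10, min_pkts=50):
    """SAs where one direction carries at least `ratio` times the other.
    Small counters are ignored so a freshly built tunnel is not flagged."""
    flagged = []
    for sa in sas:
        enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
        hi, lo = max(enc, dec), min(enc, dec)
        if hi < min_pkts or hi < ratio * max(lo, 1):
            continue
        why = "decrypts but sends little back" if dec > enc else "sends but receives little"
        flagged.append((sa["local"], sa["remote"], why))
    return flagged
```

A flagged SA narrows the search to the side that is not sending: NAT, routing, or a host firewall on that side, as the reply lists.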


kridge
Level 1

Thank you so much for your time and response, Rob!

It was a routing issue (per your last post) with static routes on the 5505 (remote ASA) pointing to the wrong IPs. The additional subnets should have been pointed to the switch IP (see below). On the site switch (a Procurve), each of my subnets is in its own VLAN, and the addresses I had were the actual default gateways for their respective VLANs; however, they were not what was needed for the ASA config to route traffic properly. Hope that makes sense for anyone else who comes across this post.

Below is what I had configured on the remote ASA...

route inside 10.10.5.0 255.255.255.0 10.10.5.1 1

route inside 10.20.5.0 255.255.255.0 10.20.5.1 1

route inside 10.30.5.0 255.255.255.0 10.30.5.1 1

route inside 10.35.5.0 255.255.255.0 10.35.5.1 1

route inside 10.60.5.0 255.255.255.0 10.60.5.1 1

...and this is what it should look like to work.

route inside 10.10.5.0 255.255.255.0 10.0.5.1 1

route inside 10.20.5.0 255.255.255.0 10.0.5.1 1

route inside 10.30.5.0 255.255.255.0 10.0.5.1 1

route inside 10.35.5.0 255.255.255.0 10.0.5.1 1

route inside 10.60.5.0 255.255.255.0 10.0.5.1 1
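As an added example (not kridge's or Cisco's code), a check that reproduces the diagnosis above: a static route only works if its next hop is directly reachable on the interface it names, so each `route` line's next hop must lie in that interface's connected subnet. The inside address 10.0.5.254/24 and the outside address are assumed for this example; the route lines are the ones from the post.

```python
# Added example (not kridge's or Cisco's code): check that every static
# route's next hop lies in the connected subnet of the interface it names,
# which is what was wrong with the routes quoted above.
import ipaddress

# Assumed addressing for the remote ASA (constructed for this example):
# inside sits in 10.0.5.0/24, where the switch at 10.0.5.1 lives.
INTERFACES = {
    "inside": ipaddress.ip_interface("10.0.5.254/24"),
    "outside": ipaddress.ip_interface("198.51.100.2/29"),
}

# The routes as first configured and as corrected in the post.
BROKEN_ROUTES = """\
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.20.5.0 255.255.255.0 10.20.5.1 1
route inside 10.60.5.0 255.255.255.0 10.60.5.1 1
"""
FIXED_ROUTES = """\
route inside 10.10.5.0 255.255.255.0 10.0.5.1 1
route inside 10.20.5.0 255.255.255.0 10.0.5.1 1
route inside 10.60.5.0 255.255.255.0 10.0.5.1 1
"""


def parse_routes(text):
    """Return (interface, destination network, next hop) per `route` line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, nexthop = parts[1:5]
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"),
                       ipaddress.ip_address(nexthop)))
    return routes


def unreachable_next_hops(text, interfaces=INTERFACES):
    """Routes whose next hop is not directly reachable on the named interface.
    Returns (interface, destination, next hop, reason) tuples; empty is good."""
    bad = []
    for iface, net, nexthop in parse_routes(text):
        if iface not in interfaces:
            bad.append((iface, str(net), str(nexthop), "unknown interface"))
            continue
        connected = interfaces[iface].network
        if nexthop not in connected:
            bad.append((iface, str(net), str(nexthop),
                        f"next hop not in connected subnet {connected}"))
    return bad
```

Running the check over the first set of routes flags all three (10.10.5.1 and the others are not in 10.0.5.0/24); the corrected set comes back clean.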